draft-ietf-rap-rsvp-authsession-05.txt
- To: rap@ops.ietf.org
- Subject: draft-ietf-rap-rsvp-authsession-05.txt
- From: Louis-Nicolas Hamer <nhamer@nortelnetworks.com>
- Date: Sun, 10 Nov 2002 21:01:13 -0500
- User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.0.1) Gecko/20020823 Netscape/7.0
Hi all,

As Bert has indicated, a set of comments from Eric Rescorla had not been addressed in the last revision. The comments were related to the security aspects of the draft. A few modifications were made to ensure the draft specified some security aspects in more detail.

Summary of ALL changes:

-1: DNS Spoofing: Eric identified a DNS spoofing issue. Because of this flaw, a few fields were removed from the SOURCE_ADDR and DEST_ADDR S-TYPEs, specifically the FQDN, ASCII_DN & UNICODE_DN.

-2: Key rollovers: The example for shared symmetric keys was missing one field, the AUTH_ENT_ID (I added that to the example). I also added the following clarification: "Since multiple keys may be configured for a particular AUTH_ENT_ID value, the first 32 bits of the AUTH_DATA field MUST be a key ID to be used to identify the appropriate key."

-3: Time synch: Added a sentence to discuss why it is important.

-4: Changed "should" to "SHOULD" in the sentence: "Triple-DES encryption is supported in many Kerberos implementations (although not specified in [RFC-1510]), and SHOULD be used over single DES."

-5: PGP section: wrong terminology was used - it was removed.

-6: X.509 V3 section: Clarified the certs and CRLs. Changed the X509_V3_CERT field to be a DN.

-7: Kerberos: Added the clarifications needed about the client and server: "In this request, the client (router/PDP) sends (in cleartext) its own identity and the identity of the server (the authorizing entity taken from the AUTH_ENT_ID field) for which it is requesting credentials."

-8: Clarifications added to section 6.4. Clarifications added about the danger of relying upon an insecure database (such as DNS or a public LDAP directory).

Document available @ http://www.ietf.org/internet-drafts/draft-ietf-rap-rsvp-authsession-05.txt

Thanks to Bert for his helpful assistance. And many thanks to Eric for his comments & suggestions.

The draft has been re-inputted into the RFC-Editor's queue.

Cheers,
L-N
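The key ID rule from item 2, as an added example that is not part of this message or of the draft: a verifier reads the 32-bit key ID at the front of AUTH_DATA and selects the matching shared key, so that an old and a new key can coexist under one AUTH_ENT_ID during a rollover. The keyring, entity name, MAC algorithm and the exact bytes covered by the MAC are constructed assumptions, not the draft's format.

```python
import hashlib
import hmac
import struct

# Constructed keyring: AUTH_ENT_ID -> {key_id: shared key}. Two keys are
# configured for the same entity, as happens mid-rollover. (Assumption.)
KEYRING = {
    b"sip-proxy.example.net": {
        1: b"old-shared-secret-1",
        2: b"new-shared-secret-2",
    },
}

MAC_LEN = hashlib.sha1().digest_size  # HMAC-SHA1 is an assumption here


def build_auth_data(auth_ent_id, key_id, token_body):
    """Produce AUTH_DATA = 32-bit key ID || HMAC(key, key ID || token body).

    Covering the key ID with the MAC is an assumption; it stops a peer from
    re-labelling a MAC made under one key as belonging to another key ID.
    """
    key = KEYRING[auth_ent_id][key_id]
    key_id_field = struct.pack("!I", key_id)
    mac = hmac.new(key, key_id_field + token_body, hashlib.sha1).digest()
    return key_id_field + mac


def verify_auth_data(auth_ent_id, token_body, auth_data):
    """Return the key ID that validated the token, or None on failure.

    The key ID is taken from the first 32 bits, so the verifier never has to
    try every key configured for the entity; an unknown ID is simply rejected.
    """
    if len(auth_data) != 4 + MAC_LEN:
        return None
    key_id = struct.unpack("!I", auth_data[:4])[0]
    key = KEYRING.get(auth_ent_id, {}).get(key_id)
    if key is None:
        return None
    expected = hmac.new(key, auth_data[:4] + token_body, hashlib.sha1).digest()
    if not hmac.compare_digest(expected, auth_data[4:]):
        return None
    return key_id
```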