
[Fwd: RE: COPS-over-TLS v05 draft review]




Folks,

This is from your friendly Security Advisor. (:-)

And since I'm not a member of this mailing list,
please kindly copy me on the relevant e-mails that
might occur in response to this posting. (:-)

Regards,
Uri.

-------- Original Message --------
From: "Hahn, Scott" <scott.hahn@intel.com>

...I think this should be posted to the list for discussion.
	-Scott

> From: Uri Blumenthal [mailto:uri@bell-labs.com]
>
> Here are the issues I see with the draft
> "draft-ietf-rap-cops-tls-05.txt".
>
> First, overall I want to see how it ensures that when both client and
> server can do security, it will be enabled. For example, a
> man-in-the-middle can modify the traffic to convince one party that
> the other one doesn't support security ("bid-down") and thus force
> them to establish an insecure connection even though they both are
> capable of secure communications. I would like to see a capability
> to enforce secure mode.
>
> Also, I would like to see scenarios based not [only] on whether
> client/server SUPPORTS security - but also on whether its POLICY
> REQUIRES secure connection to a given peer. If it was meant so,
> it isn't clear from the document.
>
>
> Details by sections:
>
> 4.2. So what should the client do after receiving the error?
>
> 4.3. So the server MAY send a ClientClose... Anything else
>       it "may" do? Nothing it "should" do in this case...?
>       What should an implementor do here?
>
> 4.4. Same as above.
>
> 4.7. Why is this subsection here? I'd say - remove it.
>
> 8. It is good to require PKI - what happens if CA isn't
>     available, isn't accessible, whatever?
>     Reverts to insecure?
>
>
>
>
> Thanks!
>
> Regards,
> Uri
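
The bid-down and policy points raised in the review above can be modelled in a few lines. This is an added example, not part of the original post or of draft-ietf-rap-cops-tls-05; the policy levels, peer names and function names are hypothetical, and defaulting unknown peers to REQUIRE is an assumption of the sketch.

```python
from enum import Enum

class Policy(Enum):
    REQUIRE = "require"   # secure connection is mandatory for this peer
    PREFER = "prefer"     # use security only if the peer appears to offer it
    NONE = "none"         # never attempt security

class Outcome(Enum):
    SECURE = "secure"
    INSECURE = "insecure"
    REFUSED = "refused"

# Constructed per-peer policy table (hypothetical peer names).
PEER_POLICY = {
    "pdp-core.example": Policy.REQUIRE,
    "pdp-lab.example": Policy.PREFER,
}

def decide(peer, peer_offers_security, cert_validated, table=PEER_POLICY):
    """Pick the connection outcome from local policy, not from peer claims alone.

    peer_offers_security: what the negotiation (possibly modified in transit) said.
    cert_validated: whether the peer's certificate chain could be verified;
                    False also covers an unavailable or unreachable CA.
    """
    policy = table.get(peer, Policy.REQUIRE)  # assumption: unknown peers fail closed
    if policy is Policy.NONE:
        return Outcome.INSECURE
    if peer_offers_security and cert_validated:
        return Outcome.SECURE
    # Security could not be established. Only an explicit REQUIRE policy
    # prevents the silent fallback that a bid-down relies on.
    if policy is Policy.REQUIRE:
        return Outcome.REFUSED
    return Outcome.INSECURE

def run_scenarios():
    """Both ends are capable in every case; only what the client observes differs."""
    cases = {
        "require, untouched": ("pdp-core.example", True, True),
        "require, bid-down": ("pdp-core.example", False, True),
        "require, CA unreachable": ("pdp-core.example", True, False),
        "prefer, bid-down": ("pdp-lab.example", False, True),
        "prefer, CA unreachable": ("pdp-lab.example", True, False),
    }
    return {name: decide(*args) for name, args in cases.items()}

if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:26s} -> {outcome.value}")
```

Capability-only negotiation behaves like the PREFER rows: a cleared capability indication or a failed CA lookup ends in an insecure session, whereas a per-peer REQUIRE policy turns both into a refused connection.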