
From stpeter@stpeter.im  Tue Sep  6 13:27:44 2011
Return-Path: <stpeter@stpeter.im>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 79D1321F8E7D for <saag@ietfa.amsl.com>; Tue,  6 Sep 2011 13:27:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.584
X-Spam-Level: 
X-Spam-Status: No, score=-102.584 tagged_above=-999 required=5 tests=[AWL=0.015, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yM9XaO2jYrqc for <saag@ietfa.amsl.com>; Tue,  6 Sep 2011 13:27:43 -0700 (PDT)
Received: from stpeter.im (mailhost.stpeter.im [207.210.219.225]) by ietfa.amsl.com (Postfix) with ESMTP id D97CD21F8E78 for <saag@ietf.org>; Tue,  6 Sep 2011 13:27:43 -0700 (PDT)
Received: from dhcp-64-101-72-178.cisco.com (unknown [64.101.72.178]) (Authenticated sender: stpeter) by stpeter.im (Postfix) with ESMTPSA id 4E43D418BB for <saag@ietf.org>; Tue,  6 Sep 2011 14:32:25 -0600 (MDT)
Message-ID: <4E6682A9.5030002@stpeter.im>
Date: Tue, 06 Sep 2011 14:29:29 -0600
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.5; rv:6.0.1) Gecko/20110830 Thunderbird/6.0.1
MIME-Version: 1.0
To: IETF Security Area Advisory Group <saag@ietf.org>
X-Enigmail-Version: 1.3.1
OpenPGP: url=https://stpeter.im/stpeter.asc
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Subject: [saag] internationalized passwords
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Sep 2011 20:27:44 -0000

During a discussion related to SASLprep (RFC 4013) on the KITTEN WG
list, Nico Williams pointed out that during standardization of the SCRAM
SASL mechanism there would not have been consensus to say that passwords
must be ASCII (and therefore must not contain Unicode code points
outside the traditional ASCII-7 range):

http://www.ietf.org/mail-archive/web/kitten/current/msg02741.html

This issue has also come up in the PRECIS WG, which is working on a
generic replacement for stringprep and therefore will (we hope) provide
a framework that can be used to replace SASLprep as the recommended way
to prepare and compare Unicode code points in passwords. In particular,
see Sections 3.2 and 10.4 of draft-ietf-precis-framework-00, which
define and provide some security considerations regarding a string class
we're calling the "SecretClass":

http://tools.ietf.org/html/draft-ietf-precis-framework-00#section-3.2

http://tools.ietf.org/html/draft-ietf-precis-framework-00#section-10.4

As document editor of draft-ietf-precis-framework, I would appreciate
feedback from folks in the Security Area about the proposed "SecretClass".

I will forward this message to the PRECIS WG and ask participants in
that WG to pay attention on the SAAG list if they're interested in the
discussion.

Peter

-- 
Peter Saint-Andre
https://stpeter.im/



From yaronf.ietf@gmail.com  Tue Sep  6 14:03:09 2011
Return-Path: <yaronf.ietf@gmail.com>
Message-ID: <4E668AE5.7080700@gmail.com>
Date: Wed, 07 Sep 2011 00:04:37 +0300
From: Yaron Sheffer <yaronf.ietf@gmail.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:6.0.1) Gecko/20110830 Thunderbird/6.0.1
MIME-Version: 1.0
To: Peter Saint-Andre <stpeter@stpeter.im>, saag@ietf.org
References: <4E6682A9.5030002@stpeter.im>
In-Reply-To: <4E6682A9.5030002@stpeter.im>
Subject: Re: [saag] internationalized passwords


Hi Peter,

it's quite obvious to me that Unicode must be supported.

As a data point, this is our relevant text from RFC 6124 (EAP-EKE 
password authentication):

    This protocol supports internationalized, non-ASCII passwords.  The
    input password string SHOULD be processed according to the rules of
    the [RFC4013] profile of [RFC3454].  A password SHOULD be considered
    a "stored string" per [RFC3454], and unassigned code points are
    therefore prohibited.  The output is the binary representation of the
    processed UTF-8 [RFC3629] character string.  Prohibited output and
    unassigned code points encountered in SASLprep preprocessing SHOULD
    cause a preprocessing failure and the output SHOULD NOT be used.


And one piece of feedback (I am not an I18N expert by any means, although I can 
write both LTR and RTL :-): how can you disallow space characters 
(presumably including ASCII SPACE) from the Secret Class?

Thanks,
     Yaron


From stpeter@stpeter.im  Tue Sep  6 14:23:37 2011
Return-Path: <stpeter@stpeter.im>
Message-ID: <4E668FC2.6080809@stpeter.im>
Date: Tue, 06 Sep 2011 15:25:22 -0600
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.5; rv:6.0.1) Gecko/20110830 Thunderbird/6.0.1
MIME-Version: 1.0
To: Yaron Sheffer <yaronf.ietf@gmail.com>
References: <4E6682A9.5030002@stpeter.im> <4E668AE5.7080700@gmail.com>
In-Reply-To: <4E668AE5.7080700@gmail.com>
X-Enigmail-Version: 1.3.1
OpenPGP: url=https://stpeter.im/stpeter.asc
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Cc: saag@ietf.org
Subject: Re: [saag] internationalized passwords

On 9/6/11 3:04 PM, Yaron Sheffer wrote:
> Hi Peter,
> 
> it's quite obvious to me that Unicode must be supported.

I'm happy to hear it. :)

> As a data point, this is our relevant text from RFC 6124 (EAP-EKE
> password authentication):
> 
>    This protocol supports internationalized, non-ASCII passwords.  The
>    input password string SHOULD be processed according to the rules of
>    the [RFC4013] profile of [RFC3454].  A password SHOULD be considered
>    a "stored string" per [RFC3454], and unassigned code points are
>    therefore prohibited.  The output is the binary representation of the
>    processed UTF-8 [RFC3629] character string.  Prohibited output and
>    unassigned code points encountered in SASLprep preprocessing SHOULD
>    cause a preprocessing failure and the output SHOULD NOT be used.

Right. What we're trying to do in the PRECIS WG is define a way to
perform such processing without a dependency on RFC 3454 (since
stringprep is hardcoded to use Unicode 3.2). The intent is to make each
new PRECIS string class as backward-compatible as possible with the
relevant stringprep profile. So we're hoping that the SecretClass will
produce output close to what SASLprep currently produces. At least, that
is the goal...

> And one piece of feedback (I am not an I18N expert by any means, although I can
> write both LTR and RTL :-): how can you disallow space characters
> (presumably including ASCII SPACE) from the Secret Class?

That was one point of contention. You're probably right that spaces are
needed to support pass phrases instead of just pass *words*.


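As an added example (not code from this thread, from RFC 6124, or from the PRECIS drafts), here is the RFC 6124 processing Yaron quotes, built on Python's standard-library `stringprep` tables (RFC 3454, pinned to Unicode 3.2, exactly the dependency Peter describes PRECIS as trying to shed). The constructed inputs show why the non-ASCII space mapping matters for pass phrases, what a "stored string" rejects, and that the result is an octet string rather than a character string.

```python
"""SASLprep (RFC 4013) password preparation as quoted above from RFC 6124.

Added example; not code from this thread, RFC 6124 or the PRECIS drafts.
It relies on Python's standard-library `stringprep` module, which ships the
RFC 3454 tables and is pinned to Unicode 3.2, the very dependency the PRECIS
work is trying to remove.  Steps follow RFC 3454 section 3: map, normalize,
prohibit, check bidi; the output is the UTF-8 octet string.
"""
import stringprep
from unicodedata import ucd_3_2_0  # stringprep requires Unicode 3.2 data


class SASLprepError(ValueError):
    """Preprocessing failure: per RFC 6124 the output SHOULD NOT be used."""


# RFC 4013 section 2.3: code points prohibited in the output.  Note that
# ASCII space (table C.1.1) is deliberately absent, so pass phrases survive.
_PROHIBITED = (
    stringprep.in_table_c12,  # non-ASCII space characters
    stringprep.in_table_c21,  # ASCII control characters
    stringprep.in_table_c22,  # non-ASCII control characters
    stringprep.in_table_c3,   # private use
    stringprep.in_table_c4,   # non-character code points
    stringprep.in_table_c5,   # surrogate code points
    stringprep.in_table_c6,   # inappropriate for plain text
    stringprep.in_table_c7,   # inappropriate for canonical representation
    stringprep.in_table_c8,   # change display properties or deprecated
    stringprep.in_table_c9,   # tagging characters
)


def saslprep(password: str, stored: bool = True) -> bytes:
    """Return the UTF-8 octets of the SASLprep-processed password.

    stored=True treats the password as an RFC 3454 "stored string", so
    code points unassigned in Unicode 3.2 are a failure (the RFC 6124
    choice); stored=False is the "query string" mode that lets them pass.
    """
    # 1. Map (RFC 4013 section 2.1): table B.1 characters ("commonly mapped
    #    to nothing", e.g. soft hyphen) are dropped; non-ASCII spaces (table
    #    C.1.2, e.g. U+00A0) become U+0020.  U+200B sits in both tables;
    #    this implementation drops it.
    mapped = []
    for ch in password:
        if stringprep.in_table_b1(ch):
            continue
        mapped.append(" " if stringprep.in_table_c12(ch) else ch)

    # 2. Normalize (section 2.2): NFKC with Unicode 3.2 data, so e.g.
    #    U+212B ANGSTROM SIGN becomes U+00C5.
    normalized = ucd_3_2_0.normalize("NFKC", "".join(mapped))

    # 3. Prohibit (section 2.3) and reject unassigned code points
    #    (section 2.5, RFC 3454 section 7) for stored strings.
    for ch in normalized:
        if any(table(ch) for table in _PROHIBITED):
            raise SASLprepError(f"prohibited code point U+{ord(ch):04X}")
        if stored and stringprep.in_table_a1(ch):
            raise SASLprepError(f"unassigned code point U+{ord(ch):04X}")

    # 4. Bidi (section 2.4, RFC 3454 section 6): no mixing of RandALCat and
    #    LCat, and a RandALCat string must start and end with RandALCat.
    randal = [stringprep.in_table_d1(ch) for ch in normalized]
    if any(randal):
        if any(stringprep.in_table_d2(ch) for ch in normalized):
            raise SASLprepError("mixed RandALCat and LCat characters")
        if not (randal[0] and randal[-1]):
            raise SASLprepError("RandALCat string must begin and end with RandALCat")

    # Output: the binary representation of the processed UTF-8 string.
    return normalized.encode("utf-8")


def same_secret(a: str, b: str) -> bool:
    """Compare two passwords as a verifier that SASLpreps both sides would."""
    return saslprep(a) == saslprep(b)


def rejects(password: str, stored: bool = True) -> bool:
    """True if SASLprep of the password is a preprocessing failure."""
    try:
        saslprep(password, stored)
    except SASLprepError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs illustrating the points raised in the thread.
    print(saslprep("pass\u00a0phrase"))                     # b'pass phrase'
    print(same_secret("pass\u00a0phrase", "pass phrase"))   # True
    print(saslprep("I\u00adX"))                             # b'IX'
    for bad in ("pass\x07word", "\U0001F600", "a\u05d0"):
        print(repr(bad), "rejected:", rejects(bad))
```

Because the result is bytes, the two sides of a verification only agree when both apply the same preparation to the same Unicode data version, which is the compatibility goal Peter describes for the SecretClass.
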
From mouse@Sparkle.Rodents-Montreal.ORG  Tue Sep  6 21:43:45 2011
Return-Path: <mouse@Sparkle.Rodents-Montreal.ORG>
Date: Wed, 7 Sep 2011 00:45:22 -0400 (EDT)
From: Mouse <mouse@Rodents-Montreal.ORG>
Message-Id: <201109070445.AAA23563@Sparkle.Rodents-Montreal.ORG>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Erik-Conspiracy: There is no Conspiracy - and if there were I wouldn't be part of it anyway.
X-Message-Flag: Microsoft: the company who gave us the botnet zombies.
X-Composition-Start-Date: Wed, 7 Sep 2011 00:40:15 -0400 (EDT)
To: saag@ietf.org
In-Reply-To: <4E668FC2.6080809@stpeter.im>
References: <4E6682A9.5030002@stpeter.im> <4E668AE5.7080700@gmail.com> <4E668FC2.6080809@stpeter.im>
Subject: Re: [saag] internationalized passwords

>> it's quite obvious to me that Unicode must be supported.
> I'm happy to hear it. :)

I'm not entirely clear what the context here is, but you might want to
at least consider that you'd be repeating the ssh mistake if you make
this a MUST.  (ssh, as specified, is unimplementable on some Unix
variants, and quite possibly other OSes, because some things which the
RFCs say MUST be in UTF-8, such as usernames or passwords, exist in the
system as octet strings rather than character strings and thus
inherently cannot be recoded.  That ssh comes as close to working as it
does is a testament to ASCII's ubiquity.)

/~\ The ASCII				  Mouse
\ / Ribbon Campaign
 X  Against HTML		mouse@rodents-montreal.org
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B

From turners@ieca.com  Wed Sep  7 04:57:40 2011
Return-Path: <turners@ieca.com>
Message-ID: <4E675CA0.6090001@ieca.com>
Date: Wed, 07 Sep 2011 07:59:28 -0400
From: Sean Turner <turners@ieca.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:6.0.1) Gecko/20110830 Thunderbird/6.0.1
MIME-Version: 1.0
To: saag@ietf.org
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: [saag] Call for SAAG presentation topics for IETF 82

All,

Stephen and I are putting together the SAAG agenda for Taipei.

The agenda traditionally includes one or two invited presentations after 
the working group reports.  If you believe a topic would be of interest 
to the community, then please suggest it to us.

If you can identify an appropriate presenter (not necessarily yourself) 
that would be helpful.

Thanks,

spt

From hallam@gmail.com  Wed Sep  7 08:43:16 2011
Return-Path: <hallam@gmail.com>
Date: Wed, 7 Sep 2011 11:45:01 -0400
Message-ID: <CAMm+LwiGn_6=c8eERRpoyvi+7=Gg=SSPB_SrjgrXk3rSBCRiqA@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: saag@ietf.org
Subject: [saag] Recent attacks on CA infrastructure


As followers of this list are no doubt aware, there has been a recent series
of attacks on CA infrastructure, apparently originating in Iran.

The targets and timing of these attacks strongly suggest that the primary
objective in these attacks is to gain access to social media accounts, in
particular Twitter, Google, Facebook and other media employed by opponents
demonstrating against the regime.

The most recent attack has also targeted the CIA, Mossad and other sites run
by intelligence agencies in an apparent attempt to compromise 'digital
walkin' pages at those sites.

After each of the attacks has been discovered, an individual has represented
himself as the perpetrator to the media, purporting to be a lone actor,
independent of any government agency.

The simplest explanation of these facts is that the attacks were perpetrated
by an agency of the Iranian government with the objective of gaining access
to social media accounts used by opponents of the regime.


It occurs to me that up till now the focus of the remediation efforts have
been focused on the question of protecting the CA infrastructure from
attack. While this is clearly necessary in itself, the ultimate target of
the attack is the social media infrastructure, not the CA infrastructure.

Thus rather than just looking at the one part of the system being targeted,
we should look at the social media infrastructure and in particular the
authentication mechanisms used by the social media infrastructure. In short,
what is the simplest mechanism that could be used to replace the current
password verification schemes in which the server receives an en clair
password?

The problem here is not to replace passwords on the Internet. It is only
necessary for a scheme to be supported at the ten or twenty social media
sites being targeted. It is only necessary for the million or so users of
the Internet in Iran and Syria to upgrade their browsers to thwart the
immediate attack. Both parties involved are highly motivated to make the
necessary effort.

The deployment challenge is thus rather different to that which OpenID and
others have attempted to address. Getting granny to change her browser is
very hard; getting every site to change its authentication scheme is
hard.

-- 
Website: http://hallambaker.com/


From joelja@bogus.com  Wed Sep  7 09:50:43 2011
Message-ID: <4E67A14A.60104@bogus.com>
Date: Wed, 07 Sep 2011 09:52:26 -0700
From: Joel jaeggli <joelja@bogus.com>
To: Phillip Hallam-Baker <hallam@gmail.com>
References: <CAMm+LwiGn_6=c8eERRpoyvi+7=Gg=SSPB_SrjgrXk3rSBCRiqA@mail.gmail.com>
In-Reply-To: <CAMm+LwiGn_6=c8eERRpoyvi+7=Gg=SSPB_SrjgrXk3rSBCRiqA@mail.gmail.com>
Cc: saag@ietf.org
Subject: Re: [saag] Recent attacks on CA infrastructure

On 9/7/11 08:45 , Phillip Hallam-Baker wrote:

> It occurs to me that up till now the focus of the remediation efforts
> have been focused on the question of protecting the CA infrastructure
> from attack. While this is clearly necessary in itself, the ultimate
> target of the attack is the social media infrastructure, not the CA
> infrastructure.

The apparent lack of professionalism among CA operators as far as prompt
and responsible disclosure and remediation seems to be a significant
consideration in the ongoing triage.

As consumers of the technology we've made certain assumptions about the
likelihood of compromise and the feasibility of remediation by parties
in which trust has been placed which are not borne out by what
objectively has happened.


From hallam@gmail.com  Wed Sep  7 18:02:48 2011
In-Reply-To: <4E67A14A.60104@bogus.com>
References: <CAMm+LwiGn_6=c8eERRpoyvi+7=Gg=SSPB_SrjgrXk3rSBCRiqA@mail.gmail.com> <4E67A14A.60104@bogus.com>
Date: Wed, 7 Sep 2011 21:04:37 -0400
Message-ID: <CAMm+Lwh4rq69vr3xeVsetO+42i=3s_LHF4f6Sz7Hqp5W=xq3=A@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Joel jaeggli <joelja@bogus.com>
Cc: saag@ietf.org
Subject: Re: [saag] Recent attacks on CA infrastructure

Apart from the very latest incident, all the prior incidents were notified
to the parties capable of performing remediation within a very short span.

Public notice will inevitably come somewhat later given the current tools
that we have for remediation. Better tools for remediation are highly
desirable.


On Wed, Sep 7, 2011 at 12:52 PM, Joel jaeggli <joelja@bogus.com> wrote:

> On 9/7/11 08:45 , Phillip Hallam-Baker wrote:
>
> > It occurs to me that up till now the focus of the remediation efforts
> > have been focused on the question of protecting the CA infrastructure
> > from attack. While this is clearly necessary in itself, the ultimate
> > target of the attack is the social media infrastructure, not the CA
> > infrastructure.
>
> The apparent lack of professionalism among CA operators as far as prompt
> and responsible disclosure and remediation seems to be a significant
> consideration in the ongoing triage.
>
> As consumers of the technology we've made certain assumptions about the
> likelihood of compromise and the feasibility of remediation by parties
> in which trust has been placed which are not borne out by what
> objectively has happened.
>
>


-- 
Website: http://hallambaker.com/


From hotz@jpl.nasa.gov  Wed Sep  7 18:41:50 2011
From: "Henry B. Hotz" <hotz@jpl.nasa.gov>
In-Reply-To: <CAMm+Lwh4rq69vr3xeVsetO+42i=3s_LHF4f6Sz7Hqp5W=xq3=A@mail.gmail.com>
Date: Wed, 7 Sep 2011 18:43:36 -0700
Message-Id: <EF68D62B-B21F-48E7-9C55-9EF7D6402E3C@jpl.nasa.gov>
References: <CAMm+LwiGn_6=c8eERRpoyvi+7=Gg=SSPB_SrjgrXk3rSBCRiqA@mail.gmail.com> <4E67A14A.60104@bogus.com> <CAMm+Lwh4rq69vr3xeVsetO+42i=3s_LHF4f6Sz7Hqp5W=xq3=A@mail.gmail.com>
To: Phillip Hallam-Baker <hallam@gmail.com>
Cc: "saag@ietf.org" <saag@ietf.org>
Subject: Re: [saag] Recent attacks on CA infrastructure

On Sep 7, 2011, at 6:04 PM, Phillip Hallam-Baker wrote:

> Public notice will inevitably come somewhat later given the current
> tools that we have for remediation. Better tools for remediation are
> highly desirable.

Care to elaborate?  Are we talking better internal traceability of
operations, or OCSP improvements, or what?

Also someone needs to say this:  Thanks to the CAs that stepped up and
acknowledged compromises and dealt with them!
------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu




From SChokhani@cygnacom.com  Thu Sep  8 01:43:33 2011
From: Santosh Chokhani <SChokhani@cygnacom.com>
To: "Henry B. Hotz" <hotz@jpl.nasa.gov>, Phillip Hallam-Baker <hallam@gmail.com>
Date: Thu, 8 Sep 2011 04:45:11 -0400
Message-ID: <B83745DA469B7847811819C5005244AF0F4E6216@scygexch7.cygnacom.com>
References: <CAMm+LwiGn_6=c8eERRpoyvi+7=Gg=SSPB_SrjgrXk3rSBCRiqA@mail.gmail.com> <4E67A14A.60104@bogus.com> <CAMm+Lwh4rq69vr3xeVsetO+42i=3s_LHF4f6Sz7Hqp5W=xq3=A@mail.gmail.com> <EF68D62B-B21F-48E7-9C55-9EF7D6402E3C@jpl.nasa.gov>
In-Reply-To: <EF68D62B-B21F-48E7-9C55-9EF7D6402E3C@jpl.nasa.gov>
Cc: "saag@ietf.org" <saag@ietf.org>
Subject: Re: [saag] Recent attacks on CA infrastructure

Reliance on OCSP is not a good idea.

The attacker could put their own OCSP Responder pointer in the minted
certificates.  They could issue themselves a Delegated Responder
certificate.  Thus, examining the legitimate OCSP Responder will be useless.

There is a scarier scenario of getting a sub CA certificate out of the
compromised CA.

There is an even scarier, albeit a bit harder, idea of extracting the
private key from the HSM using side channels.  Not all side channels
require physical access to the HSM.

-----Original Message-----
From: saag-bounces@ietf.org [mailto:saag-bounces@ietf.org] On Behalf Of
Henry B. Hotz
Sent: Wednesday, September 07, 2011 9:44 PM
To: Phillip Hallam-Baker
Cc: saag@ietf.org
Subject: Re: [saag] Recent attacks on CA infrastructure


On Sep 7, 2011, at 6:04 PM, Phillip Hallam-Baker wrote:

> Public notice will inevitably come somewhat later given the current tools
> that we have for remediation. Better tools for remediation are highly
> desirable.

Care to elaborate?  Are we talking better internal traceability of
operations, or OCSP improvements, or what?

Also someone needs to say this:  Thanks to the CAs that stepped up and
acknowledged compromises and dealt with them!
------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu



_______________________________________________
saag mailing list
saag@ietf.org
https://www.ietf.org/mailman/listinfo/saag

From lear@cisco.com  Thu Sep  8 02:13:33 2011
Message-ID: <4E68876A.80909@cisco.com>
Date: Thu, 08 Sep 2011 11:14:18 +0200
From: Eliot Lear <lear@cisco.com>
To: Phillip Hallam-Baker <hallam@gmail.com>
References: <CAMm+LwiGn_6=c8eERRpoyvi+7=Gg=SSPB_SrjgrXk3rSBCRiqA@mail.gmail.com> <4E67A14A.60104@bogus.com> <CAMm+Lwh4rq69vr3xeVsetO+42i=3s_LHF4f6Sz7Hqp5W=xq3=A@mail.gmail.com>
In-Reply-To: <CAMm+Lwh4rq69vr3xeVsetO+42i=3s_LHF4f6Sz7Hqp5W=xq3=A@mail.gmail.com>
Cc: saag@ietf.org
Subject: Re: [saag] Recent attacks on CA infrastructure

Phillip, Joel,

On 9/8/11 3:04 AM, Phillip Hallam-Baker wrote:
> Apart from the very latest incident, all the prior incidents were
> notified to the parties capable of performing remediation within a
> very short span.
>
> Better tools for remediation are highly desirable.
>

Wouldn't it be nice if DANE had been completed and adopted two years
ago?  Good on Paul and others for their work here.

Eliot

From hallam@gmail.com  Fri Sep  9 11:15:51 2011
In-Reply-To: <4E68876A.80909@cisco.com>
References: <CAMm+LwiGn_6=c8eERRpoyvi+7=Gg=SSPB_SrjgrXk3rSBCRiqA@mail.gmail.com> <4E67A14A.60104@bogus.com> <CAMm+Lwh4rq69vr3xeVsetO+42i=3s_LHF4f6Sz7Hqp5W=xq3=A@mail.gmail.com> <4E68876A.80909@cisco.com>
Date: Fri, 9 Sep 2011 14:17:46 -0400
Message-ID: <CAMm+LwizNAkJXnZj--A+6DBMd-pc+sU6A0U3WR2VnkR8Wpeb4Q@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Eliot Lear <lear@cisco.com>
Cc: saag@ietf.org
Subject: Re: [saag] Recent attacks on CA infrastructure

It would be nice if they had listened to people in the industry about how it
worked and produced something that we could use.

On Thu, Sep 8, 2011 at 5:14 AM, Eliot Lear <lear@cisco.com> wrote:

> Phillip, Joel,
>
> On 9/8/11 3:04 AM, Phillip Hallam-Baker wrote:
> > Apart from the very latest incident, all the prior incidents were
> > notified to the parties capable of performing remediation within a
> > very short span.
> >
> > Better tools for remediation are highly desirable.
> >
>
> Wouldn't it be nice if DANE had been completed and adopted two years
> ago?  Good on Paul and others for their work here.
>
> Eliot
>



-- 
Website: http://hallambaker.com/


From hallam@gmail.com  Fri Sep  9 11:18:55 2011
In-Reply-To: <B83745DA469B7847811819C5005244AF0F4E6216@scygexch7.cygnacom.com>
References: <CAMm+LwiGn_6=c8eERRpoyvi+7=Gg=SSPB_SrjgrXk3rSBCRiqA@mail.gmail.com> <4E67A14A.60104@bogus.com> <CAMm+Lwh4rq69vr3xeVsetO+42i=3s_LHF4f6Sz7Hqp5W=xq3=A@mail.gmail.com> <EF68D62B-B21F-48E7-9C55-9EF7D6402E3C@jpl.nasa.gov> <B83745DA469B7847811819C5005244AF0F4E6216@scygexch7.cygnacom.com>
Date: Fri, 9 Sep 2011 14:20:49 -0400
Message-ID: <CAMm+LwhntVYH5sY8qnc2eW0Gxme3P7k4uGjoG7j-=a7UcYbakA@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Santosh Chokhani <SChokhani@cygnacom.com>
Cc: "saag@ietf.org" <saag@ietf.org>
Subject: Re: [saag] Recent attacks on CA infrastructure

This would not be an OCSP token that had anything whatsoever to do with the
issuer.

OCSP was originally designed to allow status reporting for multiple
certificate providers. That is what Valicert were plotting.


So OCSP can be used as it stands to publish lists of certs that must not be
trusted under any circumstance. The token would probably be validated
against the same key used to check software updates (I really hope they
check sigs on software updates).

On Thu, Sep 8, 2011 at 4:45 AM, Santosh Chokhani <SChokhani@cygnacom.com> wrote:

> Reliance on OCSP is not a good idea.
>
> The attacker could put their own OCSP Responder pointer in the minted
> certificates.  They could issue themselves a Delegated Responder
> certificate.  Thus, examining the legitimate OCSP Responder will be useless.
>
> There is a scarier scenario of getting a sub CA certificate out of the
> compromised CA.
>
> There is an even scarier, albeit a bit harder, idea of extracting the
> private key from the HSM using side channels.  Not all side channels
> require physical access to the HSM.
>
> -----Original Message-----
> From: saag-bounces@ietf.org [mailto:saag-bounces@ietf.org] On Behalf Of
> Henry B. Hotz
> Sent: Wednesday, September 07, 2011 9:44 PM
> To: Phillip Hallam-Baker
> Cc: saag@ietf.org
> Subject: Re: [saag] Recent attacks on CA infrastructure
>
>
> On Sep 7, 2011, at 6:04 PM, Phillip Hallam-Baker wrote:
>
> > Public notice will inevitably come somewhat later given the current tools
> that we have for remediation. Better tools for remediation are highly
> desirable.
>
> Care to elaborate?  Are we talking better internal traceability of
> operations, or OCSP improvements, or what?
>
> Also someone needs to say this:  Thanks to the CAs that stepped up and
> acknowledged compromises and dealt with them!
> ------------------------------------------------------
> The opinions expressed in this message are mine,
> not those of Caltech, JPL, NASA, or the US Government.
> Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
>
>
>
> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag
>



-- 
Website: http://hallambaker.com/

--0016e640796a9e297304ac863cb0--
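The approach Phillip sketches above (a list of certificates that must never be trusted, validated against the software-update key rather than anything the CA or its OCSP responders control, which is what keeps it clear of the responder-pointer problem Santosh raises) as an added Go example; it is not code from this thread or from any participant, and the DistrustList JSON format, the vendor Ed25519 key and the byte strings standing in for DER certificates are constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
)

// DistrustList is the signed payload: a strictly increasing sequence number plus hex SHA-256
// fingerprints of certificates that must never be trusted. Assumed format, not an IETF one.
type DistrustList struct {
	Sequence     uint64   `json:"sequence"`
	Fingerprints []string `json:"fingerprints"`
}

var (
	ErrBadSignature = errors.New("distrust list: signature does not verify under the vendor key")
	ErrRollback     = errors.New("distrust list: sequence not newer than the installed list")
)

// SignDistrustList is the vendor-side step (hypothetical release-pipeline code): the same
// key that signs software updates signs the list. Returns the JSON payload and signature.
func SignDistrustList(priv ed25519.PrivateKey, list DistrustList) (payload, sig []byte) {
	payload, _ = json.Marshal(list) // cannot fail for this struct
	return payload, ed25519.Sign(priv, payload)
}

// Fingerprint returns the lowercase hex SHA-256 of a DER-encoded certificate.
func Fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// Verifier is the client side: pinned vendor key, highest accepted sequence, installed list.
type Verifier struct {
	VendorKey ed25519.PublicKey
	LastSeq   uint64
	blocked   map[string]bool
}

// Install checks the vendor signature first, then the sequence number (rollback protection),
// and only then replaces the installed list. Nothing here consults the CA or its OCSP
// responders, so a compromised CA (rogue responder pointers, delegated responder certs)
// has no influence on the outcome.
func (v *Verifier) Install(payload, sig []byte) error {
	if !ed25519.Verify(v.VendorKey, payload, sig) {
		return ErrBadSignature
	}
	var list DistrustList
	if err := json.Unmarshal(payload, &list); err != nil {
		return err
	}
	if list.Sequence <= v.LastSeq {
		return ErrRollback
	}
	blocked := make(map[string]bool, len(list.Fingerprints))
	for _, fp := range list.Fingerprints {
		blocked[fp] = true
	}
	v.blocked, v.LastSeq = blocked, list.Sequence
	return nil
}

// IsDistrusted is consulted before ordinary chain building; a hit is final.
func (v *Verifier) IsDistrusted(der []byte) bool { return v.blocked[Fingerprint(der)] }

// ScenarioResult records the outcomes of RunScenario.
type ScenarioResult struct{ RogueBlocked, GoodAllowed, ForgedRejected, RollbackRejected bool }

// RunScenario exercises the verifier on constructed data: the byte strings below stand in
// for DER certificates, and both key pairs are generated on the spot (RNG errors ignored).
func RunScenario() ScenarioResult {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	rogue := []byte("constructed: certificate minted from the compromised CA")
	good := []byte("constructed: unrelated legitimate certificate")

	var res ScenarioResult
	v := &Verifier{VendorKey: vendorPub}
	payload, sig := SignDistrustList(vendorPriv, DistrustList{Sequence: 1, Fingerprints: []string{Fingerprint(rogue)}})
	res.RogueBlocked = v.Install(payload, sig) == nil && v.IsDistrusted(rogue)
	res.GoodAllowed = !v.IsDistrusted(good)

	// The attacker may control the CA and every OCSP pointer in its certificates, but not
	// the vendor key: a list signed with any other key is refused.
	payload, sig = SignDistrustList(attackerPriv, DistrustList{Sequence: 2})
	res.ForgedRejected = errors.Is(v.Install(payload, sig), ErrBadSignature)

	// Replaying a genuine but stale list must not un-block anything.
	payload, sig = SignDistrustList(vendorPriv, DistrustList{Sequence: 1})
	res.RollbackRejected = errors.Is(v.Install(payload, sig), ErrRollback)
	return res
}
```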

From pgut001@login01.cs.auckland.ac.nz  Fri Sep  9 14:21:35 2011
Return-Path: <pgut001@login01.cs.auckland.ac.nz>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4CE4821F8715 for <saag@ietfa.amsl.com>; Fri,  9 Sep 2011 14:21:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.567
X-Spam-Level: 
X-Spam-Status: No, score=-3.567 tagged_above=-999 required=5 tests=[AWL=0.032,  BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uNJNGC1Mp1Nr for <saag@ietfa.amsl.com>; Fri,  9 Sep 2011 14:21:34 -0700 (PDT)
Received: from mx2-int.auckland.ac.nz (mx2-int.auckland.ac.nz [130.216.12.41]) by ietfa.amsl.com (Postfix) with ESMTP id E377D21F85EF for <saag@ietf.org>; Fri,  9 Sep 2011 14:21:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=pgut001@cs.auckland.ac.nz; q=dns/txt; s=uoa; t=1315603410; x=1347139410; h=from:to:subject:cc:in-reply-to:message-id:date; z=From:=20Peter=20Gutmann=20<pgut001@cs.auckland.ac.nz> |To:=20hallam@gmail.com,=20SChokhani@cygnacom.com |Subject:=20Re:=20[saag]=20Recent=20attacks=20on=20CA=20i nfrastructure|Cc:=20saag@ietf.org|In-Reply-To:=20<CAMm+Lw hntVYH5sY8qnc2eW0Gxme3P7k4uGjoG7j-=3Da7UcYbakA@mail.gmail .com>|Message-Id:=20<E1R28Xc-0007mg-JM@login01.fos.auckla nd.ac.nz>|Date:=20Sat,=2010=20Sep=202011=2009:23:16=20+12 00; bh=ItpzWzSMam49Y7d9t+OcuzmxcA8p4arXLFLt+lZdapg=; b=Bp+icjheMwOaK1qeBrCRLbPLjLFkhx15MF14I6T1PPKDyTsArksGNtLX rkRAPPPQDuKfP5PSnZPzMB/xOvlQsRVUF3y+FdYeNlqk1wT6e5CMN2u0e pD7665vbMDLWJvh/U0s9pzwYTFol//JZ7ii9e64OrHMKjuUOz1nmSs6Bt U=;
X-IronPort-AV: E=Sophos;i="4.68,358,1312113600"; d="scan'208";a="82753869"
X-Ironport-HAT: APP-SERVERS - $RELAYED
X-Ironport-Source: 130.216.33.150 - Outgoing - Outgoing
Received: from mf1.fos.auckland.ac.nz ([130.216.33.150]) by mx2-int.auckland.ac.nz with ESMTP/TLS/AES256-SHA; 10 Sep 2011 09:23:16 +1200
Received: from login01.fos.auckland.ac.nz ([130.216.34.40]) by mf1.fos.auckland.ac.nz with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.69) (envelope-from <pgut001@login01.cs.auckland.ac.nz>) id 1R28Xc-0000Zj-IC; Sat, 10 Sep 2011 09:23:16 +1200
Received: from pgut001 by login01.fos.auckland.ac.nz with local (Exim 4.69) (envelope-from <pgut001@login01.cs.auckland.ac.nz>) id 1R28Xc-0007mg-JM; Sat, 10 Sep 2011 09:23:16 +1200
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: hallam@gmail.com, SChokhani@cygnacom.com
In-Reply-To: <CAMm+LwhntVYH5sY8qnc2eW0Gxme3P7k4uGjoG7j-=a7UcYbakA@mail.gmail.com>
Message-Id: <E1R28Xc-0007mg-JM@login01.fos.auckland.ac.nz>
Date: Sat, 10 Sep 2011 09:23:16 +1200
Cc: saag@ietf.org
Subject: Re: [saag] Recent attacks on CA infrastructure
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Sep 2011 21:21:35 -0000

Phillip Hallam-Baker <hallam@gmail.com> writes:

>OCSP was originally designed to allow status reporting for multiple
>certificate providers. That is what Valicert were plotting.

It's a bit more complex than that: it was designed to codify the somewhat
mutually exclusive business models of the three main contributors to it.  It's
for this reason that it's been described as "schizophrenic" in the past; try
figuring out what the trust model is supposed to be, for example.

Peter.

From turners@ieca.com  Wed Sep 21 10:51:18 2011
Return-Path: <turners@ieca.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 674FB11E80AD for <saag@ietfa.amsl.com>; Wed, 21 Sep 2011 10:51:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.264
X-Spam-Level: 
X-Spam-Status: No, score=-101.264 tagged_above=-999 required=5 tests=[AWL=-0.525, BAYES_20=-0.74, UNPARSEABLE_RELAY=0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YQ-dD2NqHuQU for <saag@ietfa.amsl.com>; Wed, 21 Sep 2011 10:51:18 -0700 (PDT)
Received: from nm29.bullet.mail.sp2.yahoo.com (nm29.bullet.mail.sp2.yahoo.com [98.139.91.99]) by ietfa.amsl.com (Postfix) with SMTP id F0B1F11E80AA for <saag@ietf.org>; Wed, 21 Sep 2011 10:51:17 -0700 (PDT)
Received: from [98.139.91.69] by nm29.bullet.mail.sp2.yahoo.com with NNFMP; 21 Sep 2011 17:53:43 -0000
Received: from [98.139.91.20] by tm9.bullet.mail.sp2.yahoo.com with NNFMP; 21 Sep 2011 17:53:43 -0000
Received: from [127.0.0.1] by omp1020.mail.sp2.yahoo.com with NNFMP; 21 Sep 2011 17:53:43 -0000
X-Yahoo-Newman-Id: 917826.57244.bm@omp1020.mail.sp2.yahoo.com
Received: (qmail 7087 invoked from network); 21 Sep 2011 17:53:43 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1316627623; bh=KDhskeGVBg4ZEBD37KdVzLH7GekVoeF2wEIy8jHZ8R0=; h=X-Yahoo-Newman-Property:X-YMail-OSG:X-Yahoo-SMTP:Received:Message-ID:Date:From:User-Agent:MIME-Version:To:Subject:Content-Type:Content-Transfer-Encoding; b=xk43XYDyJmwA3sPDVdRI8jFSwXzV1SP5+VlTKUHNTFjx+6PSq87h57yW0IAVhO3oEVSndwKP3xkIqeawGrkoovnsFkBpXBRFZe8iA0UY1tYfEmVAW1BaWwUhlvnBSVPRcFxic5zF1mknYBzFpMVqxHo9MO4mdB6sUdC4STGFII4=
X-Yahoo-Newman-Property: ymail-3
X-YMail-OSG: QCaaZk0VM1lllBP5ELJz67WwCL06hY3odnGNBoCblV6HieE nkzWXYYNbFpZkSeH.yerS6m98jHbUkMg9oBOdigxxGE98vEv4It37ZA5QQoC 776TzwViZESrGaZeptWJMCu72OJPK7O.Bd0e2SmJJq5j1TU2_Ij4FbTzpSmZ t5hTTk5eHwgjq61wvvS0IKxWUTaAUuByfFxXviHQ_teUvHnMqKn0WT3_CESV TyhtQQe5sBwaCGRx192Z6BNcLd_sCTxMR_ThIt79lsUC7.o.FCmrXr9T8dgQ Jni7EdK5ntLGfZOnnz3rDR7jGusErP_g2jb9RN6XW5djfxyQVYX4jw1T6EXP HYGpx2CyfTlMU9vpb5Q8s6eRCPejlTkEeq9.ba0Wixabf877TgPtCrQFDCbr HcT6xHNibl9lYOTqRvzDH1sLCm6D8wa6fZugLY1ZSSGmBM5kzwxdSzRQl.0R _Up8vgPDDNQ4YGX1FpL1iBNNtclMDqJgo5WqTpUygW11npTqraOK2cDXqoxj jQbfs4MO06QSNOhtMoElmCWLu3dWf
X-Yahoo-SMTP: ZrP3VLSswBDL75pF8ymZHDSu9B.vcMfDPgLJ
Received: from thunderfish.local (turners@96.231.116.178 with plain) by smtp114.biz.mail.sp1.yahoo.com with SMTP; 21 Sep 2011 10:53:43 -0700 PDT
Message-ID: <4E7A1B43.6090704@ieca.com>
Date: Wed, 21 Sep 2011 13:13:39 -0400
From: Sean Turner <turners@ieca.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:6.0.2) Gecko/20110902 Thunderbird/6.0.2
MIME-Version: 1.0
To: saag@ietf.org
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: [saag] MILE charter discussions
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Sep 2011 17:51:18 -0000

MILE had a side meeting in Quebec.  They've gotten a mailing list going 
and have been discussing a proposed charter:

http://www.ietf.org/mail-archive/web/mile/current/msg00132.html

There are also some drafts:

http://datatracker.ietf.org/doc/search/?name=-mile-&activeDrafts=on&search_submit=

I've placed this on tomorrow's telechat for internal review (i.e., IESG 
and IAB review).  It'll definitely go out for external review (i.e., 
IETF-wide review and others), but I wanted to see if the saag members 
had any early comments.

spt

From stephen.farrell@cs.tcd.ie  Fri Sep 23 07:00:29 2011
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3323621F8C86 for <saag@ietfa.amsl.com>; Fri, 23 Sep 2011 07:00:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.366
X-Spam-Level: 
X-Spam-Status: No, score=-106.366 tagged_above=-999 required=5 tests=[AWL=0.233, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TkjJicyonV8X for <saag@ietfa.amsl.com>; Fri, 23 Sep 2011 07:00:28 -0700 (PDT)
Received: from scss.tcd.ie (hermes.cs.tcd.ie [134.226.32.56]) by ietfa.amsl.com (Postfix) with ESMTP id E8D6121F8C84 for <saag@ietf.org>; Fri, 23 Sep 2011 07:00:27 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by hermes.scss.tcd.ie (Postfix) with ESMTP id 5944D171CEC for <saag@ietf.org>; Fri, 23 Sep 2011 15:02:58 +0100 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; h= content-transfer-encoding:content-type:in-reply-to:references :subject:mime-version:user-agent:from:date:message-id:received :received:x-virus-scanned; s=cs; t=1316786577; bh=i/ua4s4aUGLGUD VdwWbQvqziy1zI3Ra6eV7/+C9wjyI=; b=NoRTjgk3JJkzblWzMmQHD+bczYR07r grtASVuMnCiXwTJSy6WQzBpdEVQqW8R6EbCFGMS2pAybEdG55O3SY3ju/zUBXkKV /JN4ahhZjow7BZZ/Es6oTb9H0hg33cxl/OlurF4fOkRYIPav+lKYUx5OS/2Tz2+C hekXvOxhSJAMM+O4Z3YsH9tgqch1GkmzIDi3s7zWTyUQA34WUlOmKG4rcAdISClb 9AtqJntc8Q5fIitmMhzCrVHb0MbXXWX0sq3EJ1eE90mQAnjNT/sAZYzfT+I2y4p4 m1H0ycMSeSVwkEA4Goe7Teudox4qP0putoIEFd/ghJEnviv6kvEzjwoA==
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from scss.tcd.ie ([127.0.0.1]) by localhost (scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10027) with ESMTP id ugFIEeoZWzvt for <saag@ietf.org>; Fri, 23 Sep 2011 15:02:57 +0100 (IST)
Received: from [10.87.48.8] (unknown [86.46.30.134]) by smtp.scss.tcd.ie (Postfix) with ESMTPSA id 2393F171CEE for <saag@ietf.org>; Fri, 23 Sep 2011 15:02:57 +0100 (IST)
Message-ID: <4E7C9190.2020101@cs.tcd.ie>
Date: Fri, 23 Sep 2011 15:02:56 +0100
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:6.0.2) Gecko/20110902 Thunderbird/6.0.2
MIME-Version: 1.0
To: "saag@ietf.org" <saag@ietf.org>
References: <20110923135222.2358.59148.idtracker@ietfa.amsl.com>
In-Reply-To: <20110923135222.2358.59148.idtracker@ietfa.amsl.com>
X-Forwarded-Message-Id: <20110923135222.2358.59148.idtracker@ietfa.amsl.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: [saag] Fwd: Last Call: <draft-oreirdan-mody-bot-remediation-16.txt> (Recommendations for the Remediation of Bots in ISP Networks) to Informational RFC
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Sep 2011 14:00:29 -0000

FYI - some folks on here commented on this previously and I'd
be interested to know of any remaining last call comments.

Thanks,
S.

-------- Original Message --------
Subject: Last Call: <draft-oreirdan-mody-bot-remediation-16.txt> 
(Recommendations for the Remediation of Bots in ISP Networks) to 
Informational RFC
Date: Fri, 23 Sep 2011 06:52:22 -0700
From: The IESG <iesg-secretary@ietf.org>
Reply-To: ietf@ietf.org
To: IETF-Announce <ietf-announce@ietf.org>


The IESG has received a request from an individual submitter to consider
the following document:
- 'Recommendations for the Remediation of Bots in ISP Networks'
   <draft-oreirdan-mody-bot-remediation-16.txt> as an Informational RFC

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substantive comments to the
ietf@ietf.org mailing lists by 2011-10-21. Exceptionally, comments may be
sent to iesg@ietf.org instead. In either case, please retain the
beginning of the Subject line to allow automated sorting.

Abstract


    This document contains recommendations on how Internet Service
    Providers can manage the effects of computers used by their
    subscribers, which have been infected with malicious bots, via
    various remediation techniques.  Internet users with infected
    computers are exposed to risks such as loss of personal data, as well
    as increased susceptibility to online fraud and/or phishing.  Such
    computers can also become an inadvertent participant in or component
    of an online crime network, spam network, and/or phishing network, as
    well as be used as a part of a distributed denial of service attack.
    Mitigating the effects of and remediating the installations of
    malicious bots will make it more difficult for botnets to operate and
    could reduce the level of online crime on the Internet in general
    and/or on a particular Internet Service Provider's network.




The file can be obtained via
http://datatracker.ietf.org/doc/draft-oreirdan-mody-bot-remediation/

IESG discussion can be tracked via
http://datatracker.ietf.org/doc/draft-oreirdan-mody-bot-remediation/


No IPR declarations have been submitted directly on this I-D.


_______________________________________________
IETF-Announce mailing list
IETF-Announce@ietf.org
https://www.ietf.org/mailman/listinfo/ietf-announce


From rgm-sec@htt-consult.com  Fri Sep 23 10:32:21 2011
Return-Path: <rgm-sec@htt-consult.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 56B3421F8C83 for <saag@ietfa.amsl.com>; Fri, 23 Sep 2011 10:32:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9fFwJBI3Xs2V for <saag@ietfa.amsl.com>; Fri, 23 Sep 2011 10:32:20 -0700 (PDT)
Received: from klovia.htt-consult.com (klovia.htt-consult.com [208.83.67.149]) by ietfa.amsl.com (Postfix) with ESMTP id A541D21F8C6A for <saag@ietf.org>; Fri, 23 Sep 2011 10:32:20 -0700 (PDT)
Received: from localhost (unknown [127.0.0.1]) by klovia.htt-consult.com (Postfix) with ESMTP id 8F1A362B8B for <saag@ietf.org>; Fri, 23 Sep 2011 17:34:17 +0000 (UTC)
X-Virus-Scanned: amavisd-new at localhost
Received: from klovia.htt-consult.com ([127.0.0.1]) by localhost (klovia.htt-consult.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id o32aLWBUA6nm for <saag@ietf.org>; Fri, 23 Sep 2011 13:34:06 -0400 (EDT)
Received: from nc2400.htt-consult.com (nc2400.htt-consult.com [208.83.67.155]) (Authenticated sender: rgm-sec@htt-consult.com) by klovia.htt-consult.com (Postfix) with ESMTPSA id A072C62B81 for <saag@ietf.org>; Fri, 23 Sep 2011 13:34:06 -0400 (EDT)
Message-ID: <4E7CC30C.10305@htt-consult.com>
Date: Fri, 23 Sep 2011 13:34:04 -0400
From: Robert Moskowitz <rgm-sec@htt-consult.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.20) Gecko/20110817 Fedora/3.1.12-1.fc14 Thunderbird/3.1.12
MIME-Version: 1.0
To: saag@ietf.org
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: [saag] Follow up on IEEE 802.15 Key Management
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Sep 2011 17:32:21 -0000

This week the PAR for KMP passed within 802.15:

https://mentor.ieee.org/802.15/dcn/11/15-11-0613-03-0kmp-key-management-protocol-par.doc
https://mentor.ieee.org/802.15/dcn/11/15-11-0665-03-0kmp-kmp-5c-draft.doc

In the PAR we are requesting the creation of a Recommended Practice that 
will be identified as 802.15.8.

Next step is to get IEEE 802 approval which will be at the Atlanta 
meeting week prior to IETF.

For all the current documents for the KMPIG:

https://mentor.ieee.org/802.15/documents?is_group=0kmp

In particular

https://mentor.ieee.org/802.15/dcn/11/15-11-0650-00-0kmp-kmp-for-802-15.ppt

Gives the latest thoughts on how the shim will work and how the document 
will be structured.


From alper.yegin@yegin.org  Wed Sep 28 11:33:45 2011
Return-Path: <alper.yegin@yegin.org>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6615A21F8D50; Wed, 28 Sep 2011 11:33:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level: 
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Cx-D79SZ5Qu4; Wed, 28 Sep 2011 11:33:44 -0700 (PDT)
Received: from mout.perfora.net (mout.perfora.net [74.208.4.194]) by ietfa.amsl.com (Postfix) with ESMTP id 9370321F8D39; Wed, 28 Sep 2011 11:33:44 -0700 (PDT)
Received: from [192.168.2.109] (dsl88-247-34762.ttnet.net.tr [88.247.135.202]) by mrelay.perfora.net (node=mrus0) with ESMTP (Nemesis) id 0M3z0U-1QquD81qCI-00rlIO; Wed, 28 Sep 2011 14:36:32 -0400
Mime-Version: 1.0 (Apple Message framework v1244.3)
Content-Type: text/plain; charset=us-ascii
From: Alper Yegin <alper.yegin@yegin.org>
In-Reply-To: <4E7CC30C.10305@htt-consult.com>
Date: Wed, 28 Sep 2011 21:36:27 +0300
Content-Transfer-Encoding: quoted-printable
Message-Id: <9F3F4978-B966-4074-B96A-A2C2ED879F6A@yegin.org>
References: <4E7CC30C.10305@htt-consult.com>
To: Robert Moskowitz <rgm-sec@htt-consult.com>
X-Mailer: Apple Mail (2.1244.3)
X-Provags-ID: V02:K0:rS3d/j+wg8RFC4PS5+afQy4uxcdI7CTPdzueABIvEzW wj08MUGKxc+kiuUsbaUfzr1tMwCYp2yOE2HIk/iioxRNHr1jBv fbdkYQhtl1vHAim3isFnrsb2N7wfLbq6gEzZOsNABPx61RKGxB whc/E5ZB5C/6vGKv7Zs26x1iDDehmPa70nmi96hCwPVlofwuEY kIUVmNUmBpzhycO63hRU1kb1rGFOH2Qi14sStyXKBBpEKFQWdp sS6NTcOMxAVpwVRu4OHyf/PH+I9rYoa+Rx5wRkP3DShV6DxMp+ j+HfI4xO0LUXK+30aSL//s/xvnR1DFpnHB4jDjoQHQ/wvXwxRb TiViEOh3nOmKY9uKktDetuvj+C5NaII/7pFHuqD6l8lmTEkygm dLGZv7uXtwzaw==
Cc: 6lowpan@ietf.org, saag@ietf.org
Subject: Re: [saag] Follow up on IEEE 802.15 Key Management
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Sep 2011 18:33:45 -0000

Hi Bob,

As you know, Zigbee Alliance has already adopted EAP/PANA for network access authentication and key agreement for Smart Energy Profile 2.0.

Is the problem you are seeking to solve the same problem, or a different one?

Thanks.

Alper





On Sep 23, 2011, at 8:34 PM, Robert Moskowitz wrote:

> This week the PAR for KMP passed within 802.15:
>
> https://mentor.ieee.org/802.15/dcn/11/15-11-0613-03-0kmp-key-management-protocol-par.doc
> https://mentor.ieee.org/802.15/dcn/11/15-11-0665-03-0kmp-kmp-5c-draft.doc
>
> In the PAR we are requesting the creation of a Recommended Practice that will be identified as 802.15.8.
>
> Next step is to get IEEE 802 approval which will be at the Atlanta meeting week prior to IETF.
>
> For all the current documents for the KMPIG:
>
> https://mentor.ieee.org/802.15/documents?is_group=0kmp
>
> In particular
>
> https://mentor.ieee.org/802.15/dcn/11/15-11-0650-00-0kmp-kmp-for-802-15.ppt
>
> Gives the latest thoughts on how the shim will work and how the document will be structured.
>
> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag


From alper.yegin@yegin.org  Thu Sep 29 12:37:42 2011
Return-Path: <alper.yegin@yegin.org>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7274F1F0C4F; Thu, 29 Sep 2011 12:37:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level: 
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jjJWwlSpz7df; Thu, 29 Sep 2011 12:37:41 -0700 (PDT)
Received: from mout.perfora.net (mout.perfora.net [74.208.4.194]) by ietfa.amsl.com (Postfix) with ESMTP id 851341F0C4E; Thu, 29 Sep 2011 12:37:41 -0700 (PDT)
Received: from [192.168.2.109] (dsl88-247-34762.ttnet.net.tr [88.247.135.202]) by mrelay.perfora.net (node=mrus3) with ESMTP (Nemesis) id 0LqhqM-1Qezja2viM-00eRy0; Thu, 29 Sep 2011 15:40:32 -0400
Mime-Version: 1.0 (Apple Message framework v1244.3)
Content-Type: text/plain; charset=us-ascii
From: Alper Yegin <alper.yegin@yegin.org>
In-Reply-To: <4E83C7A6.4020008@blindcreek.com>
Date: Thu, 29 Sep 2011 22:40:27 +0300
Content-Transfer-Encoding: quoted-printable
Message-Id: <709DC625-A433-4DDC-9505-D9DD7180B93E@yegin.org>
References: <4E7CC30C.10305@htt-consult.com> <9F3F4978-B966-4074-B96A-A2C2ED879F6A@yegin.org> <4E83C7A6.4020008@blindcreek.com>
To: Benjamin A. Rolfe <ben@blindcreek.com>
X-Mailer: Apple Mail (2.1244.3)
X-Provags-ID: V02:K0:wvIj2dU+IWQQDr8WVuT8YRc+owYF4q2P61MOu0YjPrM 8yBDHnlqpijJAO6CusNyE/kiKyGCS8FPOXc6r+BF7OZfU74YTk q5EoHGYdBeco0aSNCrITO8+MfCHBhl1RpoZCEl6AOa6GPAZE6x ffHDjN6foaijVpGyMoC9j5/pOLfmx6XH2IU0JczOuiMFQfFWBE qufo+y77PkARZoaBet+WI7TmU5x3wlmTSZu5i9B4SN+WnI1obA RDjFJI3wyWIZnnEZJQfa1T4Oej48/CNs0HBGoR/3Z4jljGj9FB 5FqFLtWtRShkD7IHlPVI9dIqhJ0wAQxKoGEA7zZnOL6voaGJxu 4MxYIPPy/5EgihnbSbhcqp9XT/V8/lL2xl59kKXSKC4R5nPY2h BNvI5v3jXfe5g==
Cc: 6lowpan@ietf.org, saag@ietf.org
Subject: Re: [saag] [6lowpan]  Follow up on IEEE 802.15 Key Management
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Sep 2011 19:37:42 -0000

Thank you.

I think it'd be useful for the IETF community to understand what those 5/6
distinct standards are, and if the KMP being sought would be a generic
solution or specific to each one of them. PANA being used for one of
them already, I wonder whether it applies to the others or not. Any
ideas on that?








On Sep 29, 2011, at 4:19 AM, Benjamin A. Rolfe wrote:

> There is an obvious difference in scope:  The scope of the ZigBee SEP profile is specifically Demand
> Response and Load Management applications. ZigBee uses IEEE P802.15.4-2003.  The scope of the referenced PAR includes all current members of the 802.15 family of standards, which includes 5 distinct MAC and PHY standards (soon to be 6).
>
> I'm sure Bob can elaborate further.
>
> Hope that helps.
>
> Regards
>
> -Ben
>
>
>> Hi Bob,
>>
>> As you know, Zigbee Alliance has already adopted EAP/PANA for network access authentication and key agreement for Smart Energy Profile 2.0.
>>
>> Is the problem you are seeking to solve the same problem, or a different one?
>>
>> Thanks.
>>
>> Alper
>>
>>
>> On Sep 23, 2011, at 8:34 PM, Robert Moskowitz wrote:
>>
>>> This week the PAR for KMP passed within 802.15:
>>>
>>> https://mentor.ieee.org/802.15/dcn/11/15-11-0613-03-0kmp-key-management-protocol-par.doc
>>> https://mentor.ieee.org/802.15/dcn/11/15-11-0665-03-0kmp-kmp-5c-draft.doc
>>>
>>> In the PAR we are requesting the creation of a Recommended Practice that will be identified as 802.15.8.
>>>
>>> Next step is to get IEEE 802 approval which will be at the Atlanta meeting week prior to IETF.
>>>
>>> For all the current documents for the KMPIG:
>>>
>>> https://mentor.ieee.org/802.15/documents?is_group=0kmp
>>>
>>> In particular
>>>
>>> https://mentor.ieee.org/802.15/dcn/11/15-11-0650-00-0kmp-kmp-for-802-15.ppt
>>>
>>> Gives the latest thoughts on how the shim will work and how the document will be structured.
>>>
>>> _______________________________________________
>>> saag mailing list
>>> saag@ietf.org
>>> https://www.ietf.org/mailman/listinfo/saag
>> _______________________________________________
>> 6lowpan mailing list
>> 6lowpan@ietf.org
>> https://www.ietf.org/mailman/listinfo/6lowpan
>>
>
> _______________________________________________
> 6lowpan mailing list
> 6lowpan@ietf.org
> https://www.ietf.org/mailman/listinfo/6lowpan

