
From: "Susan Thomson (sethomso)" <sethomso@cisco.com>
To: <nea@ietf.org>
Date: Tue, 11 Jan 2011 17:24:33 -0600
Subject: Re: [Nea] Verifying consensus on mitigating NEA Asokan attack

I have seen 3 messages (2 public, one private) in support of the design
team's recommended approach to the NEA Asokan attack. No concerns have
been expressed. Based on the consensus checks taken in the last WG
meeting and on the mailing list, I declare consensus for incorporating
this approach into the PT proposals.

Thanks
Susan

-----Original Message-----
From: Susan Thomson (sethomso)
Sent: Tuesday, December 14, 2010 6:06 PM
To: nea@ietf.org
Subject: Verifying consensus on mitigating NEA Asokan attack

At IETF79, the design team responsible for evaluating countermeasures
to the NEA Asokan attack reported their findings to the NEA WG.

The recommended approach is to use "tls-unique" Channel Binding
defined in RFC5929 to bind the Posture Transport to the entity(*)
at the PA layer that is authenticating the posture attributes.
"tls-unique" is the content of the first Finished message in the
TLS handshake. The advantage of this proposal over the other
approaches evaluated is that it works with any ciphersuite, and it
binds to a specific TLS connection.

There was unanimous consensus at the meeting to adopt this
proposal.

(*) Referred to as External Measurement Agent (EMA) in the design
team's report.

The chairs would like to verify this consensus on the mailing
list. Please review the proposal and respond by Monday, 5pm PT on
Dec 20. Indicate in your response whether you support the changes.
If you support the changes, a one word response ("Support") is
sufficient. If not, please explain your concerns and suggest how
they could be resolved.

Links to information describing the NEA Asokan attack, the
analysis done by the design team, and the meeting materials are
below.

Thanks
Susan
--------------------

NOTE: draft-salowey-nea-asokan-00.txt describes 2 of the three
proposals evaluated by the design team. The recommended approach
was developed after the I-D was posted and is described in the
meeting slides.

IETF79 meeting slides (8-20): http://tools.ietf.org/wg/nea/agenda
IETF79 meeting minutes: http://tools.ietf.org/wg/nea/minutes
Design team report: http://tools.ietf.org/id/draft-salowey-nea-asokan-00.txt
NEA Asokan attack: http://www.ietf.org/mail-archive/web/nea/current/msg01080.html
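As an added illustration, not from the thread or the design team's report, the binding described above simulated in Python: the PA-layer entity (EMA) authenticates the posture attributes together with the tls-unique of the TLS connection it sees, and the server checks the tag against the tls-unique of the connection the attributes actually arrived on, so attributes carried over a different connection do not verify. The HMAC key, the connection objects and the posture string are constructed assumptions; the page does not specify the PA-layer authentication mechanism.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class TlsConnection:
    """Constructed stand-in for one TLS connection. tls_unique is the
    first Finished message of its handshake (RFC 5929); a real endpoint
    reads it from its TLS stack, e.g. ssl.SSLSocket.get_channel_binding(
    "tls-unique"). The bytes used below are made up so this runs offline."""
    name: str
    tls_unique: bytes


# Assumed: the EMA and the server share an HMAC key. The page does not say
# how the PA layer authenticates attributes; HMAC stands in for that here.
EMA_KEY = b"constructed-ema-key"
HEALTHY_POSTURE = b"av=on;patch-level=current"  # constructed sample


def ema_authenticate(key, posture, conn):
    """EMA covers the posture attributes together with the tls-unique of
    the connection it observes, tying the PA-layer tag to that connection."""
    cb = conn.tls_unique
    return hmac.new(key, len(cb).to_bytes(2, "big") + cb + posture,
                    hashlib.sha256).digest()


def server_verify(key, posture, tag, server_conn):
    """Server recomputes the tag over the tls-unique of the connection the
    posture arrived on; a tag produced on another connection will not match."""
    return hmac.compare_digest(ema_authenticate(key, posture, server_conn), tag)


def honest_exchange():
    # Healthy endpoint talks directly to the server over one TLS connection,
    # so EMA and server see the same Finished message.
    conn = TlsConnection("healthy<->server", b"\x11" * 12)
    tag = ema_authenticate(EMA_KEY, HEALTHY_POSTURE, conn)
    return server_verify(EMA_KEY, HEALTHY_POSTURE, tag, conn)


def relayed_exchange():
    # Asokan-style relay: the healthy endpoint's authenticated posture reaches
    # the server over a second TLS connection with a different Finished message.
    healthy_conn = TlsConnection("healthy<->relay", b"\x11" * 12)
    relay_conn = TlsConnection("relay<->server", b"\x22" * 12)
    tag = ema_authenticate(EMA_KEY, HEALTHY_POSTURE, healthy_conn)
    return server_verify(EMA_KEY, HEALTHY_POSTURE, tag, relay_conn)
```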

