Stephen Farrell has entered the following ballot position for draft-ietf-dnsop-5966bis-05: Discuss
The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-5966bis/

----------------------------------------------------------------------
DISCUSS:
----------------------------------------------------------------------

Don't we need text warning that TFO is likely problematic with DNS privacy and that attacks that try to prepend information (via TFO) to otherwise secured sessions could occur? While that might sound a bit far-fetched, we have seen exactly that kind of issue with HTTPS that had practical impact on WebDAV. (The TLS renego and then triple handshake attacks.) So while using TFO may not enable a slam-dunk CVE level 10 attack, I think you do need to consider and talk about it. (Or maybe you did and figured out no attack can work, but then I'd guess you'd be so happy, you'd say that too:-)

I'm not sure how this'd best be resolved, but one thing might be to talk to the folks thinking about TCPINC as they have at least hit this as a potential issue for tcpcrypt and for tcp-use-tls.

Otherwise, this is a fine document on which I'll ballot yes when the above is sorted.