Dear Dan,

Thanks a lot for your suggestions. I am working on a new draft version which will include your suggestions. I will hopefully submit it after the IETF is opened again for submissions.

For the attacks, as I am now finalizing the PowerDNS CGA-TSIG, I will test all known attacks against this implementation and publish the list of attacks that it can prevent and the possible attacks that it cannot prevent.

Thank you,
Hosnieh

From: Dan York [mailto:[email protected]]
Sent: Tuesday, November 06, 2012 8:14 PM
To: Rafiee, Hosnieh
Cc: [email protected]
Subject: Re: Please send me your comments (CGA-TSIG)

Hosnieh,

Would you please send me your comments on our draft (presentation today) to my email address, so that I can review them and provide you with answers.

Two suggestions/comments to you:

1. I would suggest that you add a section titled something like "Problem Statement" at the beginning after the Introduction and Conventions sections and before the "Algorithm Overview" that explains in more detail the problem you are trying to solve. You have a bit of this in the Introduction and more in the "Security Considerations" section at the end, but I would suggest bringing it all together in a section that explains why people would use your proposal. You might want to have several sub-sections that enumerate different use cases (as you have done in the current Security Considerations section) and explain how CGA-TSIG would address those solutions. You might also want to briefly note in here situations that are NOT solved by CGA-TSIG. It seemed to me from listening to the IETF85 discussion that this point of what problem precisely you are trying to solve was hard for a number of people (myself included) to easily understand.

2. The section currently titled "Security Considerations" seems to actually be some of the potential use cases for CGA-TSIG. In my view, this section should really be about security considerations *related to* your CGA-TSIG proposal. I would suggest moving these use cases to the new section I suggest you create in my earlier point. I would then suggest outlining in this Security Considerations section points such as:

- how can CGA-TSIG be attacked?
- can CGA-TSIG be spoofed?
- are there other network considerations that need to be in place for CGA-TSIG to be secure?
- does the use of these addresses provide any added privacy benefits?

I'm just making these questions up, but you get the idea.... if you think like an attacker, how can he or she break CGA-TSIG or potentially use it for nefarious purposes?

Regards,
Dan

--
Dan York
[email protected]
http://www.danyork.me/<http://www.danyork.com/>
skype:danyork
Phone: +1-802-735-1624
Twitter - http://twitter.com/danyork

_______________________________________________ Int-area mailing list [email protected] https://www.ietf.org/mailman/listinfo/int-area
