I am fine with this text.
Thanks,
Yaron
On 08/29/2014 11:55 PM, Leif Johansson wrote:
So absent other commentary, I believe the first paragraph should go in the
document:
===
2.9 STARTTLS Command Injection Attack (CVE-2011-0411)
A number of IETF application protocols have used an application-level command,
usually STARTTLS, to upgrade a clear-text connection to use TLS. Multiple
implementations of STARTTLS had a flaw where an application-layer input buffer
retained commands that were pipelined with the STARTTLS command, such that
commands received prior to TLS negotiation are executed after TLS negotiation.
This problem is resolved by requiring the application-level command input
buffer to be empty before negotiating TLS. Note that this flaw lives in the
application layer code and does not impact the TLS protocol directly.
===
This is an important motivation for design decisions in:
http://tools.ietf.org/html/draft-newman-email-deep-02
Speaking as an individual that seems reasonable. Yaron? Others?
_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
