On 2014-08-30 08:39, Yaron Sheffer wrote: > I am fine with this text. >
OK then I think its fine for you to deal with this as any WGLC comment - just include it in your final IETF-LC version. > Thanks, > Yaron > > On 08/29/2014 11:55 PM, Leif Johansson wrote: >> >>> So absent other commentary, I believe the first paragraph should go >>> in the >>> document: >>> >>> === >>> 2.9 STARTTLS Command Injection Attack (CVE-2011-0411) >>> >>> A number of IETF application protocols have used an application-level >>> command, >>> usually STARTTLS, to upgrade a clear-text connection to use TLS. >>> Multiple >>> implementations of STARTTLS had a flaw where an application-layer >>> input buffer >>> retained commands that were pipelined with the STARTTLS command, such >>> that >>> commands received prior to TLS negotiation are executed after TLS >>> negotiation. >>> This problem is resolved by requiring the application-level command >>> input >>> buffer to be empty before negotiating TLS. Note that this flaw lives >>> in the >>> application layer code and does not impact the TLS protocol directly. >>> === >>> >>> This is an important motivation for design decisions in: >>> http://tools.ietf.org/html/draft-newman-email-deep-02 >>> >> >> Speaking as an individual that seems reasonable. Yaron? Others? >> > > _______________________________________________ > Uta mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/uta _______________________________________________ Uta mailing list [email protected] https://www.ietf.org/mailman/listinfo/uta
