FYI Begin forwarded message:
From: Ben Laurie <[email protected]<mailto:[email protected]>> Subject: Re: [secdir] Fwd: RE: SecDir review of draft-williams-websec-session-continue-prob-00 Date: February 7, 2013 3:58:27 AM GMT+02:00 To: Stephen Farrell <[email protected]<mailto:[email protected]>> Cc: "[email protected]<mailto:[email protected]>" <[email protected]<mailto:[email protected]>> Not really a proper review, but some thoughts: " 4. Resistance to active attacks on https. [NOTE: This should probably NOT be a requirement. Instead we should be happy to note where a proposed protocol provides this.]" I'm very confused by this point, but... a) What active attacks? Need to specify them. b) If there are active attacks that are actually effective (surely not?) that can be avoided by these protocols, then avoidance should be compulsory. And then... " 8. Session continuation must provide protection against man-in-the- middle (MITM) attacks when using TLS. (This is important when using anonymous Diffie-Hellman cipher suites for TLS, as well as when using server certificates from low-value Public Key Infrastructures (PKI)." Seems to be a couple of examples of what they're talking about. " 10. Must work across all types of proxies. Proxies that can modify the plaintext HTTP requests and responses can (but should not) interfere with any session continuation protocol." A man-in-the-middle is a type of proxy, so this seems like an unsatisfiable requirement.
_______________________________________________ websec mailing list [email protected] https://www.ietf.org/mailman/listinfo/websec
