RE: [Ipsec] FW: I-D ACTION:draft-friedman-ike-short-term-certs-00.txt
Arik,
The Security Considerations section notes the dependence
of the "short term" property on security gateway clocks,
but doesn't seem to cover all the cases needed to prevent
problems here - all it says is that:
1) If there are multiple security gateways
2) Then their clocks SHOULD be synchronized
I think there is room for improvement in both aspects.
1) Gateway clocks have to be protected even if there's
only a single gateway. If an attacker can roll a security
gateway's clock back, the attacker has extended the
validity of short term certificates, even if there's only
one gateway. I suggest that all gateway clocks MUST be
protected against rollback, and in addition, the time
span of certificate validity (notBefore to notAfter) in
short term certificates SHOULD be limited (limit TBD) to
cap the benefit from a single clock rollback event.
2) The general "SHOULD" is a bit weak. As a strawman I'd
suggest that if the STC_LIFETIME attribute is used
(indicating a concern about problems caused by lack of
clock synchronization with the client), then the security
gateway clocks MUST be synchronized in some fashion -
the current text that provides examples but does not
require a specific method to be used is fine.
Thanks,
--David
----------------------------------------------------
David L. Black, Senior Technologist
EMC Corporation, 176 South St., Hopkinton, MA 01748
+1 (508) 293-7953 FAX: +1 (508) 293-7786
black_david@xxxxxxx Mobile: +1 (978) 394-7754
----------------------------------------------------
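To make the two points above concrete, here is an added example (not part of this message, nor code from the draft) that models a security gateway validating a short-term certificate against its own clock. It shows (1) that a gateway whose clock can simply be set backwards will accept an already-expired short-term certificate again, while a clock with a persisted high-water mark refuses the rollback, and (2) how a cap on the notBefore-to-notAfter span bounds what a single rollback can buy. The cap value `MAX_STC_SPAN`, the clock classes and all timestamps are assumptions chosen for illustration; the draft leaves the actual limit TBD.

```python
"""Clock rollback vs. short-term certificate validity (illustrative model)."""
from __future__ import annotations
from dataclasses import dataclass

# Assumed cap on the notBefore..notAfter span of a short-term cert (seconds).
# The draft leaves the real limit TBD; one hour is a placeholder.
MAX_STC_SPAN = 3600


@dataclass(frozen=True)
class ShortTermCert:
    subject: str
    not_before: int   # seconds since epoch (constructed values below)
    not_after: int

    @property
    def span(self) -> int:
        return self.not_after - self.not_before


class NaiveClock:
    """Gateway clock with no rollback protection: set() accepts any value."""

    def __init__(self, now: int) -> None:
        self.now = now

    def set(self, new_time: int) -> None:
        self.now = new_time


class RollbackGuardedClock:
    """Gateway clock that refuses to step back past its high-water mark.

    A real gateway would persist the high-water mark across reboots; here it
    lives in memory for illustration only.
    """

    def __init__(self, now: int) -> None:
        self.now = now
        self._high_water = now

    def set(self, new_time: int) -> None:
        if new_time < self._high_water:
            raise ValueError(
                f"clock rollback rejected: {new_time} < high-water {self._high_water}")
        self.now = new_time
        self._high_water = new_time


def check_cert(cert: ShortTermCert, now: int,
               max_span: int = MAX_STC_SPAN) -> tuple[bool, str]:
    """Validate a short-term cert against the gateway's view of time.

    The span check runs first: a cert whose validity window is longer than the
    cap is rejected outright, so a single rollback can never extend it by more
    than max_span seconds.
    """
    if cert.span > max_span:
        return False, f"validity span {cert.span}s exceeds cap {max_span}s"
    if now < cert.not_before:
        return False, "not yet valid"
    if now > cert.not_after:
        return False, "expired"
    return True, "ok"


def replay_after_rollback(cert: ShortTermCert, clock, attacker_time: int) -> tuple[bool, str]:
    """Model an attacker who rolls the gateway clock back to attacker_time and
    then presents cert. Returns the validation outcome, or the rollback refusal."""
    try:
        clock.set(attacker_time)
    except ValueError as exc:
        return False, str(exc)
    return check_cert(cert, clock.now)


if __name__ == "__main__":
    # Constructed scenario: cert valid for one hour, gateway now well past it.
    cert = ShortTermCert("client", not_before=1000, not_after=4600)
    print(check_cert(cert, now=8000))                                  # expired
    print(replay_after_rollback(cert, NaiveClock(8000), 2000))         # accepted again
    print(replay_after_rollback(cert, RollbackGuardedClock(8000), 2000))  # rollback rejected
    # A 30-day "short-term" cert is refused regardless of the clock.
    print(check_cert(ShortTermCert("client", 1000, 1000 + 30 * 86400), now=2000))
```

The span cap is checked before the time window on purpose: it is a property of the certificate, not of the clock, so it holds even on a gateway whose clock has already been tampered with.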
> -----Original Message-----
> From: Arik Friedman [mailto:arikf@xxxxxxxxxxxxxxxxx]
> Sent: Wednesday, November 29, 2006 12:16 PM
> To: ipsec@xxxxxxxx
> Subject: [Ipsec] FW: I-D
> ACTION:draft-friedman-ike-short-term-certs-00.txt
>
> Hello,
>
> We would appreciate any comments you may have regarding this
> draft, either
> privately or to the IPSec mailing list.
>
> Thanks,
> Arik Friedman.
_______________________________________________
Ipsec mailing list
Ipsec@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ipsec