Dick Hardt wrote:
> On 3-Mar-06, at 12:00 PM, Robert Yates wrote:
>> I understand the compromise and yes, so monster can verify messages
>> from acme, but how does acme verify messages from monster? Is it
>> acceptable for enterprises to allow their servers to access the
>> internet?
> Good question. My experience is that it is often the case, but I
> don't know for sure.
I have asked this question to some folks who set up data centers and am
waiting on a response; I'll post the response to the mailing list when I
get it. However, one colleague that I have discussed this with
mentioned that enterprises may be reluctant to allow their servers
access to the internet as they can become susceptible to DoS attacks.

He looked at the current draft and came up with the following potential
DoS attack that could be mounted against any membersite (intranet or
internet based).

An attacker sets up rogue homesites that respond very slowly, if at all,
to verify requests and requests for persona-urls. The attacker then
peppers a membersite with messages that need verification from the rogue
homesites and that also potentially need to resolve rogue persona-urls.
Given that the homesites are responding slowly to these requests, the
requests coming out of the membersite start to build up and eventually
exhaust the server's resources, most notably the threads.

Is this a valid DoS attack, and if so, what approaches are available to
the membersite to mitigate its effect?
>> I guess what I'm asking here is a scope question. Is it within the
>> scope of DIX to allow the message signature to be a signature that
>> can be verified without a remote call? and if it isn't within the
>> scope of core, is it expected that an extension to the core could do
>> it?
> I think making PKI a requirement would be a mistake for DIX. I think
> PKI is a logical extension.
I agree that making PKI a MUST requirement would probably be a mistake,
but if it turns out that enterprises do not allow their intranet servers
to access the internet and if making a verify request or retrieving a
persona-url renders the homesite vulnerable to a DoS attack then it may
be worth considering PKI as an optional part of the specification.
Rob
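One way a membersite could bound the exposure described in the thread above, as an added simulation that is not part of the mailing-list discussion (homesite names, latencies and the verify call are constructed stand-ins, not DIX protocol code): cap the number of in-flight verify calls per homesite, put a hard timeout on each call, and reject rather than queue once the cap is reached, so a stalling rogue homesite cannot pin the membersite's worker pool.

```python
import asyncio
from collections import defaultdict

# Constructed behaviour for the simulation (hypothetical homesite names):
# seconds each homesite takes to answer a verify request. The rogue one stalls.
HOMESITE_LATENCY = {"homesite.example": 0.01, "rogue.example": 5.0}

async def homesite_verify(homesite, message):
    """Stand-in for the membersite's outbound verify call (a real one would do HTTP)."""
    await asyncio.sleep(HOMESITE_LATENCY[homesite])
    return True

class BoundedVerifier:
    """Per-homesite concurrency cap + hard timeout + load shedding instead of queueing."""
    def __init__(self, per_homesite_limit=4, timeout=0.2):
        self.limit, self.timeout = per_homesite_limit, timeout
        self.sems = defaultdict(lambda: asyncio.Semaphore(self.limit))
        self.in_flight = defaultdict(int)       # current calls per homesite
        self.peak_in_flight = defaultdict(int)  # worst case seen per homesite

    async def verify(self, homesite, message):
        sem = self.sems[homesite]
        if sem.locked():          # all slots for this homesite are busy:
            return "rejected"     # fail fast rather than queue behind it
        async with sem:
            self.in_flight[homesite] += 1
            self.peak_in_flight[homesite] = max(self.peak_in_flight[homesite],
                                                self.in_flight[homesite])
            try:
                ok = await asyncio.wait_for(homesite_verify(homesite, message),
                                            self.timeout)
            except asyncio.TimeoutError:
                return "timeout"  # wait_for cancelled the stalled call
            finally:
                self.in_flight[homesite] -= 1
        return "verified" if ok else "invalid"

async def _flood(verifier, n_rogue, n_legit):
    """A burst naming the rogue homesite, followed by legitimate messages."""
    coros = [verifier.verify("rogue.example", f"r{i}") for i in range(n_rogue)]
    coros += [verifier.verify("homesite.example", f"l{i}") for i in range(n_legit)]
    outcomes = defaultdict(int)
    for result in await asyncio.gather(*coros):
        outcomes[result] += 1
    return dict(outcomes), dict(verifier.peak_in_flight)

def simulate(n_rogue=50, n_legit=4):
    """Returns (outcome counts, peak in-flight calls per homesite)."""
    return asyncio.run(_flood(BoundedVerifier(), n_rogue, n_legit))
```

With 50 messages pointing at the rogue homesite, only 4 calls are ever in flight to it and the rest are refused immediately, while the legitimate homesite's messages still verify; in a thread-per-request server the same cap and timeout bound how many threads a slow homesite can hold.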
_______________________________________________
dix mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/dix