Re: Last Call: draft-ietf-dnsext-axfr-clarify (DNS Zone Transfer Protocol (AXFR)) to Proposed Standard

2010-03-01 Thread Alfred Hönes
> At 11:00 22-02-10, The IESG wrote: >> The IESG has received a request from the DNS Extensions WG (dnsext) to >> consider the following document: >> >> - 'DNS Zone Transfer Protocol (AXFR) ' >> as a Proposed Standard >> >> ... > > In Section 2.2.5: > >"The contents of this section MUST f

RE: [tcpm] Last Call: draft-ietf-tcpm-tcp-auth-opt (The TCP Authentication Option) to Proposed Standard

2010-03-01 Thread Smith, Donald
I have commented numerous times that, with a paragraph that specifically provides for vendors to make "connection-less resets == attack packets", this will not get much, if any, use among ISPs or other BGP speakers. Those statements have pretty much been ignored. I do not support this draft and believe

RE: [tcpm] Last Call: draft-ietf-tcpm-tcp-auth-opt (The TCP Authentication Option) to Proposed Standard

2010-03-01 Thread Smith, Donald
Hi Wesley, I stand red-faced and corrected. The last version I saw did not address this (I think that was either 08 or 09) and I assumed the .10 didn't either. I withdraw my objection and apologize for having missed this significant rewrite!! (coffee != sleep) & (!coffee == sleep) donald.sm...@

Last Call: draft-harkins-emu-eap-pwd (EAP Authentication Using Only A Password) to Informational RFC

2010-03-01 Thread Dorothy Stanley
I am submitting one comment on draft-harkins-emu-eap-pwd : (1) Channel bindings are becoming increasingly necessary for new and evolving uses of EAP. This EAP-PWD protocol should provide for them. Dorothy Stanley Dorothy Stanley Aruba Networks dstan...@arub

Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS today announced it has adopted DNSCurve to secure DNS)

2010-03-01 Thread Phillip Hallam-Baker
Who are these 'security researchers' of whom you speak? I am a principal in the security field, if you want to contradict me then you should either say that something is your personal opinion or you should specify the other parties you are referring to. The reason that I want to see what the key r

Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS today announced it has adopted DNSCurve to secure DNS)

2010-03-01 Thread Phillip Hallam-Baker
Some CAs sacrificed security for profitability. Which was the reason I started the EV process. If the race to the bottom had continued the products we sold would have no value at all. Getting your root into a browser requires you to get a WebTrust audit against your CPS. The problem is that before

Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS today announced it has adopted DNSCurve to secure DNS)

2010-03-01 Thread Phillip Hallam-Baker
Once you have established an SSH relationship the protocol allows you to determine with a high degree of confidence that you are connecting to the same end point in future. That is not a perfect security control but it is a very useful one. It is a much more useful control than any provided by inf
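The key-continuity control described in the message above, as an added example written for this page (it is not code from the thread, from OpenSSH, or from any other SSH implementation): a known_hosts-style store where the first connection records the host key and every later connection is accepted only if the host presents the same key. The store layout and the SHA256 fingerprint notation mimic OpenSSH's conventions; the host names and key blobs are constructed for the example and are not real SSH keys.

```python
"""Trust-on-first-use host key checking, in the style of SSH known_hosts.

Example code written for this page, not OpenSSH's own code. The line
layout ("host keytype base64-blob") and the "SHA256:<base64, no padding>"
fingerprint notation follow OpenSSH conventions; the hosts and key blobs
below are constructed demo data, not real keys.
"""
import base64
import hashlib


def fingerprint(key_blob: bytes) -> str:
    """OpenSSH-style fingerprint: base64(SHA-256(blob)) with '=' padding stripped."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


class KnownHosts:
    """Minimal known_hosts store keyed on (host, key type)."""

    def __init__(self) -> None:
        self._entries: dict[tuple[str, str], bytes] = {}

    def load(self, text: str) -> None:
        """Parse 'host keytype base64' lines; blank lines and '#' comments are skipped."""
        for line in text.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            host, keytype, b64 = line.split()[:3]
            self._entries[(host, keytype)] = base64.b64decode(b64)

    def dump(self) -> str:
        """Serialize back to known_hosts-style lines (so first-use keys persist)."""
        return "\n".join(
            f"{host} {keytype} {base64.b64encode(blob).decode()}"
            for (host, keytype), blob in sorted(self._entries.items())
        )

    def check(self, host: str, keytype: str, presented: bytes) -> str:
        """Return 'NEW', 'OK' or 'MISMATCH' for the key a host just presented.

        NEW      : no record yet; record it (trust on first use). Whether the
                   first key was genuine can only be verified out of band.
        OK       : same key as before: high confidence it is the same endpoint.
        MISMATCH : key changed; possible interception, the caller must refuse.
        """
        known = self._entries.get((host, keytype))
        if known is None:
            self._entries[(host, keytype)] = presented
            return "NEW"
        if known == presented:
            return "OK"
        return "MISMATCH"


# Constructed demo data: one previously seen host with a made-up key blob.
KEY_A = b"ssh-ed25519 constructed-demo-key-A"
KEY_B = b"ssh-ed25519 constructed-demo-key-B"   # a different key for the same host
SAMPLE_KNOWN_HOSTS = (
    "# constructed for this example\n"
    f"bastion.example.test ssh-ed25519 {base64.b64encode(KEY_A).decode()}\n"
)


def demo() -> dict[str, str]:
    """Run the three cases a client sees: known-and-same, known-but-changed, never seen."""
    kh = KnownHosts()
    kh.load(SAMPLE_KNOWN_HOSTS)
    results = {
        "same key": kh.check("bastion.example.test", "ssh-ed25519", KEY_A),
        "changed key": kh.check("bastion.example.test", "ssh-ed25519", KEY_B),
        "first contact": kh.check("new.example.test", "ssh-ed25519", KEY_B),
    }
    # The MISMATCH case must not overwrite the stored key.
    results["store intact"] = kh.check("bastion.example.test", "ssh-ed25519", KEY_A)
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:14s} -> {verdict}")
    print("fingerprint of KEY_A:", fingerprint(KEY_A))
```

The point of the MISMATCH branch is the one the message makes: continuity says nothing about who the endpoint was on the first contact, but once recorded it makes a silent swap of the peer detectable on every later connection.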

ietf 1id_guidelines tool broken

2010-03-01 Thread William Allen Simpson
As of Feb 9th, the IESG posted a second status boilerplate. But the tool doesn't yet recognize it. Be warned. ___ Ietf mailing list Ietf@ietf.org https://www.ietf.org/mailman/listinfo/ietf

Re: ietf 1id_guidelines tool broken

2010-03-01 Thread William Allen Simpson
Henrik Levkowetz wrote: On 2010-02-26 20:42 William Allen Simpson said the following: As of Feb 9th, the IESG posted a second status boilerplate. But the tool doesn't yet recognize it Be warned. Specifics, please? * Is this the idnits tool or some other tool? * Which version did you u

Re: ietf 1id_guidelines tool broken

2010-03-01 Thread William Allen Simpson
Henrik Levkowetz wrote: The short response to the information below is that it seems that the secretariat is still running version 2.12.00 of idnits, while the newer version 2.12.01 (released 4 Feb 2010) accepts the new boilerplate correctly. I'm notifying the secretariat so they can update to th

Re: ietf 1id_guidelines tool broken

2010-03-01 Thread William Allen Simpson
Henrik Levkowetz wrote: Your initial 'bugreport' contained no specifics whatsoever. You inappropriately sent the 'tool is broken' message to the whole IETF general discussion list, in addition to addressing me directly (so it's not as if you didn't know where to direct a bug report). All IETF

Re: ietf 1id_guidelines tool broken

2010-03-01 Thread William Allen Simpson
Henrik Levkowetz wrote: So you're still maintaining that it's good and right to send out a notice of a problem widely and provide no information which makes it possible to resolve it? Bah! Please stop before you embarrass yourself further. The original report was very clear: "As of Feb 9th

Re: Gen-ART review for draft-ietf-ipsecme-esp-null-heuristics-05.txt

2010-03-01 Thread Tero Kivinen
Spencer Dawkins writes: > I don't feel strongly about this, but do suggest s/uses the same policy/uses > the same policy, and that changes to that single policy can be coordinated > throughout the administrative domain/, to capture what you said in your > response, which I found helpful. Change

Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS today announced it has adopted DNSCurve to secure DNS)

2010-03-01 Thread Joe Baptista
I just want to remind everyone that a DNSCurve draft is on the table. http://tools.ietf.org/html/draft-dempsky-dnscurve-01 There is an urgent need to solve the DNS security issues within a reasonable period of time. Please remember the Kaminsky DNS bug did not identify a security problem with th

Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS today announced it has adopted DNSCurve to secure DNS)

2010-03-01 Thread David Conrad
On Mar 1, 2010, at 8:34 AM, Joe Baptista wrote: > Please remember the Kaminsky dns bug did not identify a security problem with > the DNS but the UDP transport. The problem Dan Kaminsky exploited is a known weakness in the DNS protocol, specifically that a 16-bit identifier space is too small.
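An added illustration of the point made in the message above, that a 16-bit identifier space is too small (example code written for this page, not from the thread or from any resolver implementation): the forged-response race is modelled analytically and by simulation, once with only the 16-bit TXID as the secret and once with a randomized 16-bit source port added. The race model, the number of forgeries per race and the random seed are assumptions of the example. It goes slightly beyond the message by also showing why a repeatable race (fresh random subdomain per attempt) turns a small per-race chance into near-certain poisoning.

```python
"""Why a 16-bit TXID is too small: the Kaminsky-style poisoning race.

Example code written for this page. Model (an assumption of the example):
  * The resolver sends one query with a fresh secret (TXID, optionally plus a
    random source port). Before the real answer arrives the attacker fires
    `guesses` forged responses, each carrying an independent random guess.
  * The race is repeatable: each attempt asks for a fresh random subdomain,
    so a lost race costs nothing and the attacker simply tries again.
"""
import math
import random


def hit_probability(guesses: int, id_bits: int = 16, port_bits: int = 0) -> float:
    """P(at least one of `guesses` random forgeries matches the secret) in one race."""
    space = 1 << (id_bits + port_bits)
    return 1.0 - (1.0 - 1.0 / space) ** guesses


def races_for_confidence(p_per_race: float, confidence: float = 0.5) -> int:
    """Number of repeated races needed to poison with the given probability."""
    return math.ceil(math.log(1.0 - confidence) / math.log(1.0 - p_per_race))


def races_until_poisoned(rng: random.Random, guesses: int, id_bits: int = 16,
                         port_bits: int = 0, max_races: int = 10_000):
    """Monte Carlo of the repeated race.

    Returns the race number at which a forgery first matched the secret, or
    None if the attacker gave up after `max_races` races.
    """
    bits = id_bits + port_bits
    for race in range(1, max_races + 1):
        secret = rng.getrandbits(bits)            # resolver's fresh TXID (+ port)
        for _ in range(guesses):
            if rng.getrandbits(bits) == secret:   # forged reply accepted first
                return race
    return None


def compare(guesses: int = 500) -> dict[str, tuple[float, int]]:
    """Per-race odds and races-to-50% for TXID-only versus TXID plus random port."""
    out = {}
    for label, port_bits in (("txid16", 0), ("txid16+port16", 16)):
        p = hit_probability(guesses, 16, port_bits)
        out[label] = (p, races_for_confidence(p))
    return out


if __name__ == "__main__":
    for label, (p, n) in compare().items():
        print(f"{label:14s} p/race={p:.3e}  races to 50% poisoning={n:,}")
    rng = random.Random(2010)                     # assumed seed, for reproducibility
    print("simulated races to poison, 16-bit secret:",
          [races_until_poisoned(rng, 500) for _ in range(5)])
    print("simulated, 32-bit secret, attacker gives up after 200 races:",
          races_until_poisoned(rng, 500, 16, 16, max_races=200))
```

With 500 forgeries per race the TXID alone gives the attacker roughly a 0.76% chance per race and a coin flip after about 91 races, which is seconds of work; adding a random 16-bit source port pushes the same coin flip out to millions of races. That is the mitigation most resolvers shipped in 2008, and it only widens the guess space rather than authenticating the answer.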

Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS today announced it has adopted DNSCurve to secure DNS)

2010-03-01 Thread Tony Finch
On Mon, 1 Mar 2010, David Conrad wrote: > > DNSSEC is already deployed in 12 top-level domains Add a half for .uk :-) It has a deliberately invalid DNSKEY this week, full deployment next week. Tony. -- f.anthony.n.finch http://dotat.at/ GERMAN BIGHT HUMBER: SOUTHWEST 5 TO 7. MODERATE OR ROUGH

Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS today announced it has adopted DNSCurve to secure DNS)

2010-03-01 Thread Paul Wouters
On Mon, 1 Mar 2010, Tony Finch wrote: DNSSEC is already deployed in 12 top-level domains Add a half for .uk :-) It has a deliberately invalid DNSKEY this week, full deployment next week. There are more than the 12 in ITAR. From the top of my head: .br .us .museum and .pt, and of course a lar

IETF Workshop on Broadband Home Gateways

2010-03-01 Thread IESG Secretary
During the 76th IETF meeting, the Transport Area sponsored a Broadband Home Gateway BoF, called HOMEGATE. Since that time, interested IETF participants have been working to narrow the scope of the draft charter and to reach out to other Standards Development Organizations (SDOs) to ensure that the

Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS today announced it has adopted DNSCurve to secure DNS)

2010-03-01 Thread Masataka Ohta
Phillip Hallam-Baker wrote: > Moving to DNSSEC, regardless of the technical model does not eliminate > the need for certificates or CAs. The purpose of EV certificates is to > re-establish the principle of accountability. I don't know what EV means, but anything human, including CA, is not infall

Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS today announced it has adopted DNSCurve to secure DNS)

2010-03-01 Thread Wassim Haddad
On Mon, Mar 1, 2010 at 2:13 PM, Masataka Ohta < mo...@necom830.hpcl.titech.ac.jp> wrote: Phillip Hallam-Baker wrote: > > > Moving to DNSSEC, regardless of the technical model does not eliminate > > the need for certificates or CAs. The purpose of EV certificates is to > > re-establish the principl

PKIgate

2010-03-01 Thread Masataka Ohta
Phillip Hallam-Baker wrote: > You can design a PKI to meet many different needs. No, PKI can be designed for imaginary needs only with no real security. > Identity is one purpose, but not a very useful one. It is an example of imaginary security. > If you want security from a > PKI you will do

Patent disclosure in draft-shin-augmented-pake-00.txt

2010-03-01 Thread Simon Josefsson
Hi. This document [1] contains the following section: 6. Intellectual Property The National Institute of Advanced Industrial Science and Technology (AIST) has submitted a patent application about the AugPAKE protocol, described in this document. For details of the patent application

Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS today announced it has adopted DNSCurve to secure DNS)

2010-03-01 Thread Masataka Ohta
Wassim Haddad wrote: >>I don't know what EV means, but anything human, including CA, is not >>infallible, which is why PKI is insecure. > => Can you please explain in few lines what would be your preference(s) for > a solution to enable DNSsec? > I apologize if you have already submitted a propos

Gen-ART LC/Telechat review of draft-ietf-ipfix-export-per-sctp-stream-06

2010-03-01 Thread Ben Campbell
I have been selected as the General Area Review Team (Gen-ART) reviewer for this draft (for background on Gen-ART, please see http://www.alvestrand.no/ietf/gen/art/gen-art-FAQ.html). Please wait for direction from your document shepherd or AD before posting a new version of the draft. Document: d