I have been selected as the General Area Review Team (Gen-ART)
reviewer for this draft (for background on Gen-ART, please see
http://www.alvestrand.no/ietf/gen/art/gen-art-FAQ.html).
Please wait for direction from your document shepherd
or AD before posting a new version of the draft.
Document: d
Wassim Haddad wrote:
>>I don't know what EV means, but anything human, including CA, is not
>>infallible, which is why PKI is insecure.
> => Can you please explain in a few lines what would be your preference(s) for
> a solution to enable DNSsec?
> I apologize if you have already submitted a propos
Hi. This document [1] contains the following section:
6. Intellectual Property
The National Institute of Advanced Industrial Science and Technology
(AIST) has submitted a patent application about the AugPAKE protocol,
described in this document. For details of the patent application
Phillip Hallam-Baker wrote:
> You can design a PKI to meet many different needs.
No, PKI can be designed for imaginary needs only with no real security.
> Identity is one purpose, but not a very useful one.
It is an example of imaginary security.
> If you want security from a
> PKI you will do
On Mon, Mar 1, 2010 at 2:13 PM, Masataka Ohta <
mo...@necom830.hpcl.titech.ac.jp> wrote:
Phillip Hallam-Baker wrote:
>
> > Moving to DNSSEC, regardless of the technical model does not eliminate
> > the need for certificates or CAs. The purpose of EV certificates is to
> > re-establish the principl
Phillip Hallam-Baker wrote:
> Moving to DNSSEC, regardless of the technical model does not eliminate
> the need for certificates or CAs. The purpose of EV certificates is to
> re-establish the principle of accountability.
I don't know what EV means, but anything human, including CA, is not
infall
During the 76th IETF meeting, the Transport Area sponsored a Broadband
Home Gateway BoF, called HOMEGATE. Since that time, interested IETF
participants have been working to narrow the scope of the draft charter
and to reach out to other Standards Development Organizations (SDOs) to
ensure that the
On Mon, 1 Mar 2010, Tony Finch wrote:
DNSSEC is already deployed in 12 top-level domains
Add a half for .uk :-) It has a deliberately invalid DNSKEY this week,
full deployment next week.
There is more than the 12 in itar. From the top of my head: .br .us .museum and
.pt,
and of course a lar
On Mon, 1 Mar 2010, David Conrad wrote:
>
> DNSSEC is already deployed in 12 top-level domains
Add a half for .uk :-) It has a deliberately invalid DNSKEY this week,
full deployment next week.
Tony.
--
f.anthony.n.finch http://dotat.at/
GERMAN BIGHT HUMBER: SOUTHWEST 5 TO 7. MODERATE OR ROUGH
On Mar 1, 2010, at 8:34 AM, Joe Baptista wrote:
> Please remember the Kaminsky dns bug did not identify a security problem with
> the DNS but the UDP transport.
The problem Dan Kaminsky exploited is a known weakness in the DNS protocol,
specifically that a 16-bit identifier space is too small.
I just want to remind everyone that a DNScurve draft is on the table.
http://tools.ietf.org/html/draft-dempsky-dnscurve-01
There is an urgent need to solve the DNS security issues within a reasonable
period of time.
Please remember the Kaminsky dns bug did not identify a security problem
with th
Spencer Dawkins writes:
> I don't feel strongly about this, but do suggest s/uses the same policy/uses
> the same policy, and that changes to that single policy can be coordinated
> throughout the administrative domain/, to capture what you said in your
> response, which I found helpful.
Change
Henrik Levkowetz wrote:
So you're still maintaining that it's good and right to send out a notice
of a problem widely and provide no information which makes it possible to
resolve it? Bah!
Please stop before you embarrass yourself further. The original report
was very clear:
"As of Feb 9th
Henrik Levkowetz wrote:
Your initial 'bugreport' contained no specifics whatsoever.
You inappropriately sent the 'tool is broken' message to the whole IETF
general discussion list, in addition to addressing me directly (so it's
not as if you didn't know where to direct a bug report).
All IETF
Henrik Levkowetz wrote:
The short response to the information below is that it seems that the
secretariat is still running version 2.12.00 of idnits, while the newer
version 2.12.01 (released 4 Feb 2010) accepts the new boilerplate correctly.
I'm notifying the secretariat so they can update to th
Henrik Levkowetz wrote:
On 2010-02-26 20:42 William Allen Simpson said the following:
As of Feb 9th, the IESG posted a second status boilerplate. But the tool
doesn't yet recognize it. Be warned.
Specifics, please?
* Is this the idnits tool or some other tool?
* Which version did you u
As of Feb 9th, the IESG posted a second status boilerplate. But the tool
doesn't yet recognize it. Be warned.
___
Ietf mailing list
Ietf@ietf.org
https://www.ietf.org/mailman/listinfo/ietf
Once you have established an SSH relationship the protocol allows you
to determine with a high degree of confidence that you are connecting
to the same end point in future.
That is not a perfect security control but it is a very useful one. It
is a much more useful control than any provided by inf
Some CAs sacrificed security for profitability. Which was the reason I
started the EV process. If the race to the bottom had continued the
products we sold would have no value at all.
Getting your root into a browser requires you to get a WebTrust audit
against your CPS. The problem is that before
Who are these 'security researchers' of whom you speak? I am a
principal in the security field, if you want to contradict me then you
should either say that something is your personal opinion or you
should specify the other parties you are referring to.
The reason that I want to see what the key r
I am submitting one comment on draft-harkins-emu-eap-pwd :
(1) Channel bindings are becoming increasingly necessary for new and
evolving uses of EAP.
This EAP-PWD protocol should provide for them.
Dorothy Stanley
Aruba Networks
dstan...@arub
Hi Wesley, I stand red faced and corrected.
The last version I saw did not address this (I think that was either 08 or 09)
and I assumed the .10 didn't either.
I withdraw my objection and apologize for having missed this significant
rewrite!!
(coffee != sleep) & (!coffee == sleep)
donald.sm...@
I have commented numerous times that with a paragraph that specifically
provides vendors to make "connection-less resets == attack packets" this will
not get much if any use among ISPs or other bgp speakers.
Those statements have pretty much been ignored.
I do not support this draft and believe
> At 11:00 22-02-10, The IESG wrote:
>> The IESG has received a request from the DNS Extensions WG (dnsext) to
>> consider the following document:
>>
>> - 'DNS Zone Transfer Protocol (AXFR) '
>> as a Proposed Standard
>>
>> ...
>
> In Section 2.2.5:
>
>"The contents of this section MUST f