RE: IETF Last Call: draft-salowey-tls-ticket-06.txt

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



> The MAC will check out only if the servers are using the same key.  

That's not necessarily true.  Since the ticket is not self-describing. 
and there is no normative language relating to ticket construction, there 
is no guarantee that implementations will put the MAC field in the same 
place or use the same algorithm.  This could be fixed by including a 
globally and temporally unique ticket identifier, and mandating that the 
MAC field be put at the end. 

> It's certainly true that "implements all the MUSTs in the document"
> does not imply the system is secure, but that applies pretty much 
> to any document (unless it says "the system MUST be secure" :-). 

While it's certainly true that normative language doesn't guarantee 
security, most specifications do use normative language, if only to pin 
down some basic features of the specification.  It is quite possible for 
this specification to allow innovation along many dimensions, by 
mandating a few critical items, enough to avoid interoperability problems, 
and leaving the rest open. 


_______________________________________________

Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf

[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]