Re: [dnssd] Secdir telechat review of draft-ietf-dnssd-push-19


 



Hi Tom,
Sorry for responding to your response email promptly.

I have checked the latest version -20 draft, and thought it has addressed all my security issues.
Thanks!

B.R.
Frank


-----Original Message-----
From: Tom Pusateri [mailto:pusateri@xxxxxxxxx]
Sent: June 16, 2019 0:47
To: Xialiang (Frank, Network Standard & Patent Dept) <frank.xialiang@xxxxxxxxxx>
Cc: draft-ietf-dnssd-push.all@xxxxxxxx; dnssd@xxxxxxxx; IETF <ietf@xxxxxxxx>; secdir@xxxxxxxx
Subject: Re: [dnssd] Secdir telechat review of draft-ietf-dnssd-push-19

Does this address your concerns?

> On May 17, 2019, at 11:59 AM, Tom Pusateri <pusateri@xxxxxxxxx> wrote:
> 
> Will also address TLS comments.
> 
>> 3. In the section of Security Considerations:
>>   1) you should also mention that TLS provides the anti-replay protection
>>   service for DNS Push;

I have added a 4th security service in the Security section:

Anti-replay protection:  TLS provides for the detection of and
      prevention against messages sent previously over a TLS connection
      (such as DNS Push Notifications).  Prior messages cannot be re-
      sent at a later time as a form of a man-in-the-middle attack.

>> 2) maybe you need to consider the client
>>   authentication to achieve policy control and detect illegal client;

I have added a new paragraph in the Security section:

As a consequence of requiring TLS, client certificate authentication
   and verification may also be enforced by the server for stronger
   client-server security or end-to-end security.  However,
   recommendations for security in particular deployment scenarios are
   outside the scope of this document.

>> 3) TLS
>>   WG are specifying the SNI encryption mechanism, will it influence your TLS
>>   name authentication?

SNI encryption has no effect on our use of TLS name authentication.

Thanks,
Tom





