[glue-wg] Security considerations

Burke, S (Stephen) stephen.burke at stfc.ac.uk
Thu Nov 20 05:25:10 CST 2008


Paul Millar [mailto:paul.millar at desy.de] said:
> [BTW, please check RFC-3552; it says we MUST talk about 
> certain attacks, like replay]

OK, but the "talking about" may presumably just be a statement that it
doesn't apply.

> If Eve records these messages, she may be able to inject them 
> at a later date.  
> Although she couldn't undertake a "modification" attack, the 
> system is open to a "replay" attack.

OK, that's a reasonable point, but perhaps you should say that
explicitly. Usually replay attacks mean that you are capturing one side
of a transaction and replaying it later to the other side, and that kind
of thing doesn't seem relevant to GLUE.

> Anyway, this section isn't very long and doesn't say anything too 
> controversial, so I'd be inclined to keep this one, too, but 
> if you feel it's a waste of space we can also remove it.

You can leave the section in, but say that it's a special case of
modification. Again the usual meaning of mitm is that you sit in the
middle of a transaction, e.g. a fake web site that looks like your bank,
passes your keystrokes on to the real site and passes its responses back
to you.

Stephen