[glue-wg] Security considerations
Burke, S (Stephen)
stephen.burke at stfc.ac.uk
Thu Nov 20 05:25:10 CST 2008
Paul Millar [mailto:paul.millar at desy.de] said:
> [BTW, please check RFC-3552; it says we MUST talk about
> certain attacks, like replay]
OK, but the "talking about" may presumably just be a statement that it
doesn't apply.
> If Eve records these messages, she may be able to inject it
> at a later date.
> Although she couldn't undertake a "modification" attack, the
> system is open to a "replay" attack.
OK, that's a reasonable point, but perhaps you should say that
explicitly. Usually replay attacks mean that you are capturing one side
of a transaction and replaying it later to the other side, and that kind
of thing doesn't seem relevant to GLUE.
> Anyway, this section isn't very long and doesn't say anything too
> controversial, so I'd be inclined to keep this one, too, but
> if you feel it's a waste of space we can also remove it.
You can leave the section in, but say that it's a special case of
modification. Again the usual meaning of mitm is that you sit in the
middle of a transaction, e.g. a fake web site that looks like your bank,
passes your keystrokes on to the real site and passes its responses back
to you.
Stephen