Opened 5 years ago

Closed 3 months ago

#179 closed defect (fixed)

Security considerations for dao projection

Reported by: mariainesrobles@…
Owned by: pthubert@…
Priority: major
Milestone:
Component: dao-projection
Version:
Severity: Active WG Document
Keywords:
Cc: mcr+ietf@…

Description

Michael Richardson wrote on 12-24-2016

https://www.ietf.org/mail-archive/web/roll/current/msg10069.html

14) Security Considerations will need to be written.

The security threats document details very specific threats, and indicating if this protocol changes things is important.  Also, some consideration SHOULD be given to when A=1.  Are the effects of the new flow of control messages?

So for instance Security Considerations should probably consider how projected DAO messages could be abused by

a) rogue nodes
b) via replay of messages
c) if use of projected DAO messages could in fact deal with any threats?

Change History (2)

comment:1 Changed 3 years ago by pthubert@…

added a todo in the security section

comment:2 Changed 3 months ago by pthubert@…

  • Resolution set to fixed
  • Status changed from new to closed

Dear all

Ines pointed out an active ticket https://trac.ietf.org/trac/roll/ticket/179 and https://trac.ietf.org/trac/roll/ticket/180 against the DAO projection draft. It was logged at adoption call time and I failed to respond properly.

This was against https://datatracker.ietf.org/doc/html/draft-thubert-roll-dao-projection-03 , water under the bridge so I tried to sort things out and published https://datatracker.ietf.org/doc/html/draft-ietf-roll-dao-projection-18 as a result.

14) Security Considerations will need to be written. The security threats document details very specific threats, and indicating if this protocol changes things is important. Also, some consideration SHOULD be given to when A=1. Are the effects of the new flow of control messages? So for instance Security Considerations should probably consider how projected DAO messages could be abused by a) rogue nodes b) via replay of messages c) if use of projected DAO messages could in fact deal with any threats?

I created a security section in line with that of RFC 9010.

I hope and believe that this removes the roadblock to go for last call.
