[Tzdist] Security Considerations: Is TLS security sufficient
Daniel Migault <mglt.ietf@gmail.com> Thu, 21 August 2014 15:53 UTC
Return-Path: <mglt.ietf@gmail.com>
X-Original-To: tzdist@ietfa.amsl.com
Delivered-To: tzdist@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 12B581A037E for <tzdist@ietfa.amsl.com>; Thu, 21 Aug 2014 08:53:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WsCnGmrwKkKN for <tzdist@ietfa.amsl.com>; Thu, 21 Aug 2014 08:52:55 -0700 (PDT)
Received: from mail-wi0-x22f.google.com (mail-wi0-x22f.google.com [IPv6:2a00:1450:400c:c05::22f]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 641241A019B for <tzdist@ietf.org>; Thu, 21 Aug 2014 08:52:55 -0700 (PDT)
Received: by mail-wi0-f175.google.com with SMTP id ho1so8918890wib.2 for <tzdist@ietf.org>; Thu, 21 Aug 2014 08:52:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type; bh=8TR7Wxj1hKGLEfBNDc6bSGJQ7rr0yN4HmErhnv20/B8=; b=eToq3V2p74UH+PYGDDN/QoepeArrwp6QpOf7H68WUwF0XSRfnbyNME5JZ+R1CKplOF EZDpz79n8+do2KJbfDO7O7/LefU1WiKw6hh9FfT93pySjZ98DExInGM3fP6N6dgnZfDQ Nhq2nKiBsJvsze4GmqX9WXVHDow/UuO4E3V58XQmKljl8Y4QApW9lAPm9FOkl97HjuCT JakTUXPsAFu9uEWykX8g8VZVQTVXhWKOCuOLrum2Z//VBhzlcRkmG3igJ9/phdJSCr+I gU6UKDwrNcQC3/jSuXSSX6HZr9GrmcG/7n0vJZLeTlMr+t6N8C++I/dQYaCG8IFOnkbh 5g1w==
MIME-Version: 1.0
X-Received: by 10.180.20.40 with SMTP id k8mr5434179wie.54.1408636374040; Thu, 21 Aug 2014 08:52:54 -0700 (PDT)
Received: by 10.194.137.67 with HTTP; Thu, 21 Aug 2014 08:52:54 -0700 (PDT)
Date: Thu, 21 Aug 2014 17:52:54 +0200
Message-ID: <CADZyTkkACqAC9f4eTcUPhAqGLgLOhB+CegLDdutcNExq0Bfe=w@mail.gmail.com>
From: Daniel Migault <mglt.ietf@gmail.com>
To: tzdist@ietf.org
Content-Type: multipart/alternative; boundary="bcaec53d57afb144e5050125b6ea"
Archived-At: http://mailarchive.ietf.org/arch/msg/tzdist/R9q9cPY1MypkLU6z-ZMU8MmU2DY
Subject: [Tzdist] Security Considerations: Is TLS security sufficient
X-BeenThere: tzdist@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <tzdist.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tzdist>, <mailto:tzdist-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tzdist/>
List-Post: <mailto:tzdist@ietf.org>
List-Help: <mailto:tzdist-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tzdist>, <mailto:tzdist-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Aug 2014 15:53:00 -0000
Hi, The draft mentions that security is provided by TLS. This model is fine as long as I trust the server I am connected to. However, if we consider the root provider as legitimate (IANA for example), a TLS communication would provide integrity check. On the other hand, we have no mean to check that the alternate providers have not alterate/modified the time zone data. Wouldn't it be more appropriated to have integrity check mechanisms within the data. The charter mentions - The time zone data will be based on the Time Zone Database (http://www.iana.org/time-zones) but must be able to include any source of time zone data. So working on the data format seems out of scope. However if a secure data format may be designed in the future. TLS will not be needed for integrity protection. but only for confidentiality or privacy issues. Similarly to DNS, it would make sense to have both secure or unsecured transport layer depending on your goals. -- Daniel Migault Orange Labs -- Security +33 6 70 72 69 58
- Re: [Tzdist] Security Considerations: Is TLS secu… Cyrus Daboo
- [Tzdist] Security Considerations: Is TLS security… Daniel Migault