headers
SM | 9 Feb 23:40

RE: Last Call: <draft-weil-shared-transition-space-request-14.txt> (IANA Reserved IPv4 Prefix for Shared Address Space) to BCP

Hi Ron,
At 12:40 PM 2/9/2012, Ronald Bonica wrote:
>At NANOG 54, ARIN reported that they are down to 5.6 /8s. If just 
>four ISPs ask for a /10 for CGN, we burn one of those /8s.
>
>Is that really a good idea?

The short answer is no.

The long answer is a bit complicated as it would be difficult to 
justify efficient utilization of a /10 within a three-month time 
frame.  There are also specific policies which can be used to get a /10.

 From an IETF perspective, I understand that the IESG is faced with a 
difficult decision and I respect its decision.

I note that Chris Grundemann has been fair when we interacted in a 
non-IETF venue.

Based on the above, I'll keep the -1 for the determination of consensus.

Regards,
-sm
Permalink | Reply | 0 comments |
headers
SM | 9 Feb 18:59

Re: Last Call: <draft-weil-shared-transition-space-request-14.txt> (IANA Reserved IPv4 Prefix for Shared Address Space) to BCP

Hi Chris,
At 08:57 AM 2/9/2012, Chris Grundemann wrote:
>http://www.apnic.net/publications/news/2011/final-8

I am aware of the APNIC announcement.  That's one out of five regions.

>Are you proposing that every ISP on the planet be given a /10 for
>inside CGN use, rather than one single /10 being reserved for this
>purpose?

No.

If I am not mistaken, IPv4 assignments are on a needs basis.  In my 
previous comment, I mentioned that RIRs are still providing unique 
IPv4 assignments to service providers that request IPv4 
addresses.  Even if the IANA pool was not exhausted, it is unlikely 
that an ISP would get a /20 due to the slow-start mechanism.

Regards,
-sm
Permalink | Reply | 2 comments |
headers
Nat Sakimura | 7 Feb 04:46
Picon
Gravatar

Comments on Section 10.10 of OAuth 2.0

Dear Sir/Madam:

Attached below, please find the comment in response to the
Last Call: <draft-ietf-oauth-v2-23.txt> (The OAuth 2.0	Authorization
Protocol) to Proposed Standard.

These comments are on the changes between rev.22 and rev.23.

Yours faithfully,

Nat Sakimura

===============================
Comment on Section 10.10
===============================

Title: "constructed from" vague
================================

Comment
--------

The current text goes as:

   The authorization server MUST prevent attackers from guessing access
   tokens, authorization codes, refresh tokens, resource owner
   passwords, and client credentials.

   Generated tokens and other credentials not intended for handling by
   end-users MUST be constructed from a cryptographically strong random
(Continue reading)

Permalink | Reply | 1 comment |
headers
Thomas Narten | 3 Feb 06:53
Picon
Favicon

Weekly posting summary for ietf <at> ietf.org

Total of 72 messages in the last 7 days.

script run at: Fri Feb  3 00:53:01 EST 2012

    Messages   |      Bytes        | Who
--------+------+--------+----------+------------------------
  8.33% |    6 |  7.73% |    51134 | tglassey <at> earthlink.net
  4.17% |    3 |  7.23% |    47849 | fcorella <at> pomcor.com
  4.17% |    3 |  6.71% |    44414 | michael.jones <at> microsoft.com
  4.17% |    3 |  5.68% |    37585 | alexey.melnikov <at> isode.com
  4.17% |    3 |  5.25% |    34752 | bernard_aboba <at> hotmail.com
  4.17% |    3 |  5.04% |    33318 | stefan.winter <at> restena.lu
  4.17% |    3 |  3.56% |    23558 | brian.e.carpenter <at> gmail.com
  4.17% |    3 |  2.97% |    19649 | sm <at> resistor.net
  4.17% |    3 |  2.02% |    13357 | nomcom-chair <at> ietf.org
  2.78% |    2 |  3.16% |    20872 | mnot <at> mnot.net
  2.78% |    2 |  2.87% |    18961 | presnick <at> qualcomm.com
  2.78% |    2 |  2.75% |    18182 | shanna <at> juniper.net
  2.78% |    2 |  2.52% |    16649 | wesley.george <at> twcable.com
  2.78% |    2 |  2.18% |    14444 | cgrundemann <at> gmail.com
  2.78% |    2 |  1.99% |    13156 | julian.reschke <at> gmx.de
  1.39% |    1 |  3.25% |    21465 | sra <at> hactrn.net
  1.39% |    1 |  3.20% |    21185 | terry.manderson <at> icann.org
  2.78% |    2 |  1.76% |    11672 | hartmans <at> painless-security.com
  2.78% |    2 |  1.52% |    10056 | jnc <at> mercury.lcs.mit.edu
  1.39% |    1 |  2.76% |    18280 | danielmaiax <at> gmail.com
  1.39% |    1 |  2.33% |    15395 | hannes.tschofenig <at> nsn.com
  1.39% |    1 |  1.92% |    12721 | ron.even.tlv <at> gmail.com
  1.39% |    1 |  1.48% |     9789 | narten <at> us.ibm.com
  1.39% |    1 |  1.43% |     9469 | daedulus <at> btconnect.com
(Continue reading)

Permalink | Reply | 0 comments |
headers
Alan Johnston | 2 Feb 22:55
Picon
Gravatar

Yet Another Reason?

Is this yet another reason not to have IETF meetings in the USA? ;-)

     http://yro.slashdot.org/story/12/02/02/1719221/do-you-like-online-privacy-you-may-be-a-terrorist

The FBI and their would-be tipsters could be flat out trying
investigate everyone who uses encryption, anonymizer and privacy tools
on the Internet, or changes SIM cards in their mobile phone!  At least
"wearing T-shirts with inscrutable slogans" isn't on the list yet or
we'd all be rounded up...

Seriously - who writes this stuff?

- Alan -
Permalink | Reply | 5 comments |
headers
NomCom Chair | 2 Feb 03:33
Picon
Favicon
Gravatar

Nomcom 2011-2012: IAB Appointments

Hi all,

The 2011-2012 IETF Nominating committee is pleased to announce
the selection of the IAB members whose two year terms start at
IETF83.

The Nomcom has selected the following persons to serve as members
of the IAB and they have been confirmed by the ISOC Board of
Trustees (in its role as the confirming body):

Bernard Aboba
Jari Arkko
Marc Blanchet
Ross Callon
Spencer Dawkins
Hannes Tschofenig

We would like to express our sincere gratitude to the incumbents
who are not returning for their outstanding service, the many
highly qualified members of the community who offered to serve,
the community for their assistance in this process, and the
individuals named above for agreeing to serve the community on
the IAB.

Suresh Krishnan
Chair, NomCom 2011-2012
Permalink | Reply | 0 comments |
headers
Jinesh Doshi | 1 Feb 17:49
Picon
Favicon

Last Call: <draft-weil-shared-transition-space-request-14.txt> (IANA Reserved IPv4 Prefix for Shared Address Space) to BCP

I support the updates to this draft.

Jinesh
Permalink | Reply | 0 comments |
headers
Francisco Corella | 1 Feb 05:53
Favicon
Gravatar

REVISED Last Call: <draft-ietf-oauth-v2-bearer-15.txt> (The OAuth 2.0 Authorization Protocol: Bearer Tokens) to Proposed Standard

The bearer token protocol described in the document referenced in the
subject line is vulnerable to the following attack by a malicious
resource server.

There are two resource servers S1 and S2, S1 hosting a resource R1,
and S2 hosting a resource R2.  Servers are not entitled to access
resources that they do not host.  S1 is malicious.  The client obtains
a broadly scoped access token that allows access to both resources.
The client uses the access token to obtain resource R1 from server S1.
Malicious server S1 then presents the access token received from the
client to server S2 and gains access to resource R2, which it is not
entitled to access.

Including the identity of the intended recipients in the token, as
recommended in Section 4.2, does not help, since the intended
recipients of the broadly scoped token include both R1 and R2.

Francisco

_______________________________________________
Ietf mailing list
Ietf <at> ietf.org
https://www.ietf.org/mailman/listinfo/ietf
Permalink | Reply | 2 comments |
headers
Francisco Corella | 30 Jan 23:12
Favicon
Gravatar

Re: REVISED Last Call: <draft-ietf-oauth-v2-23.txt> (The OAuth 2.0 Authorization Protocol) to Proposed Standard

This document has the following issues:

1. Section 10.11, in connection with phishing attacks, notes that
"wide deployment of this and similar protocols may cause end-users to
become inured to the practice of being redirected to websites where
they are asked to enter their passwords".  That begs the question:
why should this protocol be proposed as an Internet standard?

2. As observed by John Bradley in
http://www.thread-safe.com/2012/01/problem-with-oauth-for-authentication.html
if the implicit flow is used for third-party login (as in "Login with
Facebook") and if access tokens are bearer tokens, a relying party can
obtain an access token from a legitimate user and use it to
impersonate the user by presenting it to another relying party.

3. In the authorization code flow, if the client's redirection
endpoint is not protected by TLS, a man-in-the-middle attack allows
the attacker to capture the authorization code and use it to
impersonate the user by presenting it to the client, thus getting
access to the protected resources, and to the user's account at the
client if OAuth is used for third-party login.  Section 3.1.2.1 does
not require the use of TLS.  On the other hand, section 10.5 requires
TLS "if the client relies on the authorization code for its own
resource owner authentication", i.e. in the third-party login case.
The distinction between the third-party login case and the general
case is a spurious one, whose practical result is to let social sites
such as Facebook get away with telling client developers to use http
rather than https, as Facebook does in its developer documentation at
http://developers.facebook.com/docs/authentication/.  Client
developers will read the Facebook instructions rather than the OAuth
specification, and will not even be aware of the need to use TLS,
whether or not they are using OAuth for third-party login.

4. In the security considerations section, subsection 10.12 points out
a vulnerability in the protocol that allows an attacker to cause a
victim to unwittingly log in to the attacker's account instead of the
victim's account.  The third paragraph provides a countermeasure and
requires clients to implement it.  But client developers, if they read
the security considerations at all, are unlikely to understand the
countermeasure, which is barely sketched out.  I don't see why the
countermeasure is not incorporated into the protocol description to
eliminate the vulnerability.

5. Without a secure registration method, the protocol can provide no
security.  Section 2 does not explain how registration can be made
secure.  It suggest the use of a self-issued assertion by the client,
which of course would provide no security.  It also suggests the use
of a client description and logo.  Even if the client uses a TLS
certificate to authenticate during registration, the description and
logo are likely to be self-asserted, since I don't know of any CA that
certifies descriptions and logos.  Then nothing prevents a malicious
client from using during registration a valid certificate issued to
itself, together with a description and logo of a different client
that the malicious client will be able to impersonate.

6. This protocol has adverse privacy implications when used for
third-party login, as the identity provider is informed of the user's
logins.  This is aggravated by the fact that, whereas with OpenID the
user can choose an identity provider of her choice, with OAuth the
user can only use identity providers that the relying party has
preregistered with.  Some relying parties only give the choice of signing
in with Facebook.

7. The preregistration requirement reinforces the monopoly that
Facebook currently has in social networking, since any competitors
face the hurdle of convincing relying parties to register with them.

8. The preregistration requirement gives unprecedented power to
Facebook over clients, since Facebook can revoke a client's
registration at its sole discretion.

9. Indirectly, the preregistration requirement also gives
unprecedented power to Facebook over Web users, by making it necessary
to have a Facebook account for tasks such as logging in to clients or
commenting on blogs.  A user's registration, like a client
registration, can be revoked by Facebook at any time at Facebook's
sole discretion.  Without the preregistration requirement, users would
be free to log in or comment via OAuth using identity providers of
their choice.

Francisco
_______________________________________________
Ietf mailing list
Ietf <at> ietf.org
https://www.ietf.org/mailman/listinfo/ietf
Permalink | Reply | 0 comments |
headers
todd glassey | 30 Jan 21:35
Picon
Favicon

Re: encouraging compliance with IPR disclosure rules

On 1/27/2012 9:41 AM, Scott Brim wrote:
> On Thu, Jan 26, 2012 at 14:01, SM <sm <at> resistor.net> wrote:
>>  "To support the efficient development of IETF standards and
>>   avoid unnecessary delays, chairs and ADs should look for
>>   opportunities to promote awareness and compliance with the
>>   IETF's IPR policies."
>>
>> WG Chairs interact with IETF participants more often than ADs.  It is not
>> clear whether it is their responsibility to promote awareness and
>> compliance.
> 
> Don't look for some kind of procedural responsibility.  WG Chairs
> _want_ to ensure awareness and compliance as early as possible,
> because if they don't do so they suffer: they suffer embarrassment and
> sometimes failure of all their efforts when IPR is discovered late in
> the process.  There's no need to assign responsibility to chairs or
> IESG members, we already have plenty of feedback for them.
> 
>> Some points in the draft, such as the two-step approach to confirm
>> compliance may help to catch issues before they become a concern.
> 
> Yup.  Ask early and often, directly and individually.  That clearly
> makes the askees responsible, which will matter later.
> 
> Scott

Assuming all the i's are dotted and the t's crossed Scott something
which functionally seems rarely to happen. How do you deal with the
issues of being liable under the 9th Circuit Model for "Willful
Infringement" - the IETF doesnt build ANYTHING that can exist without
its implemented process - and since in many instances these violate
patent protections in place how is it that the IETF gets to set the law
aside...

I am betting it doesnt. Nor do the sponsors of those hammered here under
that. For that reason I think we need both controls that allow
unpublishing of documents and recall of Licensing Rights in a matter
where we find something wrong or outside the process happened.

Unless it is of course the plan and practice of the IETF to destroy the
US Government's copyright protections... as well as its patent process.
So I ask, is that the intent here?

Todd
> _______________________________________________
> Ietf mailing list
> Ietf <at> ietf.org
> https://www.ietf.org/mailman/listinfo/ietf
> 

--

-- 
Todd S. Glassey
This is from my personal email account and any materials from this
account come with personal disclaimers.

Further I OPT OUT of any and all commercial emailings.
Permalink | Reply | 0 comments |
headers
todd glassey | 30 Jan 21:25
Picon
Favicon

IPR statement... Intentionally creating derivatives which infringe on protected IP creates numerous claims and grounds for pain we don't need here.

The IETF has long hidden its (c) and patent violations IMHO under the
guise of its broken standards process and its time to pay for that. Here
is the case law that says NO NO NO...

This is copied from a specific IP website as an informational post. It
is specific to the willingness to infringe on patents and the legal
issues since this clearly is a joint-development consortia and not a
standards org.

In fact let me ask, when was the last time a standard itself was issued?
You see my point???

So here is the language -

1)	Willfulness is a question of fact and involves a determination as to
an infringer’s state of mind. Pall Corp. v. Micron Separations, Inc., 66
F.3d 1211, 1221 (Fed.Cir.1995) (willfulness is a question of fact that
involves elements of intent, reasonableness, and belief); Graco, Inc. v.
Binks Mfg. Co., 60 F.3d 785, 792 (Fed.Cir.1995) (same); Electro Medical
Sys., S.A. v. Cooper Life Sciences, Inc., 34 F.3d 1048, 1056
(Fed.Cir.1994); Read Corp. v. Portec, Inc., 970 F.2d 816, 828
(Fed.Cir.1992); Stickle v. Heublein, Inc., 716 F.2d 1550, 1565
(Fed.Cir.1983) (intent and reasonable beliefs are the primary focus of a
willful infringement inquiry).

2)	Specifically, in determining the question of willfulness, the primary
consideration is whether the infringer acted in disregard of the
infringed patent with no reasonable basis to believe it had a right to
do the acts in question. In the world of 2011/2012 this takes on a whole
new light in the legal context too.

3)	Pall Corp., 66 F.3d at 1221 (factfinder should examine whether the
infringer deliberately disregarded the property rights of the patentee);
Ortho Pharmaceutical Corp. v. Smith, 959 F.2d 936, 944 (Fed.Cir.1992)
(the focus of a willfulness inquiry should be on whether the infringer
had no reasonable belief for thinking it had a legal right to continue
its conduct).

So in this case what would they have to prove - that the IETF was
informed and it intentionally continued development of a intellectual
property which could not be implemented without the license of the
patent holder?

One who has actual notice of a patent owner’s rights has an affirmative
duty to respect those rights. Read Corp., 970 F.2d at 828 (citing
Rolls-Royce, Ltd. v. GTE Valeron Corp., 800 F.2d 1101, 1109
(Fed.Cir.1986)); Avia Group, Int’l, Inc. v. L.A. Gear California, Inc.,
853 F.2d 1557, 1566 (Fed.Cir.1988).

The issue of willfulness “rests on a determination of the infringer’s
state of mind,” Mahurkar v. C.R. Bard, Inc., 79 F.3d 1572, 1579
(Fed.Cir.1996), and “includes elements of intent, reasonableness, and
belief,” Pall Corp., 66 F.3d at 1221. Among the grounds for a
willfulness finding are “[t]he extent to which the infringer disregarded
the property rights of the patentee, the deliberateness of the tortious
acts, or other manifestations of unethical or injurious commercial
conduct.” Hoechst Celanese Corp. v. BP Chems. Ltd., 78 F.3d 1575, 1583
(Fed.Cir.), cert. denied, 117 S.Ct. 275, 136 L.Ed.2d 198 (1996). No
hard-and-fast rules govern the willfulness determination, which should
be made after evaluating all the relevant circumstances. Graco, Inc. v.
Binks Mfg. Co., 60 F.3d 785, 792 (Fed.Cir.1995). Willful infringement
must be proven by clear and convincing evidence. Pall Corp., 66 F.3d at
1221; In re Hayes Microcomputer Prods., Inc. Patent Litig., 982 F.2d
1527, 1543 (Fed.Cir.1992).

So... we should take notice about these issues as a new hurdle. The
research part of the IETF has nothing to do with production standards -
they are joint development agreements to specifically take a protocol
model and implement it as code...

If you would like to get the IETF's lawyers to formally - and on their
legal letterhead swear this is not true - which based on the case law
cited - they are not going to get anywhere near I bet, then  OK.
Otherwise everyone now has a new problem with the IETF and that is that
the participants and their sponsors are liable for this damage per these
standards.

Todd Glassey
--

-- 
Todd S. Glassey
This is from my personal email account and any materials from this
account come with personal disclaimers.

Further I OPT OUT of any and all commercial emailings.
Permalink | Reply | 0 comments |

Gmane