Re: Provisioning, Password Strength (was RE: comments)
On Tue, 24 Jun 2003, Chris Lonvick wrote:
> > >
> > > I like that approach as well. It may be good to differentiate between
> > > provisioning and managing as well. There are a lot of problems associated
> > > with provisioning which are similar to configuration but are much more
> > > difficult to address.
> >
> > Examples? Any cases where I've got things mixed now?
>
> I need to do a thorough read-through of the document but at this time I
> don't see that the two are unmixed. :-) My concern here is that an
> attacker may intercept communications during the initial provisioning of a
> remote device, or they may substitute a device with the hopes that an
> administrator will configure it as a valid device and leave sensitive
> information in it which would then be easily retrievable by the attacker.
> Changing the configuration of an existing device may not be as susceptible
> to this problem as the administrator should have some way to validate that
> it is actually a member of the flock, and not a rogue or a decoy.
...
>
> Is this thought worthy of being included in the document, or is that a bit
> too far reaching at this time? It may be best to place a note in the
> Security Considerations section with an overall warning of this if that's
> acceptable.
I think we've got our hands full at the moment. I'll add a note to
the security considerations section.
---George