
Re: Draft Minutes of May 29, 2003 Telechat
Ted:

I cleared Jeff Schiller's DISCUSS if an RFC Editor's note was added with the following replacement text for the security considerations section of draft-legg-ldap-gser:

The Generic String Encoding Rules do not define a canonical encoding.
That is, a transformation from a GSER encoding into some other
encoding (e.g. BER) and back into GSER will not necessarily reproduce
exactly the original GSER octet encoding. Therefore GSER MUST NOT
be used where a canonical encoding is needed.

Furthermore, GSER does not necessarily enable the exact octet
encoding of values of the TeletexString, VideotexString,
GraphicString or GeneralString types to be reconstructed, so a
transformation from DER to GSER and back to DER is not likely to
reproduce the original DER encoding. Therefore GSER MUST NOT be
used in any protocols where recovery of an original binary object
is needed. Such recovery is needed for the verification of digital
signatures. In such cases, protocols ought to use DER or another
canonical encoding.

When interpreting security-sensitive fields, and in particular fields
used to grant or deny access, implementations MUST ensure that any
comparisons are done on the underlying abstract value, regardless of
the particular encoding used.

Russ

At 09:43 AM 5/30/2003 -0700, hardie@qualcomm.com wrote:
At 12:28 PM -0400 5/30/03, iesg-secretary@ietf.org wrote:
2.2.2. Returning Item

        o Collective Attributes in LDAP (Proposed Standard)
        <draft-zeilenga-ldap-collective-08.txt>
        Token: Hardie, Ted
        Under discussion by Steve Bellovin and Bill Fenner.
I believe this should be under discussion by Russ.  I think Bill agreed
that we can solve his issue by an RFC Editor note removing the
5 & 6 byte forms that have been deprecated by ISO and the
Yergeau draft.
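The replacement security considerations text above makes two points that are easy to misread as abstract: GSER is not a canonical encoding, so a round trip through it need not reproduce the original binary encoding, and comparisons of security-sensitive fields must be made on the abstract value rather than on any particular encoding. The following is an added illustration written for this thread, not code from the GSER draft or from any IETF project. It models only ASN.1 BOOLEAN, because BER permits any non-zero content octet for TRUE while DER requires 0xFF and GSER (RFC 3641) writes the literal TRUE, so a BER-to-GSER-to-BER round trip cannot recover a non-canonical original. All encodings and the sample access flag below are constructed for the demonstration; this is not a general ASN.1 codec.

```python
"""Constructed demonstration: why a GSER round trip loses the original
BER octets, and why access decisions must compare abstract values.

Only ASN.1 BOOLEAN is modelled (tag 0x01, one content octet):
  BER: any non-zero content octet means TRUE (X.690 8.2.2)
  DER: TRUE must be encoded as 0xFF (X.690 11.1)
  GSER: the literals TRUE / FALSE (RFC 3641)
"""

BOOLEAN_TAG = 0x01


def ber_decode_boolean(octets: bytes) -> bool:
    """Decode a BER BOOLEAN TLV; any non-zero content octet is TRUE."""
    if len(octets) != 3 or octets[0] != BOOLEAN_TAG or octets[1] != 1:
        raise ValueError("not a single-octet BOOLEAN TLV")
    return octets[2] != 0


def der_encode_boolean(value: bool) -> bytes:
    """DER (canonical) form: TRUE is exactly 0xFF, FALSE is 0x00."""
    return bytes([BOOLEAN_TAG, 1, 0xFF if value else 0x00])


def gser_encode_boolean(value: bool) -> str:
    """GSER BooleanValue is the literal TRUE or FALSE."""
    return "TRUE" if value else "FALSE"


def gser_decode_boolean(text: str) -> bool:
    literal = text.strip()
    if literal == "TRUE":
        return True
    if literal == "FALSE":
        return False
    raise ValueError("not a GSER BooleanValue: %r" % text)


def ber_to_gser_to_ber(octets: bytes) -> bytes:
    """Round trip BER -> GSER -> BER.

    GSER keeps only the abstract value, so the re-encoder can emit only
    the canonical form; a non-canonical original (e.g. 01 01 01) is lost.
    """
    abstract = gser_decode_boolean(gser_encode_boolean(ber_decode_boolean(octets)))
    return der_encode_boolean(abstract)


def compare_encoded_octets(a: bytes, b: bytes) -> bool:
    """The comparison the draft text forbids: equality of a particular encoding."""
    return a == b


def compare_abstract_values(a: bytes, b: bytes) -> bool:
    """The comparison the draft text requires: equality of the decoded value."""
    return ber_decode_boolean(a) == ber_decode_boolean(b)


# Constructed access-control flag: TRUE means "access denied" for this entry.
def denied_by_octet_comparison(flag: bytes) -> bool:
    """Defective check: only the canonical DER bytes for TRUE are recognised,
    so a legal BER encoding such as 01 01 01 is silently treated as not denied."""
    return flag == der_encode_boolean(True)


def denied_by_abstract_value(flag: bytes) -> bool:
    """Correct check: decode first, then decide on the abstract value."""
    return ber_decode_boolean(flag)


if __name__ == "__main__":
    non_canonical_true = bytes([0x01, 0x01, 0x01])  # constructed, legal BER
    print("round trip:", ber_to_gser_to_ber(non_canonical_true).hex())
    print("octet compare:", compare_encoded_octets(non_canonical_true, der_encode_boolean(True)))
    print("value compare:", compare_abstract_values(non_canonical_true, der_encode_boolean(True)))
    print("denied (octets):", denied_by_octet_comparison(non_canonical_true))
    print("denied (value): ", denied_by_abstract_value(non_canonical_true))
```

Running it shows the round trip returning 01 01 ff for an input of 01 01 01, the octet comparison reporting the two encodings of TRUE as different, and the octet-based access check missing a deny flag that the value-based check catches; the same reasoning is why the text requires DER or another canonical encoding wherever the original octets must be recovered, as for signature verification.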