per-entity - Re: [Per-Entity] deploying TLS on the MDQ server
Subject: Per-Entity Metadata Working Group
- From: "Cantor, Scott" <>
- To: Tom Scavo <>
- Cc: Per-Entity Metadata Working Group <>
- Subject: Re: [Per-Entity] deploying TLS on the MDQ server
- Date: Fri, 9 Sep 2016 13:40:56 +0000
On 9/9/16, 9:31 AM, "on behalf of Tom Scavo" wrote:

> Can you be more specific about what you think is "tight enough?"

I haven't thought about it, but in giving a little bit of consideration to
it, I don't know if there is anything realistic that would help given the
sort of attack I'm thinking of. Certainly hours at most, but really the
attack just requires that the window between "it changed" and "it gets
requested" is wider than real time. So I suppose I think TLS is basically a
requirement in the end.

> I'm not following you. On the production side, aggregates and entities
> are identical since they emanate from the same infrastructure. On the
> client side, request patterns are different, I realize that, but I
> don't see how that influences validUntil. I think I'm missing something.

The difference is in the knowledge the attacker has of when the request for
the metadata might be made. Because it's an active attack, knowing when the
request will be made is pretty significant in pulling something off that
requires actively intercepting and changing/substituting a result.

-- Scott