Threat analysis update and WG last call.

From: Mani, Mahalingam (Mani) (mmani
Date: Thu, 11 Sep 2008 10:25:17 -0700 (PDT)

The following comment by Pasi Eronen against -03 version of the draft (and a proposed alternate text – thanks Pasi):

=====================================================
The text in Section 10.1.1.1 is pretty good, but it still doesn't mention the vulnerabilities that arise if you try to do zero configuration. Perhaps something like this?

"It should be noted that authorization and zero configuration are not fully compatible. Even if the WTPs and the ACs are shipped with manufacturer-provided certificates, the WTPs need to know who the correct AC is in this deployment (as opposed to other ACs from the same vendor, purchased and controlled by an adversary), and the AC needs to know which WTPs are part of this deployment (as opposed to WTPs purchased and controlled by an adversary). The threat analysis in this document assumes that WTPs can identify the correct AC, and the AC can identify the correct WTPs. Analysis of situations where either of these assumptions is not true is beyond the scope of this document."
=====================================================

has been addressed in -04.

This is a one-week WGLC call for this change in -04 version of the threat analysis draft. If you have any comments on this response do post them before September 19, 2008.

Thanks,
-mani
=============
Mahalingam Mani