IETF-SSH archive
Re: additional core draft nits in need of WG attention.
Bill Sommerfeld <sommerfeld%east.sun.com@localhost> writes:
> > >3. Section 2, last paragraph. Setting the SHOULD for the timeout to 10
> > >minutes seems very long. Doesn't it open up some denial-of-service
> > >attacks? The SHOULD for the timeout ought to be for interoperability.
>
> I'm reluctant to change that. First, it's a SHOULD, not a MUST..
> also, making it too short may cause issues for the handicapped
> (consider the combination of slow typing rate and high error rate..)
I don't think the specification of the timeout is essential at all.
There are lots of other non-standardized authentication timeouts out
there, with login-program, various kinds of http authentication, etc,
and there doesn't seem to be a big problem to leave this to local
policy.
I don't think the DOS issue is particularly relevant, given that
unauthenticated users can force the server to perform the cpu-intensive
key exchange protocol.
It's nice to have some guidelines in the spec, and ten minutes sounds
reasonable to me. But as far as I'm concerned it could be degraded to
a RECOMMEND or ripped out totally, if that makes anybody happier.
/Niels