@ll,

I'm wondering what we have, if any, in resources to prevent URS replay attacks. The threat scenario we've made includes access to the "Sent Items" folder of an URS Provider, without access to PGP information. With such access, domains that already received URS-Lock and URS-Suspend commands might be subject to lock or suspension again, even if there is not, at that time, an URS procedure ongoing. That could even happen with a new registrant of that domain.

I couldn't find anything in the requirements or URS Provider RFIs that would generate information capable of mitigating this threat... am I missing something?

Rubens

On 1 Sep 2015, at 13:35, Rubens Kuhl wrote:

> @ll,
>
> I'm wondering what we have, if any, in resources to prevent URS replay attacks. The threat scenario we've made includes access to the "Sent Items" folder of an URS Provider, without access to PGP information. With such access, domains that already received URS-Lock and URS-Suspend commands might be subject to lock or suspension again, even if there is not, at that time, an URS procedure ongoing. That could even happen with a new registrant of that domain.
>
> I couldn't find anything in the requirements or URS Provider RFIs that would generate information capable of mitigating this threat... am I missing something?

We keep track of the case IDs, so we would notice this to be a dupe. That said, I think your scenario is viable.

Luis Muñoz
Director, Registry Operations
____________________________
http://www.uniregistry.link/
2161 San Joaquin Hills Road
Newport Beach, CA 92660
Office +1 949 706 2300 x 4242
lem@uniregistry.link

On 01/09/2015, at 18:11:000, Luis E. Muñoz <lem@uniregistry.link> wrote:

> On 1 Sep 2015, at 13:35, Rubens Kuhl wrote:
>
>> @ll,
>>
>> I'm wondering what we have, if any, in resources to prevent URS replay attacks. The threat scenario we've made includes access to the "Sent Items" folder of an URS Provider, without access to PGP information. With such access, domains that already received URS-Lock and URS-Suspend commands might be subject to lock or suspension again, even if there is not, at that time, an URS procedure ongoing. That could even happen with a new registrant of that domain.
>>
>> I couldn't find anything in the requirements or URS Provider RFIs that would generate information capable of mitigating this threat... am I missing something?
>
> We keep track of the case IDs, so we would notice this to be a dupe. That said, I think your scenario is viable.

Is there a requirement for URS Providers to mention case IDs in their requests?

Rubens

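Added example, not part of the thread or of any URS requirement: a registry-side replay check built on the case-ID tracking mentioned above, with a signature-age check for a registry that holds no history of the case. The message fields, the 24-hour window, and the sample case ID, domain and dates are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class UrsCommand:
    """Fields assumed parsed from a mail whose PGP signature already verified."""
    case_id: Optional[str]   # hypothetical field; may be absent from a request
    action: str              # "URS-Lock" or "URS-Suspend"
    domain: str
    signed_at: datetime      # creation time carried in the PGP signature


class ReplayGuard:
    """A valid signature proves origin, not freshness; this checks freshness."""

    def __init__(self, max_age: timedelta = timedelta(hours=24)):  # assumed window
        self.max_age = max_age
        self.seen = set()    # in production: persistent, kept across registrants

    def check(self, cmd: UrsCommand, now: datetime) -> str:
        if not cmd.case_id:
            return "hold: no case ID, cannot deduplicate"
        key = (cmd.case_id, cmd.action, cmd.domain.lower())
        if key in self.seen:
            return "reject: duplicate case ID"
        if abs(now - cmd.signed_at) > self.max_age:
            return "hold: signature time outside window, confirm with provider"
        self.seen.add(key)
        return "accept"


def demo():
    t0 = datetime(2015, 3, 1, 12, 0, tzinfo=timezone.utc)    # constructed dates
    lock = UrsCommand("CASE-0001", "URS-Lock", "example.test", t0)
    later = t0 + timedelta(days=180)     # case closed, domain has a new registrant
    guard = ReplayGuard()
    return [
        guard.check(lock, t0 + timedelta(minutes=5)),   # original delivery
        guard.check(lock, later),                       # copy resent from "Sent Items"
        ReplayGuard().check(lock, later),               # registry with no case history
        guard.check(UrsCommand(None, "URS-Suspend", "example.test", later), later),
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```
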
Participants (2): Luis E. Muñoz, Rubens Kuhl