draft-reschke-rfc2231-in-http security considerations

Graham Klyne <GK@ninebynine.org> Sat, 20 February 2010 08:00 UTC

Return-Path: <GK@ninebynine.org>
X-Original-To: apps-discuss@core3.amsl.com
Delivered-To: apps-discuss@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 781103A80CD for <apps-discuss@core3.amsl.com>; Sat, 20 Feb 2010 00:00:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.953
X-Spam-Level:
X-Spam-Status: No, score=-5.953 tagged_above=-999 required=5 tests=[AWL=-0.346, BAYES_00=-2.599, DATE_IN_PAST_12_24=0.992, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Z8HTBAGBf5Fm for <apps-discuss@core3.amsl.com>; Sat, 20 Feb 2010 00:00:54 -0800 (PST)
Received: from relay0.mail.ox.ac.uk (relay0.mail.ox.ac.uk [129.67.1.161]) by core3.amsl.com (Postfix) with ESMTP id 713813A7D11 for <apps-discuss@ietf.org>; Sat, 20 Feb 2010 00:00:53 -0800 (PST)
Received: from smtp0.mail.ox.ac.uk ([129.67.1.205]) by relay0.mail.ox.ac.uk with esmtp (Exim 4.71) (envelope-from <GK@ninebynine.org>) id 1NikIU-0000SS-2f; Sat, 20 Feb 2010 08:02:42 +0000
Received: from gklyne.plus.com ([80.229.154.156] helo=Eskarina.local) by smtp0.mail.ox.ac.uk with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.69) (envelope-from <GK@ninebynine.org>) id 1NikIU-0003LU-1t; Sat, 20 Feb 2010 08:02:42 +0000
Message-ID: <4B7E53B8.6070805@ninebynine.org>
Date: Fri, 19 Feb 2010 09:02:48 +0000
From: Graham Klyne <GK@ninebynine.org>
User-Agent: Thunderbird 2.0.0.23 (Macintosh/20090812)
MIME-Version: 1.0
To: "apps-discuss@ietf.org" <apps-discuss@ietf.org>, Julian Reschke <julian.reschke@gmx.de>
Subject: draft-reschke-rfc2231-in-http security considerations
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Oxford-Username: zool0635
X-BeenThere: apps-discuss@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: General discussion of application-layer protocols <apps-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/apps-discuss>
List-Post: <mailto:apps-discuss@ietf.org>
List-Help: <mailto:apps-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 20 Feb 2010 08:00:55 -0000

Reviewing:
http://www.ietf.org/id/draft-reschke-rfc2231-in-http-09.txt

I note that the security considerations section says nothing about possible 
character "spoofing" - i.e. making a displayed prompt or value appear to be 
something other than it is.  E.g. Non-ASCII characters have been used to set up 
exploits involving dodgy URIs that may appear to a user to be legitimate.

#g