Re: [calsify] [secdir] [Last-Call] Secdir last call review of draft-ietf-calext-ical-relations-08
Benjamin Kaduk <kaduk@mit.edu> Tue, 23 November 2021 06:19 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: calsify@ietfa.amsl.com
Delivered-To: calsify@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A130F3A07CF; Mon, 22 Nov 2021 22:19:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.498
X-Spam-Level:
X-Spam-Status: No, score=-1.498 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, KHOP_HELO_FCRDNS=0.399, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RRCRAl5DtdEV; Mon, 22 Nov 2021 22:19:17 -0800 (PST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2B0873A0799; Mon, 22 Nov 2021 22:19:16 -0800 (PST)
Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 1AN6J5Fp019408 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 23 Nov 2021 01:19:10 -0500
Date: Mon, 22 Nov 2021 22:19:04 -0800
From: Benjamin Kaduk <kaduk@mit.edu>
To: Michael Douglass <mikeadouglass@gmail.com>
Cc: Catherine Meadows <catherine.meadows@nrl.navy.mil>, secdir@ietf.org, draft-ietf-calext-ical-relations.all@ietf.org, last-call@ietf.org, calsify@ietf.org
Message-ID: <20211123061904.GZ93060@kduck.mit.edu>
References: <163527417024.2618.2790897732112692791@ietfa.amsl.com> <2f1455f9-f4a9-995d-3496-900d8f495cc8@gmail.com> <20211117015346.GI93060@kduck.mit.edu> <efd0bd0a-7261-a0f0-aa81-fc6b6dbce9f2@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <efd0bd0a-7261-a0f0-aa81-fc6b6dbce9f2@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/calsify/aDg6OK2DcudoDhkru-07jD8zZO8>
Subject: Re: [calsify] [secdir] [Last-Call] Secdir last call review of draft-ietf-calext-ical-relations-08
X-BeenThere: calsify@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Calendaring and Scheduling Standards Simplification <calsify.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/calsify>, <mailto:calsify-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/calsify/>
List-Post: <mailto:calsify@ietf.org>
List-Help: <mailto:calsify-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/calsify>, <mailto:calsify-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Nov 2021 06:19:22 -0000
Hi Michael, Looks great. Many thanks for putting it together! -Ben On Mon, Nov 22, 2021 at 11:45:36PM -0500, Michael Douglass wrote: > > On 11/16/21 20:53, Benjamin Kaduk wrote: > > Hi Michael, Catherine, > > > > Catherine -- thanks for the review! > > > > Michael -- thanks for the proposed text. It's certainly better than > > nothing, and we could iterate further if needed. > > In particular, I wonder if we actually want to duplicate some of the > > considerations from RFC 3986 that also apply to XML references, such as the > > lack of a stability guarantee that fetching the referred-to resource will > > actually produce the same results over time and for all entities that might > > be performing the fetch operation. > > Thanks Ben. > > I can do that. Clearly the security section in RFC3986 is applicable to > any URI. > > For XML documents it may also be the case that the reference is invalid > or becomes so over time. > > === OLD === > > 10. Security Considerations > > Applications using the LINK property need to be aware of the risks > entailed in using the URIs provided as values. See [RFC3986] for a > discussion of the security considerations relating to URIs. > > The CONCEPT and redefined RELATED-TO property have the same issues in > that values may be URIs. > > === END OLD === > > === NEW === > > 10. Security Considerations > > Applications using the LINK property need to be aware of the risks > entailed in using the URIs provided as values. See section 7 of > [RFC3986] for a discussion of the security considerations relating to > URIs. > > In particular note section 7.1 "Reliability and Consistency" of > [RFC3986] which points out the lack of a stability guarantee for > referenced resources. > > When the value is a REFERENCE type the targeted data is an XML > document or portion thereof. Consumers need to be aware of the > security issues related to XML processing - in particular those > related to XML entities. See [RFC4918] - Section 20.6. Additionally > note that the reference may be invalid or become so over time. > > The CONCEPT and redefined RELATED-TO property have the same issues in > that values may be URIs. > > === END NEW === > > > > > Thanks, > > > > Ben > > > > On Mon, Nov 08, 2021 at 11:55:05AM -0500, Michael Douglass wrote: > >> On 10/26/21 14:49, Catherine Meadows via Datatracker wrote: > >>> Reviewer: Catherine Meadows > >>> Review result: Has Issues > >>> > >>> This draft describes increases the expressive and scope of relationships that > >>> can be defined in iCalendar. It updates the already existing RELATED-TO by > >>> allowing UID and URI as values and introduces a GAP parameter to specify the > >>> length of time between two events. It also introduces three new properties: > >>> CONCEPT (roughly, category), LINK (typed reference to external meta-data or > >>> related resources), and REFID(used to identify a key that identifies all > >>> components that use that REFID). The syntax of the relationships is given and > >>> intended use cases are described. > >>> > >>> The introduction of greater expressiveness does not by itself introduce > >>> security considerations, but the introduction of references to external sources > >>> does, specifically for URIs, which are allowed as arguments of the RELATED-TO, > >>> CONCEPT, and LINK properties. The authors of this document are aware of this, > >>> and refer the reader to [RFC3986] for more information. I agree that the > >>> security considerations related to use of URIs proposed in this draft are > >>> covered by this RFC. > >>> > >>> I wonder though, if the document shouldn’t concern a similar warning about the > >>> data type REFERENCE. This refers to an XML document or a portion of an XML > >>> document. Since XML can also be used as an attack vector, a mention in the > >>> Security Considerations Section would seem appropriate. > >> I agree with the sentiment. I thought it would be easy to find a > >> document with such a section - however the XML spec itself doesn't have > >> a security section. There is at least section 20.6 in RFC4918 (WebDAV) > >> which talks about external entities. Perhaps something like this: > >> > >> When the value is a REFERENCE type the targeted data is an XML document > >> or portion thereof. Consumers need to be aware of the security issues > >> related to XML processing - in particular those related to XML entities. > >> See RFC4918 - Section 20.6 > >> > >> > >> > >>> > >>> > >> _______________________________________________ > >> secdir mailing list > >> secdir@ietf.org > >> https://www.ietf.org/mailman/listinfo/secdir > >> wiki:https://trac.ietf.org/trac/sec/wiki/SecDirReview
- [calsify] Secdir last call review of draft-ietf-c… Catherine Meadows via Datatracker
- Re: [calsify] [Last-Call] Secdir last call review… Michael Douglass
- Re: [calsify] [secdir] [Last-Call] Secdir last ca… Benjamin Kaduk
- Re: [calsify] [secdir] [Last-Call] Secdir last ca… Michael Douglass
- Re: [calsify] [secdir] [Last-Call] Secdir last ca… Benjamin Kaduk