Re: [calsify] [secdir] [Last-Call] Secdir last call review of draft-ietf-calext-ical-relations-08
Michael Douglass <mikeadouglass@gmail.com> Tue, 23 November 2021 04:45 UTC
Return-Path: <mikeadouglass@gmail.com>
X-Original-To: calsify@ietfa.amsl.com
Delivered-To: calsify@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3982E3A03F7; Mon, 22 Nov 2021 20:45:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.949
X-Spam-Level:
X-Spam-Status: No, score=-3.949 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, NICE_REPLY_A=-1.852, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id a76uxk0Zq_n6; Mon, 22 Nov 2021 20:45:40 -0800 (PST)
Received: from mail-qv1-xf2e.google.com (mail-qv1-xf2e.google.com [IPv6:2607:f8b0:4864:20::f2e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 94EA03A03ED; Mon, 22 Nov 2021 20:45:40 -0800 (PST)
Received: by mail-qv1-xf2e.google.com with SMTP id u16so14105005qvk.4; Mon, 22 Nov 2021 20:45:40 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=message-id:date:mime-version:user-agent:subject:content-language:to :cc:references:from:in-reply-to; bh=I6uTHhL+0+TPAuEj0X3WF6fbivKaNKJgey9OfsP26dQ=; b=mCC543wVSdDMfHBixuXYCqQdWe3Mlu857nzJ+JDPkMGEqcvteo3IsVMOwrwt3wV63I NNMPFGa457qdCp5A6vOxfz6j3fhBRYNtQ0eZdmC4G0qa9XK35vC92Mfwcm3EPUPosQ2K RjtXij9v5uuue77LlO6yihwWl5YtuwfI8biczVYTRK94LpyeHkDUHm4bhBX/Y0w00Sy7 L+t5ZBiq/Zn08aE3kK9YFPN7CHy67XcdlJkpYRtUKUF3VhwlKsO5CR7bdajXHqGVbMa0 JRgBh0NrI/6GYK/WLWje4pbefM6v2H/GYeG6uMDv+OB5/WkvtG0QSjcfUDnZzj5E8cfy cmPg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:message-id:date:mime-version:user-agent:subject :content-language:to:cc:references:from:in-reply-to; bh=I6uTHhL+0+TPAuEj0X3WF6fbivKaNKJgey9OfsP26dQ=; b=DZkvbSlkAk0VI690pGm9BEbZYUCRi49OQopPCnv1RFtmzcTfh1pBV+50wvCC5mWPoP qsYwqJreHT+yocdNzXJxd/8c/mhrP14Fg8gaRMf09gTm573H8RgXgbuYmtEWASV08a5x sCKIe0RNxz44Aj4b3ZJglxe/pfjnC8VC6uRtpW/rr5M9EzVpFbC/MevxvkGwLfcGVAEM cGCWoBdIPbJQIg5jXKsChJ0m+5jgGZ0nC8B1Hj6jiZQv8KQ+ur+GxIzY3VKLfcxk94Mk JgjghX7fKdIHqUHkkc8syEaLNYy6+wQlNjChIuXgj8bUzH2nz+MpTmIbXNd5IW887xNv tc0g==
X-Gm-Message-State: AOAM530Ze2z8t9BumKzH7KkNkIdIQPYEoPBW4hyCPNwz7v0n9+fTeKeE KHvjQiE0qB6RRsQFxdk4AXA=
X-Google-Smtp-Source: ABdhPJxe2DkyoPxwSs1HulOOPwVvEdeyAhvxk7CYWBOWGk5nXh7XxxScLO2id4BI31G3gHp2apXziA==
X-Received: by 2002:a05:6214:c81:: with SMTP id r1mr2492556qvr.10.1637642739011; Mon, 22 Nov 2021 20:45:39 -0800 (PST)
Received: from [192.168.1.149] (cpe-74-70-70-237.nycap.res.rr.com. [74.70.70.237]) by smtp.googlemail.com with ESMTPSA id de40sm5692441qkb.99.2021.11.22.20.45.37 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 22 Nov 2021 20:45:38 -0800 (PST)
Content-Type: multipart/alternative; boundary="------------0q7JSwO5GYsVn0cQ0Ti5uP4u"
Message-ID: <efd0bd0a-7261-a0f0-aa81-fc6b6dbce9f2@gmail.com>
Date: Mon, 22 Nov 2021 23:45:36 -0500
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Thunderbird/91.3.0
Content-Language: en-US
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: Catherine Meadows <catherine.meadows@nrl.navy.mil>, secdir@ietf.org, draft-ietf-calext-ical-relations.all@ietf.org, last-call@ietf.org, calsify@ietf.org
References: <163527417024.2618.2790897732112692791@ietfa.amsl.com> <2f1455f9-f4a9-995d-3496-900d8f495cc8@gmail.com> <20211117015346.GI93060@kduck.mit.edu>
From: Michael Douglass <mikeadouglass@gmail.com>
In-Reply-To: <20211117015346.GI93060@kduck.mit.edu>
Archived-At: <https://mailarchive.ietf.org/arch/msg/calsify/bQvD_ymKKx8azY2EIN-YFnCaRSE>
Subject: Re: [calsify] [secdir] [Last-Call] Secdir last call review of draft-ietf-calext-ical-relations-08
X-BeenThere: calsify@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Calendaring and Scheduling Standards Simplification <calsify.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/calsify>, <mailto:calsify-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/calsify/>
List-Post: <mailto:calsify@ietf.org>
List-Help: <mailto:calsify-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/calsify>, <mailto:calsify-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Nov 2021 04:45:45 -0000
On 11/16/21 20:53, Benjamin Kaduk wrote:
> Hi Michael, Catherine,
>
> Catherine -- thanks for the review!
>
> Michael -- thanks for the proposed text. It's certainly better than
> nothing, and we could iterate further if needed.
> In particular, I wonder if we actually want to duplicate some of the
> considerations from RFC 3986 that also apply to XML references, such as the
> lack of a stability guarantee that fetching the referred-to resource will
> actually produce the same results over time and for all entities that might
> be performing the fetch operation.
Thanks Ben.
I can do that. Clearly the security section in RFC3986 is applicable to
any URI.
For XML documents it may also be the case that the reference is invalid
or becomes so over time.
=== OLD ===
10. Security Considerations
Applications using the LINK property need to be aware of the risks
entailed in using the URIs provided as values. See [RFC3986] for a
discussion of the security considerations relating to URIs.
The CONCEPT and redefined RELATED-TO property have the same issues in
that values may be URIs.
=== END OLD ===
=== NEW ===
10. Security Considerations
Applications using the LINK property need to be aware of the risks
entailed in using the URIs provided as values. See section 7 of
[RFC3986] for a discussion of the security considerations relating to
URIs.
In particular note section 7.1 "Reliability and Consistency" of
[RFC3986] which points out the lack of a stability guarantee for
referenced resources.
When the value is a REFERENCE type the targeted data is an XML
document or portion thereof. Consumers need to be aware of the
security issues related to XML processing - in particular those
related to XML entities. See [RFC4918] - Section 20.6. Additionally
note that the reference may be invalid or become so over time.
The CONCEPT and redefined RELATED-TO property have the same issues in
that values may be URIs.
=== END NEW ===
>
> Thanks,
>
> Ben
>
> On Mon, Nov 08, 2021 at 11:55:05AM -0500, Michael Douglass wrote:
>> On 10/26/21 14:49, Catherine Meadows via Datatracker wrote:
>>> Reviewer: Catherine Meadows
>>> Review result: Has Issues
>>>
>>> This draft describes increases the expressive and scope of relationships that
>>> can be defined in iCalendar. It updates the already existing RELATED-TO by
>>> allowing UID and URI as values and introduces a GAP parameter to specify the
>>> length of time between two events. It also introduces three new properties:
>>> CONCEPT (roughly, category), LINK (typed reference to external meta-data or
>>> related resources), and REFID(used to identify a key that identifies all
>>> components that use that REFID). The syntax of the relationships is given and
>>> intended use cases are described.
>>>
>>> The introduction of greater expressiveness does not by itself introduce
>>> security considerations, but the introduction of references to external sources
>>> does, specifically for URIs, which are allowed as arguments of the RELATED-TO,
>>> CONCEPT, and LINK properties. The authors of this document are aware of this,
>>> and refer the reader to [RFC3986] for more information. I agree that the
>>> security considerations related to use of URIs proposed in this draft are
>>> covered by this RFC.
>>>
>>> I wonder though, if the document shouldn’t concern a similar warning about the
>>> data type REFERENCE. This refers to an XML document or a portion of an XML
>>> document. Since XML can also be used as an attack vector, a mention in the
>>> Security Considerations Section would seem appropriate.
>> I agree with the sentiment. I thought it would be easy to find a
>> document with such a section - however the XML spec itself doesn't have
>> a security section. There is at least section 20.6 in RFC4918 (WebDAV)
>> which talks about external entities. Perhaps something like this:
>>
>> When the value is a REFERENCE type the targeted data is an XML document
>> or portion thereof. Consumers need to be aware of the security issues
>> related to XML processing - in particular those related to XML entities.
>> See RFC4918 - Section 20.6
>>
>>
>>
>>>
>>>
>> _______________________________________________
>> secdir mailing list
>> secdir@ietf.org
>> https://www.ietf.org/mailman/listinfo/secdir
>> wiki:https://trac.ietf.org/trac/sec/wiki/SecDirReview
- [calsify] Secdir last call review of draft-ietf-c… Catherine Meadows via Datatracker
- Re: [calsify] [Last-Call] Secdir last call review… Michael Douglass
- Re: [calsify] [secdir] [Last-Call] Secdir last ca… Benjamin Kaduk
- Re: [calsify] [secdir] [Last-Call] Secdir last ca… Michael Douglass
- Re: [calsify] [secdir] [Last-Call] Secdir last ca… Benjamin Kaduk