Re: [Cellar] Secdir telechat review of draft-ietf-cellar-flac-12
Michael Richardson <mcr+ietf@sandelman.ca> Sat, 14 October 2023 18:05 UTC
Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: cellar@ietfa.amsl.com
Delivered-To: cellar@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6D5A3C151532; Sat, 14 Oct 2023 11:05:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.886
X-Spam-Level:
X-Spam-Status: No, score=-6.886 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, T_SCC_BODY_TEXT_LINE=-0.01, T_SPF_HELO_TEMPERROR=0.01, T_SPF_TEMPERROR=0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0k_px3VBSFbe; Sat, 14 Oct 2023 11:05:04 -0700 (PDT)
Received: from relay.sandelman.ca (relay.cooperix.net [176.58.120.209]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 456CDC1AE9CE; Sat, 14 Oct 2023 11:03:48 -0700 (PDT)
Received: from dyas.sandelman.ca (unknown [75.98.19.151]) by relay.sandelman.ca (Postfix) with ESMTPS id 052C91F449; Sat, 14 Oct 2023 18:03:47 +0000 (UTC)
Received: by dyas.sandelman.ca (Postfix, from userid 1000) id C8D6FA135D; Sat, 14 Oct 2023 14:03:44 -0400 (EDT)
Received: from dyas (localhost [127.0.0.1]) by dyas.sandelman.ca (Postfix) with ESMTP id C5FD3A0B35; Sat, 14 Oct 2023 14:03:44 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Martijn van Beurden <mvanb1@gmail.com>, Robert Sparks <rjsparks@nostrum.com>, secdir@ietf.org, cellar@ietf.org, draft-ietf-cellar-flac.all@ietf.org, last-call@ietf.org
In-reply-to: <CADQbU6-1Kfa0Ds1C0=KpdSiQrJyRj9rMnz5=SXOWjdc5ZbSTng@mail.gmail.com>
References: <169713311153.6138.9326686722928543548@ietfa.amsl.com> <CADQbU6-1Kfa0Ds1C0=KpdSiQrJyRj9rMnz5=SXOWjdc5ZbSTng@mail.gmail.com>
Comments: In-reply-to Martijn van Beurden <mvanb1@gmail.com> message dated "Sat, 14 Oct 2023 15:35:07 +0200."
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 26.3
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Sat, 14 Oct 2023 14:03:44 -0400
Message-ID: <2862907.1697306624@dyas>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cellar/AwduzkfBFA9AN7POfdc8ZBSHLuk>
Subject: Re: [Cellar] Secdir telechat review of draft-ietf-cellar-flac-12
X-BeenThere: cellar@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Codec Encoding for LossLess Archiving and Realtime transmission <cellar.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cellar>, <mailto:cellar-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cellar/>
List-Post: <mailto:cellar@ietf.org>
List-Help: <mailto:cellar-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cellar>, <mailto:cellar-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 14 Oct 2023 18:05:15 -0000
Martijn van Beurden <mvanb1@gmail.com> wrote: > This has been a blind spot in the development of this document indeed. > I am not sure how to improve. Do you perhaps know of RFCs dealing with So, this is kind of similiar to whether or not email programs load remote resources when rendering HTML parts. Generally, they used to, and now they generally do not. I don't think that this change occured due to any *IETF* advice. If there was, then it would be great to cite that. > Retrieving resources via remote protocols can potentially be tracked, > exposing the user to a privacy risk. Also, such retrievals can be used > in a DDoS attack when the URI points to a potential victim. Therefore, > applications are RECOMMENDED to ask user approval for each retrieval > individually, and cache retrieved resources. I think that this is great, and put it into Security Considerations. I don't like seeing BCP14 text (RECOMMENDED) in Security Considerations myself. I would write: applications need to ask user approval for each retrieval individually, and cache retrieved resources. > Should I perhaps add a recommendation to show the user the URI when > asking for approval? Maybe an exception for user approval can be added > when the origin of the stream is known and the URL is same-origin as > per RFC 6454? This would be useful when streaming FLAC audio over the > internet. No, this is rather too specific. >> There should also be acknowledgment of the risks of allowing arbitrary >> content to be bundled into FLAC files, particularly in contexts where >> the MIME type defined in this document is used (web retrieval, >> multipart/mime in email, wherever else). How might this be used to >> circumvent content security policies at firewalls, for example? The >> document already acknowledges that executable code can appear here, >> but that's only one type of risk, and the discussion in the document >> steers quickly to the implication that the executable code is not >> malicious. Is it ever safe to actually execute such code? I think that this is an excessive concern. It only really applies to LookOut, which ignores MIME content, and tries to guess the content, and this has been a major security hole for literally decades. I just don't think this is our business. >> Nit issue: >> >> This is really almost editorial, but I'm pulling up here so that the >> SEC ADs see it early; It's a little odd to lean on RFC4732 they way >> the document does. I understand the intent, but it requires the >> reader to do some lateral thinking to apply that RFCs guidance to this >> document. Consider some words motivating how you are intending for it >> to apply here. >> > Looking back, I think I copied this straight from rfc6716, which is the > only other audio codec for which an RFC is written as far as I know. I > propose the following instead of that first sentence: > Implementations of the FLAC codec need to take appropriate security > considerations into account. Section 2.1 of [RFC4732] provides general > information on DoS attacks on end-systems and describes some mitigation > strategies. Areas of concern specific to FLAC follow. +1 >> More of a question than an issue, but I think the ADs consider the >> answer: Why isn't this document moving the registry currently at >> https://xiph.org/flac/id.html to IANA? >> > I think I brought this up during a working group meeting quite a while > ago as I felt unable to oversee the consequences of such a decision. I > can't find anything about it in the minutes, but there was at some > point a decision to not move it to the IANA. Sorry, I am not being > vague on purpose, I simply don't know whether it would be a good idea. We aren't taking over *FLAC* We are writing a way to put it into an EBML/Matroska container. The rest of the codes aren't ours, nor is the registry. -- ] Never tell me the odds! | ipv6 mesh networks [ ] Michael Richardson, Sandelman Software Works | network architect [ ] mcr@sandelman.ca http://www.sandelman.ca/ | ruby on rails [ -- Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works -= IPv6 IoT consulting =- *I*LIKE*TRAINS*
- [Cellar] Secdir telechat review of draft-ietf-cel… Robert Sparks via Datatracker
- Re: [Cellar] Secdir telechat review of draft-ietf… Martijn van Beurden
- Re: [Cellar] Secdir telechat review of draft-ietf… Michael Richardson