Re: SecDir review of draft-ietf-appsawg-file-scheme-14

[Barry Leiba <barryleiba@computer.org>]

Thanks, Matthew!

b

On Tue, Dec 6, 2016 at 7:03 PM Matthew Kerwin <matthew.kerwin@qut.edu.au>
wrote:

> Thanks Barry (and Paul),
>
> I agree with everything you've written here, and I don't think any of it's
> too controversial,  so I'll work it all in to my copy pretty much exactly
> as you've suggested.
>
> The acknowledgements is hung over from the very first versions of the
> draft, which cribbed a lot from Paul's old draft. I'm pretty sure it's been
> completely rewritten several times since then, so I will definitely redo
> the acks.
>
> Cheers
> --
> Matthew Kerwin  |  Queensland University of Technology  |
> matthew.kerwin@qut.edu.au  |  CRICOS No 00213J
> ________________________________
> From: barryleiba@gmail.com <barryleiba@gmail.com> on behalf of Barry
> Leiba <barryleiba@computer.org>
> Sent: 30 November 2016 04:49:12
> To: draft-ietf-appsawg-file-scheme.all@ietf.org; secdir@ietf.org
> Cc: IETF discussion list; art@ietf.org
> Subject: SecDir review of draft-ietf-appsawg-file-scheme-14
>
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG.  These comments were written primarily for the benefit of the
> security area directors.  Document editors and WG chairs should treat
> these comments just like any other last call comments.
>
> Thanks for finally getting this through.  I think the document is
> ready with nits; my detailed comments are below.
>
> It’s a tiny thing, but where the abstract says “replacing the
> definition in RFC 1738,” one may be led to think (I was) that 1738 has
> a more robust definition than it does.  D’you mind changing that to
> something like this: ‘This document provides a full specification of
> the "file" Uniform Resource Identifier (URI) scheme, replacing the
> very brief definition in Section 3.10 of RFC 1738.’
>
> The Security Considerations section is well thought out; thanks.  The
> only thing I can think of that might be added is a few words about
> non-local file URIs.  Section 3 says two significant things that
> should be highlighted in a security consideration:
> 1. A file URI can be dependably dereferenced or translated to a local
> file path only if it is local.
> 2. This specification neither defines nor forbids any set of
> operations that might be performed on a file identified by a non-local
> file URI.
>
> Given those two things, I think it would be worth explicitly saying
> that treating a non-local URI as local or otherwise attempting to
> perform local operations on a non-local URI can result in security
> problems.
>
> Matthew’s name and address will be on the RFC, of course, but is that
> really the best choice for contact information for the scheme in the
> registry?  Or would it be better to point people to “Applications and
> Real-Time Area <art@ietf.org>” ?  In general, we seem to have mixed
> feelings about listing individuals as contact points for things
> registered by working group documents (and I fall on the “avoid using
> specific individuals” side, because individuals often come and go over
> relatively short time).
>
> The “References” in the registry template should just be “this RFC”,
> and this RFC number will appear in the registry.
>
> A bit of process geekery:
> In the Acknowledgments, you say…
>    This specification is derived from [RFC1738], [RFC3986], and
>    [I-D.hoffman-file-uri] (expired); the acknowledgements in those
>    documents still apply.
>
> I don’t imagine there’s actually text from 1738 in here (is there?).
> How much text is here from 3986?  I’m not talking about concepts, but
> actual text that was brought over.  If there is, have you made sure
> that all authors of the documents you got text from agree to the terms
> of BCPs 78 & 79 ?  If not, there might need to be a pre-5378
> disclaimer in the boilerplate.  I suspect we’re OK, because we’re
> mostly talking about Larry, Roy, and TimBL, but I just wanted to
> check.
>
> (I personally think the acknowledgments text above is a bit much,
> unless you’ve really copied a lot of text from those RFCs.  But that’s
> your section to do with as you think best.)
>
> References:
> I don’t think BCP35 is normative, and I’d move it to informative.
> I don’t think UAX15 is normative, and I’d move it to informative.
> I think UTF-8 is normative (as you have it), but UNICODE is not.
> Others might disagree with that.
> I think I would make RFC 6454 normative, only because it’s listed as a
> reference for “the most secure option” in the Security Considerations.
>
> Barry
>