Re: SecDir review of draft-ietf-appsawg-file-scheme-14

"Paul Hoffman" <paul.hoffman@vpnc.org> Tue, 29 November 2016 19:04 UTC

Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 479D4129C31; Tue, 29 Nov 2016 11:04:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cc6Tz4Kvsk04; Tue, 29 Nov 2016 11:04:28 -0800 (PST)
Received: from mail.proper.com (Opus1.Proper.COM [207.182.41.91]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 64471129C29; Tue, 29 Nov 2016 11:04:28 -0800 (PST)
Received: from [10.32.60.81] (50-1-51-163.dsl.dynamic.fusionbroadband.com [50.1.51.163]) (authenticated bits=0) by mail.proper.com (8.15.2/8.14.9) with ESMTPSA id uATJ44VU008806 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Tue, 29 Nov 2016 12:04:05 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
X-Authentication-Warning: mail.proper.com: Host 50-1-51-163.dsl.dynamic.fusionbroadband.com [50.1.51.163] claimed to be [10.32.60.81]
From: "Paul Hoffman" <paul.hoffman@vpnc.org>
To: "Barry Leiba" <barryleiba@computer.org>
Subject: Re: SecDir review of draft-ietf-appsawg-file-scheme-14
Date: Tue, 29 Nov 2016 11:04:25 -0800
Message-ID: <C3D87929-9D00-49BC-85CB-801F1629AFC4@vpnc.org>
In-Reply-To: <CALaySJKTA9QXpm8JDzBdPKFuHGazqarHBryV7k3hZA+ObKjRCA@mail.gmail.com>
References: <CALaySJKTA9QXpm8JDzBdPKFuHGazqarHBryV7k3hZA+ObKjRCA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
X-Mailer: MailMate (1.9.6r5310)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/hazpPrhp5vwNlwKQ69-aINTHWdk>
Cc: art@ietf.org, draft-ietf-appsawg-file-scheme.all@ietf.org, IETF discussion list <ietf@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Nov 2016 19:04:30 -0000

On 29 Nov 2016, at 10:49, Barry Leiba wrote:

> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG.  These comments were written primarily for the benefit of the
> security area directors.  Document editors and WG chairs should treat
> these comments just like any other last call comments.
>
> Thanks for finally getting this through.  I think the document is
> ready with nits; my detailed comments are below.
>
> It’s a tiny thing, but where the abstract says “replacing the
> definition in RFC 1738,” one may be led to think (I was) that 1738 
> has
> a more robust definition than it does.  D’you mind changing that to
> something like this: ‘This document provides a full specification of
> the "file" Uniform Resource Identifier (URI) scheme, replacing the
> very brief definition in Section 3.10 of RFC 1738.’

Agree. (Humorously, I have some standing here; see below.)

>
> The Security Considerations section is well thought out; thanks.  The
> only thing I can think of that might be added is a few words about
> non-local file URIs.  Section 3 says two significant things that
> should be highlighted in a security consideration:
> 1. A file URI can be dependably dereferenced or translated to a local
> file path only if it is local.
> 2. This specification neither defines nor forbids any set of
> operations that might be performed on a file identified by a non-local
> file URI.
>
> Given those two things, I think it would be worth explicitly saying
> that treating a non-local URI as local or otherwise attempting to
> perform local operations on a non-local URI can result in security
> problems.

Agree.

> Matthew’s name and address will be on the RFC, of course, but is 
> that
> really the best choice for contact information for the scheme in the
> registry?  Or would it be better to point people to “Applications 
> and
> Real-Time Area <art@ietf.org>” ?  In general, we seem to have mixed
> feelings about listing individuals as contact points for things
> registered by working group documents (and I fall on the “avoid 
> using
> specific individuals” side, because individuals often come and go 
> over
> relatively short time).

Agree.

> The “References” in the registry template should just be “this 
> RFC”,
> and this RFC number will appear in the registry.
>
> A bit of process geekery:
> In the Acknowledgments, you say…
>    This specification is derived from [RFC1738], [RFC3986], and
>    [I-D.hoffman-file-uri] (expired); the acknowledgements in those
>    documents still apply.
>
> I don’t imagine there’s actually text from 1738 in here (is 
> there?).
> How much text is here from 3986?  I’m not talking about concepts, 
> but
> actual text that was brought over.  If there is, have you made sure
> that all authors of the documents you got text from agree to the terms
> of BCPs 78 & 79 ?  If not, there might need to be a pre-5378
> disclaimer in the boilerplate.  I suspect we’re OK, because we’re
> mostly talking about Larry, Roy, and TimBL, but I just wanted to
> check.
>
> (I personally think the acknowledgments text above is a bit much,
> unless you’ve really copied a lot of text from those RFCs.  But 
> that’s
> your section to do with as you think best.)

I remember that draft-hoffman-file-uri copied from 1739 and 3986. I also 
remember running away sobbing from the draft, so I appreciate that 
someone with more fortitude took it up again.

> References:
> I don’t think BCP35 is normative, and I’d move it to informative.
> I don’t think UAX15 is normative, and I’d move it to informative.
> I think UTF-8 is normative (as you have it), but UNICODE is not.
> Others might disagree with that.

I agree with all those.

> I think I would make RFC 6454 normative, only because it’s listed as 
> a
> reference for “the most secure option” in the Security 
> Considerations.

Sure.

--Paul Hoffman