[nfsv4] Eric Rescorla's Discuss on draft-ietf-nfsv4-xattrs-05: (with DISCUSS)

[Eric Rescorla <ekr@rtfm.com>]

Eric Rescorla has entered the following ballot position for
draft-ietf-nfsv4-xattrs-05: Discuss

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-nfsv4-xattrs/



----------------------------------------------------------------------
DISCUSS:
----------------------------------------------------------------------

      Since xattrs are application data, security issues are exactly
the
      same as those relating to the storing of file data and named
      attributes.  These are all various sorts of application data and
      the fact that the means of reference is slightly different in
each
      case should not be considered security-relevant.  As such, the
      additions to the NFS protocol for supporting extended attributes
      do not alter the security considerations of the NFSv4.2 protocol
      [RFC7862].

This seems inadequate. The issue is that if machine A writes some
extended attribute which is security relevant (i.e., this file is
only readable under certain conditions) and then machine B doesn't
know about the attribute, then you have a security problem on B
because it will not enforce it. It seems like FreeBSD uses extended
attributes for this purpose, so this isn't just theoretical.