[rtcweb] Alexey Melnikov's Discuss on draft-ietf-rtcweb-security-arch-18: (with DISCUSS)

Alexey Melnikov <aamelnikov@fastmail.fm> Tue, 05 March 2019 09:52 UTC

From: Alexey Melnikov <aamelnikov@fastmail.fm>
To: "The IESG" <iesg@ietf.org>
Cc: draft-ietf-rtcweb-security-arch@ietf.org, Sean Turner <sean@sn3rd.com>, rtcweb-chairs@ietf.org, sean@sn3rd.com, rtcweb@ietf.org
Message-ID: <155177956812.24656.14146723462005957233.idtracker@ietfa.amsl.com>
Date: Tue, 05 Mar 2019 01:52:48 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/HLv1Db77jKS5bvFXThQDQeWCj4Q>
Subject: [rtcweb] Alexey Melnikov's Discuss on draft-ietf-rtcweb-security-arch-18: (with DISCUSS)

Alexey Melnikov has entered the following ballot position for
draft-ietf-rtcweb-security-arch-18: Discuss

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-rtcweb-security-arch/



----------------------------------------------------------------------
DISCUSS:
----------------------------------------------------------------------

Thank you for a well written document!

My apologies for filing a procedural DISCUSS on this, but I am looking at:

7.5.  Determining the IdP URI

   3.  The path, starting with "/.well-known/idp-proxy/" and appended
       with the IdP protocol.  Note that the separator characters '/'
       (%2F) and '\' (%5C) MUST NOT be permitted in the protocol field,
       lest an attacker be able to direct requests outside of the
       controlled "/.well-known/" prefix.  Query and fragment values MAY
       be used by including '?' or '#' characters.

"idp-proxy" is not registered in the IANA's
<https://www.iana.org/assignments/well-known-uris/well-known-uris.xhtml>
registry and this document doesn't register it either. If I missed where this
is registered, please point me to the right document. If I haven't, please
register it in this document.
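
The separator rule in the quoted section 7.5 text, shown as an added example that is not part of the original message or the draft: it compares unchecked concatenation with a checked builder under the WHATWG URL parser. The "https" scheme, the `domain` argument, the placeholder `idp.example` and all function names are assumptions, and the post-parse prefix check goes beyond the quoted rule to cover dot segments.

```javascript
// Added example, not code from the draft. Assumptions: the "https" scheme,
// the `domain` argument (taken as already validated) and all function names.
const PREFIX = "/.well-known/idp-proxy/";

// Unchecked concatenation: shows what the URL parser does with separators.
function naiveIdpUri(domain, protocol) {
  return new URL("https://" + domain + PREFIX + protocol).href;
}

// Checked construction following the quoted rule for the protocol field.
function idpUri(domain, protocol) {
  if (typeof protocol !== "string" || protocol === "") {
    throw new Error("IdP protocol must be a non-empty string");
  }
  // '/' and '\' MUST NOT appear, in literal or percent-encoded form.
  if (/[\/\\]|%2f|%5c/i.test(protocol)) {
    throw new Error("separator in IdP protocol: " + JSON.stringify(protocol));
  }
  const url = new URL("https://" + domain + PREFIX + protocol);
  // Extra check beyond the quoted text: dot segments ("..", "%2e%2e", ".")
  // contain no separator but still move or empty the final path segment.
  if (!url.pathname.startsWith(PREFIX) || url.pathname === PREFIX) {
    throw new Error("IdP protocol escapes " + PREFIX);
  }
  return url.href;
}

// Constructed sample inputs (idp.example is a placeholder domain).
const samples = ["default", "default?x=1#frag", "../../login", "..\\..\\login",
                 "..%2F..%2Flogin", "%2e%2e"];
for (const p of samples) {
  let checked;
  try { checked = idpUri("idp.example", p); } catch (e) { checked = "rejected: " + e.message; }
  console.log(JSON.stringify(p), "\n  naive:  ", naiveIdpUri("idp.example", p), "\n  checked:", checked);
}
```

The parser treats '\' as '/' for https URLs, which is why both separators leave the prefix in the naive form.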