Re: [rtcweb] Alexey Melnikov's Discuss on draft-ietf-rtcweb-security-arch-18: (with DISCUSS)

Sean Turner <sean@sn3rd.com> Tue, 26 March 2019 10:28 UTC

From: Sean Turner <sean@sn3rd.com>
Date: Tue, 26 Mar 2019 11:28:26 +0100
Cc: The IESG <iesg@ietf.org>, rtcweb-chairs@ietf.org, RTCWeb IETF <rtcweb@ietf.org>, draft-ietf-rtcweb-security-arch@ietf.org
To: Adam Roach <adam@nostrum.com>, Alexey Melnikov <aamelnikov@fastmail.fm>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/YmxlOSLm1lf-pg4g5DWnW0SHPhI>


> On Mar 7, 2019, at 02:31, Sean Turner <sean@sn3rd.com> wrote:
> 
> 
> 
>> On Mar 7, 2019, at 04:37, Adam Roach <adam@nostrum.com> wrote:
>> 
>> On 3/5/19 3:52 AM, Alexey Melnikov wrote:
>>> My apologies for filing a procedural DISCUSS on this, but I am looking at:
>>> 
>>> 7.5.  Determining the IdP URI
>>> 
>>>   3.  The path, starting with "/.well-known/idp-proxy/" and appended
>>>       with the IdP protocol.  Note that the separator characters '/'
>>>       (%2F) and '\' (%5C) MUST NOT be permitted in the protocol field,
>>>       lest an attacker be able to direct requests outside of the
>>>       controlled "/.well-known/" prefix.  Query and fragment values MAY
>>>       be used by including '?' or '#' characters.
>>> 
>>> "idp-proxy" is not registered in the IANA's
>>> <https://www.iana.org/assignments/well-known-uris/well-known-uris.xhtml>
>>> registry and this document doesn't register it either. If I missed where this
>>> is registered, please point me to the right document. If I haven't, please
>>> register it in this document.
>>> 
>> 
>> Good catch! Thanks.
>> 
>> /a
> 
> I submitted a PR:
> https://github.com/rtcweb-wg/security-arch/pull/86/files
> And fired off a message to the expert list.

The response from the DE:

From: Mark Nottingham <mnot@mnot.net>
Date: Thu, 14 Mar 2019 14:53:35 +1100
Cc: wellknown-uri-review@ietf.org,
 draft-ietf-rtcweb-security-arch.all@ietf.org
To: Sean Turner <sean@sn3rd.com>

Looks fine to me, although it'd be better to refer to 5785bis.

> On 7 Mar 2019, at 12:30 pm, Sean Turner <sean@sn3rd.com> wrote:
>
> Hi! We're looking to register idp-proxy.  It's used in:
> https://datatracker.ietf.org/doc/draft-ietf-rtcweb-security-arch/
> We forgot to register it (Alexey caught it) and I submitted the
> following PR to add it:
> https://github.com/rtcweb-wg/security-arch/pull/86/files
> Let us know what you think.
>
> spt
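As an added illustration of the section 7.5 rule quoted earlier in this thread (not code from the draft or the working group), the following constructed Python builds the IdP proxy URI from a domain and protocol and enforces the MUST NOT on '/' (%2F) and '\' (%5C) in the protocol field. It goes slightly beyond the quoted text by also rejecting percent-encoded and double-encoded separators, since a decoding layer between the check and the request would otherwise reopen the escape from the "/.well-known/" prefix; the function names and sample domain are assumptions.

```python
"""Constructed example: IdP proxy URI construction per draft-ietf-rtcweb-security-arch 7.5.

The rule being enforced: the IdP protocol is appended to
"/.well-known/idp-proxy/", and the separators '/' (%2F) and '\\' (%5C)
MUST NOT appear in the protocol field, so a request can never be steered
outside the controlled "/.well-known/" prefix.  Query ('?') and fragment
('#') characters are allowed.  Names below are assumptions, not the draft's.
"""
from urllib.parse import unquote, urlsplit

WELL_KNOWN_PREFIX = "/.well-known/idp-proxy/"
FORBIDDEN_SEPARATORS = ("/", "\\")


def protocol_is_safe(protocol: str) -> bool:
    """Reject a protocol field containing a path separator, raw or encoded.

    Percent-decoding is repeated until the string is stable so that a
    double-encoded "%252F" is caught as well as a plain "%2F"; this is a
    defensive extension of the quoted MUST NOT, not something the draft says.
    """
    decoded = protocol
    for _ in range(3):  # bounded loop: stop once decoding changes nothing
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return not any(sep in decoded for sep in FORBIDDEN_SEPARATORS)


def idp_proxy_uri(domain: str, protocol: str) -> str:
    """Return https://<domain>/.well-known/idp-proxy/<protocol>, or raise."""
    if not protocol_is_safe(protocol):
        raise ValueError("protocol field must not contain '/' or '\\'")
    return f"https://{domain}{WELL_KNOWN_PREFIX}{protocol}"


def stays_under_prefix(uri: str) -> bool:
    """Independent check on an assembled URI: https and path inside the prefix."""
    parts = urlsplit(uri)
    return parts.scheme == "https" and unquote(parts.path).startswith(WELL_KNOWN_PREFIX)


if __name__ == "__main__":
    print(idp_proxy_uri("idp.example", "default"))
    print(idp_proxy_uri("idp.example", "oidc?v=1#cb"))
    for bad in ("../../admin", "..%2F..%2Fadmin", "x%5Cy", "%252F"):
        print(bad, "->", "safe" if protocol_is_safe(bad) else "rejected")
```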