Re: [rtcweb] Alexey Melnikov's Discuss on draft-ietf-rtcweb-security-arch-18: (with DISCUSS)

Sean Turner <sean@sn3rd.com> Thu, 07 March 2019 01:31 UTC

From: Sean Turner <sean@sn3rd.com>
In-Reply-To: <2c600fc6-ca2c-2cd5-f677-6edcd0a6f3b7@nostrum.com>
Date: Thu, 7 Mar 2019 10:31:22 +0900
Cc: The IESG <iesg@ietf.org>, rtcweb-chairs@ietf.org, RTCWeb IETF <rtcweb@ietf.org>, draft-ietf-rtcweb-security-arch@ietf.org
Message-Id: <C0B8E09A-0D4E-4AE7-8074-79FB674713C6@sn3rd.com>
References: <155177956812.24656.14146723462005957233.idtracker@ietfa.amsl.com> <2c600fc6-ca2c-2cd5-f677-6edcd0a6f3b7@nostrum.com>
To: Adam Roach <adam@nostrum.com>, Alexey Melnikov <aamelnikov@fastmail.fm>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/x4XstrMdVAC4Ah7aa_FB99bDX_Y>
Subject: Re: [rtcweb] Alexey Melnikov's Discuss on draft-ietf-rtcweb-security-arch-18: (with DISCUSS)


> On Mar 7, 2019, at 04:37, Adam Roach <adam@nostrum.com> wrote:
> 
> On 3/5/19 3:52 AM, Alexey Melnikov wrote:
>> My apologies for filing a procedural DISCUSS on this, but I am looking at:
>> 
>> 7.5.  Determining the IdP URI
>> 
>>    3.  The path, starting with "/.well-known/idp-proxy/" and appended
>>        with the IdP protocol.  Note that the separator characters '/'
>>        (%2F) and '\' (%5C) MUST NOT be permitted in the protocol field,
>>        lest an attacker be able to direct requests outside of the
>>        controlled "/.well-known/" prefix.  Query and fragment values MAY
>>        be used by including '?' or '#' characters.
>> 
>> "idp-proxy" is not registered in the IANA's
>> <https://www.iana.org/assignments/well-known-uris/well-known-uris.xhtml>
>> registry and this document doesn't register it either. If I missed where this
>> is registered, please point me to the right document. If I haven't, please
>> register it in this document.
>> 
> 
> Good catch! Thanks.
> 
> /a

I submitted a PR:
https://github.com/rtcweb-wg/security-arch/pull/86/files
And fired off a message to the expert list.

spt
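As an added illustration of the section 7.5 text quoted above (this is not code from the thread, the draft, or any browser; it is the editor's own), the following JavaScript builds the IdP proxy URI from a domain and a protocol name and enforces the rule that '/' and '\' must not appear in the protocol field. Rejecting the percent-encoded forms %2F and %5C as well, the sanity check on the domain, and the fallback protocol name "default" are assumptions made here, not requirements stated in the quoted text.

```javascript
// Added example: construct https://<domain>/.well-known/idp-proxy/<protocol>
// as described in draft-ietf-rtcweb-security-arch section 7.5 and refuse
// protocol values that could escape the controlled /.well-known/ prefix.

const WELL_KNOWN_PREFIX = "/.well-known/";
const IDP_PROXY_PREFIX = WELL_KNOWN_PREFIX + "idp-proxy/";

// Separators that must not appear in the protocol field. The draft names the
// raw '/' and '\' characters; the percent-encoded forms are rejected here too,
// on the assumption that an origin server may decode them before routing.
const FORBIDDEN_IN_PROTOCOL = [/\//, /\\/, /%2f/i, /%5c/i];

function idpProxyUri(domain, protocol = "default") {
  // Assumed sanity check: the domain must be a bare host (optionally with a
  // port), so it cannot smuggle a path, query, fragment, or userinfo part.
  if (typeof domain !== "string" || domain.length === 0 || /[\/\\?#@\s]/.test(domain)) {
    throw new Error("invalid IdP domain: " + JSON.stringify(domain));
  }
  if (typeof protocol !== "string" || protocol.length === 0) {
    throw new Error("IdP protocol must be a non-empty string");
  }
  // The MUST NOT from section 7.5: no path separators in the protocol field.
  for (const re of FORBIDDEN_IN_PROTOCOL) {
    if (re.test(protocol)) {
      throw new Error("separator not permitted in IdP protocol: " + JSON.stringify(protocol));
    }
  }
  // '?' and '#' are allowed, so a protocol such as "openid?v=1#x" yields a
  // query and fragment on the resulting URI.
  return "https://" + domain + IDP_PROXY_PREFIX + protocol;
}

// Independent check on an already built URI: after URL normalisation (which
// collapses ".." segments), the path must still lie under /.well-known/.
function isUnderWellKnown(uri) {
  const u = new URL(uri);
  return u.protocol === "https:" && u.pathname.startsWith(WELL_KNOWN_PREFIX);
}

// Constructed sample inputs for a quick stand-alone run.
const samples = [
  ["idp.example", "openid"],
  ["idp.example", undefined],
  ["idp.example", "openid?v=1#x"],
  ["idp.example", "../../../admin"],
  ["idp.example", "..%2F..%2Fadmin"],
];
for (const [domain, protocol] of samples) {
  try {
    const uri = idpProxyUri(domain, protocol);
    console.log("ok   ", uri, "under /.well-known/:", isUnderWellKnown(uri));
  } catch (e) {
    console.log("reject", JSON.stringify(protocol), "-", e.message);
  }
}
```

In a browser this construction happens inside the user agent when an application calls RTCPeerConnection.setIdentityProvider(domain, {protocol}); the point of the example is that the rejection has to happen on the protocol field before the URI is assembled, since once "../" reaches the fetch the request resolves outside the well-known prefix.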