Re: [secdir] SECDIR review of draft-ietf-jcardcal-jcard-05
Stephen Kent <kent@bbn.com> Mon, 22 July 2013 15:11 UTC
Return-Path: <kent@bbn.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3E77221E80C4; Mon, 22 Jul 2013 08:11:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.599
X-Spam-Level:
X-Spam-Status: No, score=-106.599 tagged_above=-999 required=5 tests=[AWL=-0.001, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AuNsZpAwxtv0; Mon, 22 Jul 2013 08:11:38 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.1.81]) by ietfa.amsl.com (Postfix) with ESMTP id B6BB211E811E; Mon, 22 Jul 2013 08:11:24 -0700 (PDT)
Received: from dommiel.bbn.com ([192.1.122.15]:44774 helo=comsec.home) by smtp.bbn.com with esmtp (Exim 4.77 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1V1HlK-0007jN-Hd; Mon, 22 Jul 2013 11:10:59 -0400
Message-ID: <51ED4B82.300@bbn.com>
Date: Mon, 22 Jul 2013 11:10:58 -0400
From: Stephen Kent <kent@bbn.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:17.0) Gecko/20130620 Thunderbird/17.0.7
MIME-Version: 1.0
To: Philipp Kewisch <kewisch@gmail.com>
References: <51E6FB7C.2060106@bbn.com> <51EC3040.4000900@gmail.com>
In-Reply-To: <51EC3040.4000900@gmail.com>
Content-Type: multipart/alternative; boundary="------------030002080403000709060907"
Cc: secdir <secdir@ietf.org>, bert.greevenbosch@huawei.com, "jcardcal@ietf.org" <jcardcal@ietf.org>, stpeter@stpeter.im, Barry Leiba <barryleiba@computer.org>, Pete Resnick <presnick@qti.qualcomm.com>
Subject: Re: [secdir] SECDIR review of draft-ietf-jcardcal-jcard-05
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Jul 2013 15:11:44 -0000
Phillip, Thanks for the edits. They address my concerns. Steve -------- On 7/21/13 3:02 PM, Philipp Kewisch wrote: > > On 7/17/13 10:15 PM, Stephen Kent wrote: >> >> This document cites the Security Considerations section of original >> vCard RFC (noted above) as the primary content for its Security >> Considerations section. It asserts that no new security concerns >> arise with respect to _calendar data_, because this specification >> merely maps the original vCard data to a new format.However, it then >> cites the Security Considerations section of the JSON specification >> (RFC 4627) noting that there are additional security risks that arise >> from using JSON to represent vCard data! To me these two statements >> seem somewhat contradictory, but that can be addressed by refining >> the wording here. >> >> More worrisome is the fact that this very brief section mentions only >> calendar data security. Does that mean that no other type of vCard >> use, when using JSON encoding, creates any new security concerns? >> This document is much broader in scope than just iCal data (the >> subject of draft-ietf-jcardcal-jcal-07), so this narrowly focused >> comment seems out of place. >> > Yes, this was a copy/paste fail from the jCal draft. I've corrected > both instances of "calendar" to "vCard". > > OLD: > For security considerations specific to calendar data, see Section 9 > of [RFC6350]. Since this specification is a mapping from vCard, no > new security concerns are introduced related to calendar data. > > NEW: > For security considerations specific to vCard data, see Section 9 of > [RFC6350]. Since this specification is a mapping from vCard, no new > security concerns are introduced related to vCard data. > >> RFC 6350's Security Considerations section notes few concerns that >> are Vcard-specific; most of the comments in that section relate to >> the need to provide security for vCards when they are transported, >> e.g., via email. All of these concerns are equally applicable here, >> as indicated, without the calendar data comment. >> > Taken care of by the previous change. > >> RFC 4627's security considerations section turns out to be an >> indirect reference to two paragraphs in the IANA Considerations >> section! (This seems silly and it's not clear why that document was >> published with such an obvious structural error, but ...). The >> security concern cited in 4627 is that JavaScript (JS) is a scripting >> language and thus JSON might be used to execute malicious JS. However >> JSON is intended to be a "safe" subset of JS, i.e., it should be able >> to be evaluated in JS without security concerns, if it is properly >> constrained.The text in 4627 provides two regular expressions that >> can be invoked to strip any characters that might cause security >> problems. I'd feel a lot more comfortable if this text were >> explicitly replicated in this I-D, and the I-D _mandated_ this >> processing step before passing the Jcard data to JS. (It might even >> make sense as a post processing step as part of the vCard to JCard >> processing described in Section 3.) The level of indirection >> currently used in the Security Considerations section, and the casual >> advisory nature of the original text might easily be overlooked by an >> implementer. >> >> Finally, the notion of JSON as "safe" JS subset assumes that the >> parser processing the JSON does not have a security flaw. Such flaws >> have been identified, one as recently as February of this year. It >> might be good to note that this represents a new type of security >> concern that would not arise in a conventional vCard context. >> > As most popular JavaScript implementations use JSON.parse() for > parsing JSON data, I don't see the need to put this into Section 3. > I've changed the text to include the regex and a little more > information from what you wrote via email, let me know what you think: > > OLD: > The use of JSON as a format does have security risks. Section 7 of > [RFC4627] discusses these risks. > > NEW: > The use of JSON as a format does have security concerns. Even though > JSON is considered a safe subset of JavaScript, this does not ensure > that the parser processing JSON does not have a security flaw. When > processing jCard data, this concern should be taken into account as > it doesn't arise with conventional vCard data. > > As with JSON, when passing jCard data to JavaScript's eval() > function, certain precautions must be taken to ensure that no > security issues arise. Specifically, all characters not enclosed in > strings MUST exclusively be in the set of characters that form JSON > tokens. This can be quickly determined in JavaScript with two > regular expressions and calls to the test and replace methods. > > var my_jCal_object = !(/[^,:{}\[\]0-9.\-+Eaeflnr-u \n\r\t]/.test( > text.replace(/"(\\.|[^"\\])*"/g, ''))) && > eval('(' + text + ')'); > > See also Section 7 of [RFC4627] for security considerations of the > JSON format.
- [secdir] SECDIR review of draft-ietf-jcardcal-jca… Stephen Kent
- Re: [secdir] SECDIR review of draft-ietf-jcardcal… Stephen Kent
- Re: [secdir] SECDIR review of draft-ietf-jcardcal… Pete Resnick
- Re: [secdir] SECDIR review of draft-ietf-jcardcal… Philipp Kewisch
- Re: [secdir] SECDIR review of draft-ietf-jcardcal… Philipp Kewisch
- Re: [secdir] SECDIR review of draft-ietf-jcardcal… Stephen Kent
- Re: [secdir] SECDIR review of draft-ietf-jcardcal… Stephen Kent