IETF Logo Mail Archive

Re: [secdir] Secdir review of draft-ietf-scim-core-schema-18

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Tue, 05 May 2015 07:21 UTC

Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2451C1B2EBD; Tue, 5 May 2015 00:21:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.999
X-Spam-Level:
X-Spam-Status: No, score=-0.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, MIME_QP_LONG_LINE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id scoPDqOjryVd; Tue, 5 May 2015 00:21:37 -0700 (PDT)
Received: from mail-wi0-x229.google.com (mail-wi0-x229.google.com [IPv6:2a00:1450:400c:c05::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 38BEC1B2EC0; Tue, 5 May 2015 00:21:37 -0700 (PDT)
Received: by widdi4 with SMTP id di4so134633393wid.0; Tue, 05 May 2015 00:21:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:content-type:mime-version:subject:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=q688npnWghBNS8lZazUtGyieTKeUp6xZwjsBqEGPW8Y=; b=GHS8liafJBRsMb0cJ9qQuVuhuZTZ0q+lG54BeRZhsuaegrk4vbSmS728cI++v2K1Uv OoesqCep6HpluTp6c3GfpKTsa6Jr7S4Jh0ZwqV4eTTMNcwKatjlYv0+xDxT5rshD2Mhd glHXM7tR8r55zgvzYl4y+MBq/q3ngJjumb2m+ReXXYcfoMjleHEYbW3ZRXuPq0+HXvse wCQHLuquiJOKxk7uW3wYo1I3lAcpt/jknm/4+YI3u04k+yllfewr8s9zqlWiEQQdmLgn QB5nEXm0EJU7oicTBlwWR1/vnRc4sSRZiCEdzka+pK9T8As2i8B+X+lJDzSHXn7cQogQ hogA==
X-Received: by 10.194.205.101 with SMTP id lf5mr8075116wjc.42.1430810495982; Tue, 05 May 2015 00:21:35 -0700 (PDT)
Received: from [10.67.44.90] (host86-187-25-174.range86-187.btcentralplus.com. [86.187.25.174]) by mx.google.com with ESMTPSA id kc4sm24116314wjc.2.2015.05.05.00.21.35 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 05 May 2015 00:21:35 -0700 (PDT)
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
X-Google-Original-From: Kathleen Moriarty <Kathleen.Moriarty.ietf@gmail.com>
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (1.0)
X-Mailer: iPhone Mail (11D257)
In-Reply-To: <5D457571-55CA-45D4-A9F4-9F1B8C96E6B4@cisco.com>
Date: Tue, 05 May 2015 08:21:35 +0100
Content-Transfer-Encoding: quoted-printable
Message-Id: <5F34F5D3-8567-45DD-AB08-1AC173992B88@gmail.com>
References: <97FFF87E-5CFC-42BB-90A8-29DBE30C7772@cisco.com> <53991217-3DC8-4A97-9FCC-93B632D3C878@yahoo.com> <5D457571-55CA-45D4-A9F4-9F1B8C96E6B4@cisco.com>
To: "Brian Weis (bew)" <bew@cisco.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/0R4BPbngHYYmJ6Z27dv5BytsRvY>
Cc: Phil Hunt <phil.hunt@yahoo.com>, "draft-ietf-scim-core-schema.all@tools.ietf.org" <draft-ietf-scim-core-schema.all@tools.ietf.org>, The IESG <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] Secdir review of draft-ietf-scim-core-schema-18
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 May 2015 07:21:39 -0000

Thanks for your review, Brian.  Inline.

Sent from my iPhone

> On May 4, 2015, at 8:26 PM, "Brian Weis (bew)" <bew@cisco.com> wrote:
> 
> Hi Phil,
> 
>> On May 4, 2015, at 11:45 AM, Phil Hunt <phil.hunt@yahoo.com> wrote:
>> 
>> Brian,
>> 
>> Thanks for taking time to review both the recent documents. My proposed corrections inline…
>> 
>> Phil
>> 
>> phil.hunt@yahoo.com
>> 
>>> On May 4, 2015, at 10:39 AM, Brian Weis (bew) <bew@cisco.com> wrote:
>>> 
>>> I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.
>>> 
>>> For the security area directions, I consider this document to be "Ready with nits”.
>>> 
>>> This document documents resources a JSON scheme for Cross-Domain Identity Management, a standard definition of attributes representing users and groups, and a set of named schemas incorporating these attributes. The goal of the document  is to make identity management in cloud based applications and services easier. This is used when identity information needs to be shared between services.
>>> 
>>> The Security Considerations (Section 9) in version 18 is reasonably clear in the first two sub-sections that there are risks to sensitive information defined in the schema, these sub-sections point to helpful text in draft-ietf-scim. It is much improved over version 17. I have a couple of comments suggesting clarification be added to the document.
>>> 
>>> Section 9.3 begins by stating the schema “defines attributes that MAY contain personally identifiable information as well as other sensitive data”. I don’t understand the “MAY”. Just about every attribute described in this document is arguably personally identifiable information (PII), since transporting PII between services seems to be the actual need for development of the schema. It seems more accurate to say “defines attributes that contain personally identifiable information as well as other sensitive data”. (Also “MAY” is intended to declare a part of the standard that is optional for an implementation, and I don’t see how that could apply here.)
>> You are right. The 2119 MAY is probably not appropriate. How about 
>> “defines attributes that are sensitive and may be considered personally identifiable information(PII).”
>> 
>> I think that inverts the emphasis getting people to realize that almost all data is likely at least sensitive.
> 
> That’s a fine way to state it, thanks.

Thanks for this change.  I haven't gotten to this draft yet and agree this was needed.
> 
>>> 
>>> Section 4.1.1 defines the “password” attribute as a “clear text password”. It is much safer to store and pass a salted and hashed password. Do none of the services using this schema support a method of hashing a user password to see if it matches a given hashed value ? Or could this be an option in the scheme definition? If so, it would be worth describing that here and in the Security Considerations section.
>> 
>> This may be a question of document structure.  We could copy/move the salting/hashing requirements to the schema definition. However, my thinking was the salting/hashing is not part of the protocol - thus should not be in the core spec sections. My thinking was that salting/hashing is really a security consideration for the implementer since it is a practical consideration of “using" the protocol.
>> 
>> I’m not sure what you mean by “pass a salted and hashed password” (may be I am mis-reading your intent). That would seem to be something to say must not be done since it implies multiple servers having a common salt/hash.  In LDAP, even replication passes the clear text but the servers only store replica unique salted hashes.
> 
> The distinction I’m making is the difference between a  clear text password (e.g., "t1meMa$heen”) and a hashed version of the password, which although still sensitive is considered to be safer. My hope would be for the schema to represent  both forms of passwords, because it would be a significant improvement in security. If this is the case, then it would be good to describe the use of the hashed password wherever you feel makes the most sense. If this is not the case, it would be worth mentioning in Security Considerations that hashed passwords are not supported, because the omission is likely to be surprising to some readers.

Yes, please do update this in this draft or include the warning.

Thanks,
Kathleen
> 
> Thanks,
> Brian 
> 
>> 
>>> 
>>> Brian
> 
> -- 
> Brian Weis
> Security, CSG, Cisco Systems
> Telephone: +1 408 526 4796
> Email: bew@cisco.com
>

v2.23.0 | Report a Bug | By Email