Re: [secdir] SECDIR review of draft-ietf-jcardcal-jcard-05

Pete Resnick <> Wed, 17 July 2013 20:24 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id DEC6121F9A4A for <>; Wed, 17 Jul 2013 13:24:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[AWL=-0.001, BAYES_00=-2.599, HTML_MESSAGE=0.001, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id uZiLf59uQkR4 for <>; Wed, 17 Jul 2013 13:24:36 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 029FF21F99E9 for <>; Wed, 17 Jul 2013 13:24:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;;; q=dns/txt; s=qcdkim; t=1374092675; x=1405628675; h=message-id:date:from:mime-version:to:cc:subject: references:in-reply-to; bh=h0+Fp2dxw9KWd7ZUE2BM2o9G5Jx4pD/jTChzLBTPGgg=; b=TJO3pAycxy24unbm2XazahQLs32gk7K3B9Ia6NI9AR7NG3HKfrcb5ihI PiQXS1cIMoMukbQIw/hZyGjxHqNMlQEeerZnFP7JC7BBJvCvmxAQHXQa1 dhQof+YImAL556XPV/H4UVvGrDSzoxCJihHx4svK2R+UajpQAvEq3OPWm I=;
X-IronPort-AV: E=Sophos; i="4.89,687,1367996400"; d="scan'208,217"; a="47588867"
Received: from ([]) by with ESMTP; 17 Jul 2013 13:24:35 -0700
X-IronPort-AV: E=Sophos; i="4.89,687,1367996400"; d="scan'208,217"; a="516139921"
Received: from ([]) by with ESMTP/TLS/RC4-SHA; 17 Jul 2013 13:24:35 -0700
Received: from ( by ( with Microsoft SMTP Server (TLS) id 14.2.318.4; Wed, 17 Jul 2013 13:24:34 -0700
Message-ID: <>
Date: Wed, 17 Jul 2013 15:24:30 -0500
From: Pete Resnick <>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.7; en-US; rv: Gecko/20100630 Eudora/3.0.4
MIME-Version: 1.0
To: Stephen Kent <>
References: <>
In-Reply-To: <>
Content-Type: multipart/alternative; boundary="------------070906010709060407090704"
X-Originating-IP: []
X-Mailman-Approved-At: Wed, 17 Jul 2013 13:31:12 -0700
Cc:, Barry Leiba <>,,, secdir <>
Subject: Re: [secdir] SECDIR review of draft-ietf-jcardcal-jcard-05
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 17 Jul 2013 20:24:41 -0000


Are you OK with us forwarding this to the jcardcal mailing list? I think 
the entire list would benefit by seeing it.

You are correct that references to "calendar data" in section 7 are 
bogus. It should refer to "contact" or simply "vCard" data. Clearly all 
of us have been standing too close to the document.

Thanks for your comments. We will address them in the document.


On 7/17/13 3:15 PM, Stephen Kent wrote:
> SECDIR review of draft-ietf-jcardcal-jcard-05
> I reviewed this document as part of the security directorate's ongoing 
> effort to review all IETF documents being processed by the IESG. These 
> comments were written primarily for the benefit of the security area 
> directors. Document editors and WG chairs should treat these comments 
> just like any other last call comments.
> This document describes a JSON format for vCard data, as previously 
> defined in RFC 6350.
> This document cites the Security Considerations section of original 
> vCard RFC (noted above) as the primary content for its Security 
> Considerations section. It asserts that no new security concerns arise 
> with respect to _calendar data_, because this specification merely 
> maps the original vCard data to a new format. However, it then cites 
> the Security Considerations section of the JSON specification (RFC 
> 4627) noting that there are additional security risks that arise from 
> using JSON to represent vCard data! To me these two statements seem 
> somewhat contradictory, but that can be addressed by refining the 
> wording here.
> More worrisome is the fact that this very brief section mentions only 
> calendar data security. Does that mean that no other type of vCard 
> use, when using JSON encoding, creates any new security concerns? This 
> document is much broader in scope than just iCal data (the subject of 
> draft-ietf-jcardcal-jcal-07), so this narrowly focused comment seems 
> out of place.
> RFC 6350's Security Considerations section notes few concerns that are 
> Vcard-specific; most of the comments in that section relate to the 
> need to provide security for vCards when they are transported, e.g., 
> via email. All of these concerns are equally applicable here, as 
> indicated, without the calendar data comment.
> RFC 4627's security considerations section turns out to be an indirect 
> reference to two paragraphs in the IANA Considerations section! (This 
> seems silly and it's not clear why that document was published with 
> such an obvious structural error, but ...). The security concern cited 
> in 4627 is that JavaScript (JS) is a scripting language and thus JSON 
> might be used to execute malicious JS. However JSON is intended to be 
> a "safe" subset of JS, i.e., it should be able to be evaluated in JS 
> without security concerns, if it is properly constrained. The text in 
> 4627 provides two regular expressions that can be invoked to strip any 
> characters that might cause security problems. I'd feel a lot more 
> comfortable if this text were explicitly replicated in this I-D, and 
> the I-D _mandated_ this processing step before passing the Jcard data 
> to JS. (It might even make sense as a post processing step as part of 
> the vCard to JCard processing described in Section 3.) The level of 
> indirection currently used in the Security Considerations section, and 
> the casual advisory nature of the original text might easily be 
> overlooked by an implementer.
> Finally, the notion of JSON as "safe" JS subset assumes that the 
> parser processing the JSON does not have a security flaw. Such flaws 
> have been identified, one as recently as February of this year. It 
> might be good to note that this represents a new type of security 
> concern that would not arise in a conventional vCard context.

Pete Resnick<>
Qualcomm Technologies, Inc. - +1 (858)651-4478