[secdir] Security Directorate Review of draft-turner-clearancesponsor-attribute
Dave Cridland <dave.cridland@isode.com> Mon, 10 August 2009 20:53 UTC
Return-Path: <dave.cridland@isode.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 78C793A68BF; Mon, 10 Aug 2009 13:53:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kHJmhk09s+CR; Mon, 10 Aug 2009 13:53:36 -0700 (PDT)
Received: from rufus.isode.com (rufus.isode.com [62.3.217.251]) by core3.amsl.com (Postfix) with ESMTP id 6E6F63A62C1; Mon, 10 Aug 2009 13:53:36 -0700 (PDT)
Received: from puncture ((unknown) [217.155.137.60]) by rufus.isode.com (submission channel) via TCP with ESMTPSA id <SoCIwwB9YTG4@rufus.isode.com>; Mon, 10 Aug 2009 21:53:23 +0100
X-SMTP-Protocol-Errors: NORDNS
Message-Id: <8048.1249937599.500468@puncture>
Date: Mon, 10 Aug 2009 21:53:19 +0100
From: Dave Cridland <dave.cridland@isode.com>
To: Security Area Directorate <secdir@ietf.org>, The IESG <iesg@ietf.org>, draft-turner-clearancesponsor-attribute@tools.ietf.org
MIME-Version: 1.0
Content-Type: text/plain; delsp="yes"; charset="us-ascii"; format="flowed"
Subject: [secdir] Security Directorate Review of draft-turner-clearancesponsor-attribute
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Aug 2009 20:53:37 -0000
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. (I would note for the record that I roped in Kurt Zeilenga to check certain issues, but I nevertheless take full credit for any errors). This is a straighforward definition of an attribute suitable for X.509 certificates (either public key or attribute) or X.500/LDAP directory entries which carries the name of the clearance sponsor, that is, the entity which initiated and maintains the assignment of the clearance. I note that recent cases where a DirectoryName has been used with X.509 for authentication - in particular usage of the CommonName of the Subject Name - have been subjected to attacks using embedded NULs. Whilst presumably using the correct equality matching rule prevents this, it'd be nice to see that called out. (If the equality matching rule does not prevent this case, that's obviously more serious). Mandating that NUL is not a valid codepoint in this attribute would probably be useful, too. General notes: It's not entirely clear to me why one would want to consider this as part of an authorization check, unless one was attempting to match the name of the sponsor against a list of "known good" sponsors - that is, if a sponsor was subsequently revoked as a whole as being a suitable sponsor, one might want the sponsored clearances to be pulled as well. (It might be useful to note *why* one might want to do this, within the draft). However, it occurs to me that this kind of matching might be better done against an OID, such as one from the Enterprise arc, rather than a simple string, which might prove to be subject to human foibles. Dave. --
- [secdir] Security Directorate Review of draft-tur… Dave Cridland
- Re: [secdir] Security Directorate Review of draft… Sean Turner
- Re: [secdir] Security Directorate Review of draft… Kurt Zeilenga