Re: [secdir] secdir review of draft-nottingham-http-link-header

Sean Turner <turners@ieca.com> Sun, 18 April 2010 18:45 UTC

Return-Path: <turners@ieca.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5A87F28C140 for <secdir@core3.amsl.com>; Sun, 18 Apr 2010 11:45:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.915
X-Spam-Level:
X-Spam-Status: No, score=-0.915 tagged_above=-999 required=5 tests=[AWL=-0.917, BAYES_50=0.001, UNPARSEABLE_RELAY=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OfZNNE2oV+5B for <secdir@core3.amsl.com>; Sun, 18 Apr 2010 11:45:57 -0700 (PDT)
Received: from smtp115.biz.mail.re2.yahoo.com (smtp115.biz.mail.re2.yahoo.com [66.196.116.35]) by core3.amsl.com (Postfix) with SMTP id C0B6C3A6B9F for <secdir@ietf.org>; Sun, 18 Apr 2010 11:45:53 -0700 (PDT)
Received: (qmail 36853 invoked from network); 18 Apr 2010 18:45:40 -0000
Received: from thunderfish.local (turners@96.231.123.45 with plain) by smtp115.biz.mail.re2.yahoo.com with SMTP; 18 Apr 2010 11:45:40 -0700 PDT
X-Yahoo-SMTP: ZrP3VLSswBDL75pF8ymZHDSu9B.vcMfDPgLJ
X-YMail-OSG: ORw5JXIVM1mFDrcf0koraq9yuEjndpP7KoQie3YNczXoPAlXVhIXa4vlVbnamhvZ3JxyDKvJDHfHVruB2dKnUheEnghdiKbYLbu0VX4jhyj_m8pwS.IYPM6RAzLjTrX7Injrvi.au8.ToyTBk0hjSS8Ix.gQSWIsDjulYfOUntDluHaNl5.ixaBXny_1cdN.g8XYAYqK74bIsTXXX36YbIzS1r2NK5X.p7smVgRQ.Czf4pmhkHYHzAEnbqvMBShJFsJ6SCOgA3mOMaf7nbtJ0Qe9D2U.lnf4gXXeyRar1AGbMizcjPwdGEmmjqn9cV8zVpi0gzmSrOV_QYki2uusN_Aik2Kos3v5Izw3wMuvQCcHmznPC9sfU1J._K.unNspp2ygQpqPyP5Szgm42KEXShP5yYYHELbXwH42xPD4h_46NVuyzSuF36TqE2a3wEBnaMAnSlgCtd6iipfbguJw6x.dhR2Wn3xw
X-Yahoo-Newman-Property: ymail-3
Message-ID: <4BCB5353.902@ieca.com>
Date: Sun, 18 Apr 2010 14:45:39 -0400
From: Sean Turner <turners@ieca.com>
User-Agent: Thunderbird 2.0.0.24 (Macintosh/20100228)
MIME-Version: 1.0
To: Mark Nottingham <mnot@mnot.net>
References: <4A7161C0.4040007@ieca.com> <6E228B34-B441-404E-8DDD-8CE46CEAED5E@mnot.net>
In-Reply-To: <6E228B34-B441-404E-8DDD-8CE46CEAED5E@mnot.net>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: draft-nottingham-http-link-header@tools.ietf.org, "Julian F. F. Reschke" <julian.reschke@gmx.de>, secdir <secdir@ietf.org>
Subject: Re: [secdir] secdir review of draft-nottingham-http-link-header
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 18 Apr 2010 18:45:58 -0000

I pretty much full on dropped the ball on this.

What I was hoping to see was some text that points to a mechanism that 
can be used to secure the Link header-entity field.

Also, (I stole these from RFC4287) I think you should point to security 
considerations of "stuff" used in this ID like IRIs, URIs, and HTTP 
headers.  Something like:

The Link entity-header field makes extensive use of IRIs and URIs.  See 
[RFC3987] for security considerations relating to IRIs.  See [RFC3987] 
for security considerations relating to URIs.   See [RFC2616] for 
security considerations relating to HTTP headers.

spt

Mark Nottingham wrote:
> Thanks, Sean.
> 
> I'm not sure how to incorporate your suggestion into the document; did 
> you have specific mechanisms in mind, and/or specific placement in the 
> draft?
> 
> Cheers,
> 
> 
> On 30/07/2009, at 7:02 PM, Sean Turner wrote:
> 
>> I have reviewed this document as part of the security directorate's 
>> ongoing effort to review all IETF documents being processed by the 
>> IESG.  These comments were written primarily for the benefit of the 
>> security area directors.  Document editors and WG chairs should treat 
>> these comments just like any other last call comments.
>>
>> Document: draft-nottingham-http-link-header-06.txt
>> Reviewer: Sean Turner
>> Review Date: 2009-07-30
>> IETF LC End Date: 2009-08-11
>> IESG Telechat date: N/A
>>
>> Summary: This document specifies relation types for Web links, and 
>> defines a registry for them.  It also defines how to send such links 
>> in HTTP headers with the Link header-field.
>>
>> Comments: The security considerations are pretty clear: the content of 
>> the fields aren't secured in any way. I think some text should be 
>> added that says something like "[Mechanism XYZ] can be combined with 
>> [protocol ABC] to provide the following security service: 1, 2, 3."
>>
>> spt
> 
> 
> -- 
> Mark Nottingham     http://www.mnot.net/
> 
>