Re: [secdir] SECDIR review of draft-ietf-weirds-json-response-10

Andy Newton <andy@arin.net> Mon, 27 October 2014 22:57 UTC

From: Andy Newton <andy@arin.net>
To: Chris Inacio <inacio@cert.org>, "secdir@ietf.org" <secdir@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, "draft-ietf-weirds-json-response.all@tools.ietf.org" <draft-ietf-weirds-json-response.all@tools.ietf.org>

Thanks for the review Chris. Comments are in-line...

On 10/26/14, 10:25 PM, "Chris Inacio" <inacio@cert.org> wrote:

>My only concern about the security considerations section is related to
>self-references necessary in the responses to cache results.  Is it
>possible to create a poisoned cache based on the self-reference?  What
>should a client do in order to protect itself from such an attack.

Yes, I guess cache poisoning is possible. Good catch!

I plan to add the following paragraph to Section 5 where caching is
described:

  Clients using "self" links for caching SHOULD not cache any object
  class instances where the authority of the self link is different
  than the authority of the server returning the data. Failing to do
  so might result in cache poisoning.

-andy
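
One way a client could apply the check in the proposed paragraph, shown as an added example that is not part of the original message or of the draft. Treating the authority as lowercased host plus effective port is an assumption, and the sample response and host names are constructed.

```python
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def authority(url):
    """Return (host, port): host lowercased, scheme default port filled in."""
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS.get(parts.scheme)

def self_links(obj):
    """Yield the href of every rel="self" link carried by one object."""
    for link in obj.get("links", []):
        if isinstance(link, dict) and link.get("rel") == "self" and "href" in link:
            yield link["href"]

def cacheable_objects(response, server_url):
    """Walk a parsed response; return {self_url: object} for objects whose
    self link has the same authority as the server that returned the data."""
    safe, stack = {}, [response]
    while stack:
        node = stack.pop()
        if isinstance(node, list):
            stack.extend(node)
        elif isinstance(node, dict):
            for href in self_links(node):
                absolute = urljoin(server_url, href)  # resolves relative hrefs
                if authority(absolute) == authority(server_url):
                    safe[absolute] = node
                # else: authority differs, so the object is never cached
            stack.extend(v for k, v in node.items() if k != "links")
    return safe

# Constructed sample: a response fetched from SERVER with two nested entities,
# one of which claims a self link under a different authority.
SERVER = "https://rdap.example.net/domain/example.com"
RESPONSE = {
    "handle": "EXAMPLE-COM",
    "links": [{"rel": "self", "href": "https://RDAP.example.net:443/domain/example.com"}],
    "entities": [
        {"handle": "GOOD-1", "links": [{"rel": "self", "href": "/entity/GOOD-1"}]},
        {"handle": "OTHER-1",
         "links": [{"rel": "self", "href": "https://rdap.other.example/entity/OTHER-1"}]},
    ],
}

if __name__ == "__main__":
    for url, obj in sorted(cacheable_objects(RESPONSE, SERVER).items()):
        print("cache", url, "->", obj["handle"])
```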