Re: [secdir] secdir review of draft-ietf-appsawg-xdash-03
Peter Saint-Andre <stpeter@stpeter.im> Mon, 12 March 2012 16:38 UTC
Return-Path: <stpeter@stpeter.im>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2FE0921E8012; Mon, 12 Mar 2012 09:38:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.723
X-Spam-Level:
X-Spam-Status: No, score=-102.723 tagged_above=-999 required=5 tests=[AWL=-0.124, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jJPSEulit6Md; Mon, 12 Mar 2012 09:38:26 -0700 (PDT)
Received: from stpeter.im (mailhost.stpeter.im [207.210.219.225]) by ietfa.amsl.com (Postfix) with ESMTP id E6DA421E800E; Mon, 12 Mar 2012 09:38:25 -0700 (PDT)
Received: from dhcp-64-101-72-193.cisco.com (unknown [64.101.72.193]) (Authenticated sender: stpeter) by stpeter.im (Postfix) with ESMTPSA id 405ED40058; Mon, 12 Mar 2012 10:50:41 -0600 (MDT)
Message-ID: <4F5E267F.8070602@stpeter.im>
Date: Mon, 12 Mar 2012 10:38:23 -0600
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.5; rv:10.0.2) Gecko/20120216 Thunderbird/10.0.2
MIME-Version: 1.0
To: "Scott G. Kelly" <scott@hyperthought.com>
References: <1331296960.23996089@apps.rackspace.com>
In-Reply-To: <1331296960.23996089@apps.rackspace.com>
X-Enigmail-Version: 1.3.5
OpenPGP: url=https://stpeter.im/stpeter.asc
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Cc: draft-ietf-appsawg-xdash.all@tools.ietf.org, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] secdir review of draft-ietf-appsawg-xdash-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Mar 2012 16:38:27 -0000
On 3/9/12 5:42 AM, Scott G. Kelly wrote: > I have reviewed this document as part of the security directorate's > ongoing effort to review all IETF documents being processed by the > IESG. These comments were written primarily for the benefit of the > security area directors. Document editors and WG chairs should treat > these comments just like any other last call comments. > > This document deprecates the use of the "X-" prefix in application > protocols (e.g. HTTP). The security considerations section says that > issues with security-critical parameters can result in unnecessary > vulnerabilities, and points the reader to an appendix for further > discussion. The appendix says > > "Furthermore, often standardization of a non-standard parameter or > protocol element leads to subtly different behavior (e.g., the > standard version might have different security properties as a > result of security review provided during the standardization > process). If implementers treat the old, non-standard parameter and > the new, standard parameter as equivalent, interoperability and > security problems can ensue." > > I agree with the part about interoperability issues, but I think the > security discussion is a bit more nuanced. In general, > unauthenticated header fields are not reliable, and for this reason, > it should not matter whether there is an X- prefix or not: you should > not be basing security decisions on this. > > I can see where some parameters might *relate* to security somehow, > but it seems that the associated data would be self-contained in > terms of its security properties, in the same way that, e.g., an > encapsulated CMS payload is self-contained. > > In such cases, it is true that there would be interop issues if the > receiver mis-interpreted the payload, but in no event should the > receiver be trusting something just because it has (or does not have) > the X- prefix. > > I think this is very subtle, and after trying to compose a simple > email I can see that it gets complex very quickly, so I don't want to > rush into a rathole here. Still, I wonder if the security > considerations should make the point that presence or lack of an X- > prefix must not be relied upon for security decisions. Hi Scott, I see your point, but it's not clear to me that this document is the place to make a general statement about secure handling of application parameters. Further, not all parameters are header fields, so this is not a matter of headers vs. payloads. However, I do think there's an issue here, so I will think about it more today and perhaps reply again. Peter -- Peter Saint-Andre https://stpeter.im/
- [secdir] secdir review of draft-ietf-appsawg-xdas… Scott G. Kelly
- Re: [secdir] secdir review of draft-ietf-appsawg-… Peter Saint-Andre
- Re: [secdir] secdir review of draft-ietf-appsawg-… Peter Saint-Andre
- Re: [secdir] secdir review of draft-ietf-appsawg-… Peter Saint-Andre