[secdir] Security review of draft-hodges-webauthn-registries-05

Hilarie Orman <hilarie@purplestreak.com> Tue, 28 April 2020 04:44 UTC

Return-Path: <hilarie@purplestreak.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9005A3A08FD; Mon, 27 Apr 2020 21:44:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id a4JZJmtQHvxJ; Mon, 27 Apr 2020 21:44:24 -0700 (PDT)
Received: from out03.mta.xmission.com (out03.mta.xmission.com [166.70.13.233]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 19DBC3A08FC; Mon, 27 Apr 2020 21:44:24 -0700 (PDT)
Received: from in01.mta.xmission.com ([166.70.13.51]) by out03.mta.xmission.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from <hilarie@purplestreak.com>) id 1jTI6Y-0002Ip-St; Mon, 27 Apr 2020 22:44:23 -0600
Received: from [166.70.232.207] (helo=rumpleteazer.rhmr.com) by in01.mta.xmission.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.87) (envelope-from <hilarie@purplestreak.com>) id 1jTI6X-0003Zt-Nq; Mon, 27 Apr 2020 22:44:22 -0600
Received: from rumpleteazer.rhmr.com (localhost [127.0.0.1]) by rumpleteazer.rhmr.com (8.14.4/8.14.4/Debian-4.1ubuntu1) with ESMTP id 03S4fn2U001199; Mon, 27 Apr 2020 22:41:49 -0600
Received: (from hilarie@localhost) by rumpleteazer.rhmr.com (8.14.4/8.14.4/Submit) id 03S4fnUE001193; Mon, 27 Apr 2020 22:41:49 -0600
Date: Mon, 27 Apr 2020 22:41:49 -0600
Message-Id: <202004280441.03S4fnUE001193@rumpleteazer.rhmr.com>
From: Hilarie Orman <hilarie@purplestreak.com>
Reply-To: Hilarie Orman <hilarie@purplestreak.com>
To: iesg@ietf.org, secdir@ietf.org
Cc: draft-hodges-webauthn-registries.all@ietf.org
X-XM-SPF: eid=1jTI6X-0003Zt-Nq; ; ; mid=<202004280441.03S4fnUE001193@rumpleteazer.rhmr.com>; ; ; hst=in01.mta.xmission.com; ; ; ip=166.70.232.207; ; ; frm=hilarie@purplestreak.com; ; ; spf=none
X-XM-AID: U2FsdGVkX1/dqlDtCArYPnlN9dl2BXmH
X-SA-Exim-Connect-IP: 166.70.232.207
X-SA-Exim-Mail-From: hilarie@purplestreak.com
X-Spam-DCC: XMission; sa06 1397; Body=1 Fuz1=1 Fuz2=1
X-Spam-Combo: ****;iesg@ietf.org, secdir@ietf.org
X-Spam-Relay-Country:
X-Spam-Timing: total 916 ms - load_scoreonly_sql: 0.04 (0.0%), signal_user_changed: 12 (1.3%), b_tie_ro: 10 (1.1%), parse: 0.88 (0.1%), extract_message_metadata: 13 (1.5%), get_uri_detail_list: 1.60 (0.2%), tests_pri_-1000: 3.6 (0.4%), tests_pri_-950: 1.20 (0.1%), tests_pri_-900: 0.98 (0.1%), tests_pri_-90: 512 (56.0%), check_bayes: 500 (54.6%), b_tokenize: 4.9 (0.5%), b_tok_get_all: 314 (34.3%), b_comp_prob: 2.3 (0.2%), b_tok_touch_all: 175 (19.1%), b_finish: 1.07 (0.1%), tests_pri_0: 358 (39.1%), check_dkim_signature: 0.45 (0.0%), check_dkim_adsp: 74 (8.0%), poll_dns_idle: 70 (7.7%), tests_pri_10: 3.1 (0.3%), tests_pri_500: 8 (0.9%), rewrite_mail: 0.00 (0.0%)
X-SA-Exim-Version: 4.2.1 (built Thu, 05 May 2016 13:38:54 -0600)
X-SA-Exim-Scanned: Yes (on in01.mta.xmission.com)
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/BXYjOA0lZe5T8kRJm1A3S4mvsV8>
Subject: [secdir] Security review of draft-hodges-webauthn-registries-05
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Apr 2020 04:44:26 -0000

       Security review of Registries for Web Authentication
      	       draft-hodges-webauthn-registries-05

Do not be alarmed.  I generated this review of this document as part
of the security directorate's ongoing effort to review all IETF
documents being processed by the IESG.  These comments were written
with the intent of improving security requirements and considerations
in IETF drafts.  Comments not addressed in last call may be included
in AD reviews during the IESG review.  Document editors and WG chairs
should treat these comments just like any other last call comments.

This document establishes two registries required for the W3C Web
Authentication system.  The registries are for the WebAuthn
Attestation Statement Format Identifier and the WebAuthn Extension
Identifier.

When submitted, these entries must be approved by an "expert" based on
the specification that defines the parameters of the entry.  This
includes "security considerations", which is good.  I don't quite see
how submission of a request for a new entry gets routed to an expert,
how experts come into being, etc., but I suppose that is a W3C
procedure.

A couple of nits.

This url is listed twice in the URIs:
https://www.iana.org/assignments/webauthn
but it does not exist.  I expected at least a TBD message, unless the
address itself is a placeholder.

In 2.1
"The Experts(s) MAY also designate attestation
   statement formats as proprietary if they lack complete
   specifications, and will assign a prefix indicating as such to the
   identifier."  
It is not clear what the format of that prefix is or how indicates
"as such".  Is that an indication that it is proprietary or (and?)
that it is incomplete?

Hilarie