[secdir] SECDIR Review of draft-zeilenga-ldap-dontusecopy-08

Phillip Hallam-Baker <hallam@gmail.com> Thu, 07 October 2010 00:42 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost []) by core3.amsl.com (Postfix) with ESMTP id E597D3A7015; Wed, 6 Oct 2010 17:42:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.397
X-Spam-Status: No, score=-2.397 tagged_above=-999 required=5 tests=[AWL=0.201, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([]) by localhost (core3.amsl.com []) (amavisd-new, port 10024) with ESMTP id Zt1hiaDhdvUU; Wed, 6 Oct 2010 17:42:33 -0700 (PDT)
Received: from mail-ww0-f44.google.com (mail-ww0-f44.google.com []) by core3.amsl.com (Postfix) with ESMTP id 0543A3A6EB3; Wed, 6 Oct 2010 17:42:31 -0700 (PDT)
Received: by wwj40 with SMTP id 40so143677wwj.13 for <multiple recipients>; Wed, 06 Oct 2010 17:43:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:received:date:message-id :subject:from:to:content-type; bh=6oluo8mEUCOg46O90oBTlK0LgvM2qsKzVrlytsRAWyQ=; b=t20vu5mpCioBetpElSt5FY61DAlE9x4BTuzO2hOPAtyRO5z4+pUpK1iWTuDTlrZ8Sx 6tgN1qwTUlGLs/MniCKt8w5IoIa2v49aw0fJrQ2HyppLOL08I0vBv5iIh95qM2qNtmbR rovJuCYcY5QtPiQscUe9s/n7tgmCLO4fGgj70=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:date:message-id:subject:from:to:content-type; b=dpYlaMBajTpp5/XIYtVp686U/Osp+a6C3r9jXyzQfvzpgWg8wPBt4+FHqXdU1UrqjN mwezfRmjbcBB7nUeXqhvu1lLwcYH5Gd+058i5UTPHPt3ljBAGKvhrCuHB5VPbckiKmfc PaxeSVTa1no+mvS8P/1aFVKTAzvnGpNKz0l9o=
MIME-Version: 1.0
Received: by with SMTP id w57mr1572015wem.19.1286412192266; Wed, 06 Oct 2010 17:43:12 -0700 (PDT)
Received: by with HTTP; Wed, 6 Oct 2010 17:43:12 -0700 (PDT)
Date: Wed, 06 Oct 2010 20:43:12 -0400
Message-ID: <AANLkTi=MGYU+9WrYgq2aa47cnZ_+2aP0vBODKcPsbsxy@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: secdir@ietf.org, iesg@ietf.org, Kurt.Zeilenga@Isode.COM
Content-Type: multipart/alternative; boundary="001485f1e2e8c13a4d0491fc2d56"
Subject: [secdir] SECDIR Review of draft-zeilenga-ldap-dontusecopy-08
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Oct 2010 00:42:35 -0000

I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG.  These
comments were written primarily for the benefit of the security area
directors.  Document editors and WG chairs should treat these comments just
like any other last call comments.

This document describes what is essentially a 'send original, not cached
flag' for LDAP.

Only security issue I can see here is that the following does not give the
purpose very clearly.

4.  Security Considerations

  This control is intended to be provided where providing service using
  copied information might lead to unexpected application behavior.
  Designers of directory applications should consider where it is
  appropriate for clients to provide this control.  Designers should
  consider whether use of copied information, in particular security and
  policy information, may result insecure behavior.

I would suggest the following instead

4.  Security Considerations

  This control is intended to be provided where providing service using
  copied information might lead to unexpected application behavior.

  Use of the Don't Use Copy control may permit an attacker to perform
  or amplify a Denial of Service attack by causing additional server
  resources to be employed.

  LDAP is frequently used for storage and distribution of security
  sensitive information, including access control and security policy
  information. Failure to use the Don't Use Copy control may thus
  permit an attacker to gain unauthorized access by allowing reliance
  on stale data.

The meaning is unchanged, but the additional context might help the reader.

Website: http://hallambaker.com/