[secdir] secdir review of draft-ietf-appsawg-xdash-03
"Scott G. Kelly" <scott@hyperthought.com> Fri, 09 March 2012 12:42 UTC
Return-Path: <scott@hyperthought.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F0E6A21F8655 for <secdir@ietfa.amsl.com>; Fri, 9 Mar 2012 04:42:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JbbQ9gsaSjqI for <secdir@ietfa.amsl.com>; Fri, 9 Mar 2012 04:42:41 -0800 (PST)
Received: from smtp112.iad.emailsrvr.com (smtp112.iad.emailsrvr.com [207.97.245.112]) by ietfa.amsl.com (Postfix) with ESMTP id 49B9A21F864B for <secdir@ietf.org>; Fri, 9 Mar 2012 04:42:41 -0800 (PST)
Received: from localhost (localhost.localdomain [127.0.0.1]) by smtp51.relay.iad1a.emailsrvr.com (SMTP Server) with ESMTP id 8FC6E2043D; Fri, 9 Mar 2012 07:42:40 -0500 (EST)
X-Virus-Scanned: OK
Received: from dynamic9.wm-web.iad.mlsrvr.com (legacy7.wa-web.iad1a.rsapps.net [192.168.2.216]) by smtp51.relay.iad1a.emailsrvr.com (SMTP Server) with ESMTP id 6A51A20437; Fri, 9 Mar 2012 07:42:40 -0500 (EST)
Received: from hyperthought.com (localhost [127.0.0.1]) by dynamic9.wm-web.iad.mlsrvr.com (Postfix) with ESMTP id 3AE263200AF; Fri, 9 Mar 2012 07:42:40 -0500 (EST)
Received: by apps.rackspace.com (Authenticated sender: scott@hyperthought.com, from: scott@hyperthought.com) with HTTP; Fri, 9 Mar 2012 04:42:40 -0800 (PST)
Date: Fri, 09 Mar 2012 04:42:40 -0800
From: "Scott G. Kelly" <scott@hyperthought.com>
To: draft-ietf-appsawg-xdash.all@tools.ietf.org, "secdir@ietf.org" <secdir@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Importance: Normal
X-Priority: 3 (Normal)
X-Type: plain
Message-ID: <1331296960.23996089@apps.rackspace.com>
X-Mailer: webmail7.0
Subject: [secdir] secdir review of draft-ietf-appsawg-xdash-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Mar 2012 12:42:42 -0000
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. This document deprecates the use of the "X-" prefix in application protocols (e.g. HTTP). The security considerations section says that issues with security-critical parameters can result in unnecessary vulnerabilities, and points the reader to an appendix for further discussion. The appendix says "Furthermore, often standardization of a non-standard parameter or protocol element leads to subtly different behavior (e.g., the standard version might have different security properties as a result of security review provided during the standardization process). If implementers treat the old, non-standard parameter and the new, standard parameter as equivalent, interoperability and security problems can ensue." I agree with the part about interoperability issues, but I think the security discussion is a bit more nuanced. In general, unauthenticated header fields are not reliable, and for this reason, it should not matter whether there is an X- prefix or not: you should not be basing security decisions on this. I can see where some parameters might *relate* to security somehow, but it seems that the associated data would be self-contained in terms of its security properties, in the same way that, e.g., an encapsulated CMS payload is self-contained. In such cases, it is true that there would be interop issues if the receiver mis-interpreted the payload, but in no event should the receiver be trusting something just because it has (or does not have) the X- prefix. I think this is very subtle, and after trying to compose a simple email I can see that it gets complex very quickly, so I don't want to rush into a rathole here. Still, I wonder if the security considerations should make the point that presence or lack of an X- prefix must not be relied upon for security decisions. --Scott
- [secdir] secdir review of draft-ietf-appsawg-xdas… Scott G. Kelly
- Re: [secdir] secdir review of draft-ietf-appsawg-… Peter Saint-Andre
- Re: [secdir] secdir review of draft-ietf-appsawg-… Peter Saint-Andre
- Re: [secdir] secdir review of draft-ietf-appsawg-… Peter Saint-Andre