Re: [secdir] Secdir review of draft-ietf-scim-core-schema-18
"Brian Weis (bew)" <bew@cisco.com> Mon, 04 May 2015 19:26 UTC
Return-Path: <bew@cisco.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A07AD1ACE92; Mon, 4 May 2015 12:26:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.511
X-Spam-Level:
X-Spam-Status: No, score=-14.511 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kkJIL6ixTCi8; Mon, 4 May 2015 12:26:57 -0700 (PDT)
Received: from rcdn-iport-5.cisco.com (rcdn-iport-5.cisco.com [173.37.86.76]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BF98B1ACE91; Mon, 4 May 2015 12:26:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=4685; q=dns/txt; s=iport; t=1430767618; x=1431977218; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=QX4zk6aEeB5K9MSLhlXyHRic80Jz4RqjyqDFbmbxLqU=; b=J2FO5MAc+iBkK8A9EMNaGkiJfuCvxJEg5WFgHhZ0ITO197c98P+01DRo z+jHelzzk0OQLLmdhGY6btNZ63Caj0CfCTTcfe40G+oBU/RjiWH5QQ1H7 2k7+hYaD05x6txnZIKnLTLGxMDXtAgf+uX2WXLKPnPX4OUBV3uYruXzXI c=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0ALBQAOx0dV/5BdJa1TBgODDIEvBbcTljYCgTFMAQEBAQEBgQuEIAEBAQMBeQULAgEIGBgWMhMSAgQOBYgXAwkIxg8BAQEBAQEBAQEBAQEBAQEBAQEBAQEXizmCTYFVBwoBHiMQBxEHgn+BFgEEhTwKjEeJA4FPgSSOGoMOg1IjgWUhHYFRb4ELOYEBAQEB
X-IronPort-AV: E=Sophos;i="5.13,367,1427760000"; d="scan'208";a="416963010"
Received: from rcdn-core-8.cisco.com ([173.37.93.144]) by rcdn-iport-5.cisco.com with ESMTP; 04 May 2015 19:26:57 +0000
Received: from xhc-aln-x06.cisco.com (xhc-aln-x06.cisco.com [173.36.12.80]) by rcdn-core-8.cisco.com (8.14.5/8.14.5) with ESMTP id t44JQtaN006474 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Mon, 4 May 2015 19:26:55 GMT
Received: from xmb-aln-x04.cisco.com ([169.254.9.236]) by xhc-aln-x06.cisco.com ([173.36.12.80]) with mapi id 14.03.0195.001; Mon, 4 May 2015 14:26:55 -0500
From: "Brian Weis (bew)" <bew@cisco.com>
To: Phil Hunt <phil.hunt@yahoo.com>
Thread-Topic: Secdir review of draft-ietf-scim-core-schema-18
Thread-Index: AQHQhpFRcajFEh9bqUu5ZrnFZSPoL51se4mAgAALtAA=
Date: Mon, 04 May 2015 19:26:55 +0000
Message-ID: <5D457571-55CA-45D4-A9F4-9F1B8C96E6B4@cisco.com>
References: <97FFF87E-5CFC-42BB-90A8-29DBE30C7772@cisco.com> <53991217-3DC8-4A97-9FCC-93B632D3C878@yahoo.com>
In-Reply-To: <53991217-3DC8-4A97-9FCC-93B632D3C878@yahoo.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.32.244.211]
Content-Type: text/plain; charset="Windows-1252"
Content-ID: <B0B1051B4ABACE47BB217C732F934780@emea.cisco.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/GXwgDrsgBVYzsAZydHlmAgmJH8s>
Cc: "draft-ietf-scim-core-schema.all@tools.ietf.org" <draft-ietf-scim-core-schema.all@tools.ietf.org>, The IESG <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] Secdir review of draft-ietf-scim-core-schema-18
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 May 2015 19:26:58 -0000
Hi Phil, On May 4, 2015, at 11:45 AM, Phil Hunt <phil.hunt@yahoo.com> wrote: > Brian, > > Thanks for taking time to review both the recent documents. My proposed corrections inline… > > Phil > > phil.hunt@yahoo.com > >> On May 4, 2015, at 10:39 AM, Brian Weis (bew) <bew@cisco.com> wrote: >> >> I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. >> >> For the security area directions, I consider this document to be "Ready with nits”. >> >> This document documents resources a JSON scheme for Cross-Domain Identity Management, a standard definition of attributes representing users and groups, and a set of named schemas incorporating these attributes. The goal of the document is to make identity management in cloud based applications and services easier. This is used when identity information needs to be shared between services. >> >> The Security Considerations (Section 9) in version 18 is reasonably clear in the first two sub-sections that there are risks to sensitive information defined in the schema, these sub-sections point to helpful text in draft-ietf-scim. It is much improved over version 17. I have a couple of comments suggesting clarification be added to the document. >> >> Section 9.3 begins by stating the schema “defines attributes that MAY contain personally identifiable information as well as other sensitive data”. I don’t understand the “MAY”. Just about every attribute described in this document is arguably personally identifiable information (PII), since transporting PII between services seems to be the actual need for development of the schema. It seems more accurate to say “defines attributes that contain personally identifiable information as well as other sensitive data”. (Also “MAY” is intended to declare a part of the standard that is optional for an implementation, and I don’t see how that could apply here.) > You are right. The 2119 MAY is probably not appropriate. How about > “defines attributes that are sensitive and may be considered personally identifiable information(PII).” > > I think that inverts the emphasis getting people to realize that almost all data is likely at least sensitive. That’s a fine way to state it, thanks. >> >> Section 4.1.1 defines the “password” attribute as a “clear text password”. It is much safer to store and pass a salted and hashed password. Do none of the services using this schema support a method of hashing a user password to see if it matches a given hashed value ? Or could this be an option in the scheme definition? If so, it would be worth describing that here and in the Security Considerations section. > > This may be a question of document structure. We could copy/move the salting/hashing requirements to the schema definition. However, my thinking was the salting/hashing is not part of the protocol - thus should not be in the core spec sections. My thinking was that salting/hashing is really a security consideration for the implementer since it is a practical consideration of “using" the protocol. > > I’m not sure what you mean by “pass a salted and hashed password” (may be I am mis-reading your intent). That would seem to be something to say must not be done since it implies multiple servers having a common salt/hash. In LDAP, even replication passes the clear text but the servers only store replica unique salted hashes. The distinction I’m making is the difference between a clear text password (e.g., "t1meMa$heen”) and a hashed version of the password, which although still sensitive is considered to be safer. My hope would be for the schema to represent both forms of passwords, because it would be a significant improvement in security. If this is the case, then it would be good to describe the use of the hashed password wherever you feel makes the most sense. If this is not the case, it would be worth mentioning in Security Considerations that hashed passwords are not supported, because the omission is likely to be surprising to some readers. Thanks, Brian > >> >> Brian -- Brian Weis Security, CSG, Cisco Systems Telephone: +1 408 526 4796 Email: bew@cisco.com
- [secdir] Secdir review of draft-ietf-scim-core-sc… Brian Weis (bew)
- Re: [secdir] Secdir review of draft-ietf-scim-cor… Brian Weis (bew)
- Re: [secdir] Secdir review of draft-ietf-scim-cor… Brian Weis (bew)
- Re: [secdir] Secdir review of draft-ietf-scim-cor… Kathleen Moriarty
- [secdir] Secdir review of draft-hallambaker-tlsfe… Tina TSOU
- Re: [secdir] Secdir review of draft-ietf-scim-cor… Phil Hunt
- Re: [secdir] Secdir review of draft-ietf-scim-cor… Phil Hunt