[secdir] Secdir last call review of draft-ietf-httpbis-bcp56bis-12
Joseph Salowey via Datatracker <noreply@ietf.org> Sun, 25 July 2021 17:30 UTC
Return-Path: <noreply@ietf.org>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 2F4C23A32E9; Sun, 25 Jul 2021 10:30:26 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Joseph Salowey via Datatracker <noreply@ietf.org>
To: secdir@ietf.org
Cc: draft-ietf-httpbis-bcp56bis.all@ietf.org, ietf-http-wg@w3.org, last-call@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 7.35.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <162723422613.4754.2816752947598222075@ietfa.amsl.com>
Reply-To: Joseph Salowey <joe@salowey.net>
Date: Sun, 25 Jul 2021 10:30:26 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/HbWgQY1V9rXXA0o9dcvSoutoIzw>
Subject: [secdir] Secdir last call review of draft-ietf-httpbis-bcp56bis-12
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 25 Jul 2021 17:30:26 -0000
Reviewer: Joseph Salowey Review result: Has Issues I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. The summary of the review is has issues The document is well written and very useful. There are a few issues I think need to be addressed. Major Issues: + I had trouble with section 4.12 Client Authentication which states: "Applications can use HTTP authentication Section 11 of [I-D.ietf-httpbis-semantics] to identify clients. The Basic authentication scheme [RFC7617] MUST NOT be used unless the underlying transport is authenticated, integrity-protected and confidential (e.g., as provided the "HTTPS" URI scheme, or another using TLS). The Digest scheme [RFC7616] MUST NOT be used unless the underlying transport is similarly secure, or the chosen hash algorithm is not "MD5"." I'm not sure what the "or chosen hash algorithm is not "MD5" is meant to say. What I think the document should say is: The Digest scheme [RFC7616] MUST NOT be used unless the underlying transport is similarly secure. The "MD5" digest algorithm MUST NOT be used. + There is a security consideration that I think the document should cover. Many HTTP based protocols make heavy use of bearer tokens, such as session cookies, for authentication and authorization purposes. This means that an attacker that can eavesdrop on HTTP communications can often escalate their privilege to perform operations on resources. I think you could add this to the security considerations: " Section 4.4.2 requires support for 'https' URLs, and discourages the use of 'http' URLs, to provide authentication, integrity and confidentiality, as well as mitigate pervasive monitoring attacks. Many HTTP based protocols make heavy use of bearer tokens, such as session cookies, for authentication and authorization purposes. This means that an attacker that can eavesdrop on HTTP communications can often escalate their privilege to perform operations on resources. " Minor Issues: + Section 4.5.1 - This could be a good place to mention RFC-8470 on TLS 1.3 early data which can also be a source of GET request replay
- [secdir] Secdir last call review of draft-ietf-ht… Joseph Salowey via Datatracker
- Re: [secdir] [Last-Call] Secdir last call review … Mark Nottingham
- Re: [secdir] [Last-Call] Secdir last call review … Joseph Salowey
- Re: [secdir] [Last-Call] Secdir last call review … Mark Nottingham
- Re: [secdir] [Last-Call] Secdir last call review … Joseph Salowey
- Re: [secdir] [Last-Call] Secdir last call review … Mark Nottingham
- Re: [secdir] [Last-Call] Secdir last call review … Mark Nottingham
- Re: [secdir] [Last-Call] Secdir last call review … Joseph Salowey