[secdir] [Fwd: SECDIR review of draft-ietf-vcarddav-webdav-mkcol-05.txt
Ran Canetti <canetti@post.tau.ac.il> Mon, 10 August 2009 04:54 UTC
Return-Path: <canetti@post.tau.ac.il>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 59B5C3A6AA1; Sun, 9 Aug 2009 21:54:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.74
X-Spam-Level:
X-Spam-Status: No, score=-0.74 tagged_above=-999 required=5 tests=[BAYES_20=-0.74]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZppMLI9W+LZr; Sun, 9 Aug 2009 21:54:35 -0700 (PDT)
Received: from doar.tau.ac.il (gate.tau.ac.il [132.66.16.26]) by core3.amsl.com (Postfix) with ESMTP id ACBD23A6D32; Sun, 9 Aug 2009 21:54:33 -0700 (PDT)
Received: from [192.168.1.47] (unknown [96.237.134.182]) by doar.tau.ac.il (Postfix) with ESMTP id EAAA3BEF5; Mon, 10 Aug 2009 07:54:33 +0300 (IDT)
Message-ID: <4A7FA802.9040106@post.tau.ac.il>
Date: Mon, 10 Aug 2009 00:54:26 -0400
From: Ran Canetti <canetti@post.tau.ac.il>
User-Agent: Thunderbird 2.0.0.22 (Windows/20090605)
MIME-Version: 1.0
To: secdir <secdir@ietf.org>, iesg@ietf.org, cyrus@daboo.name
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Subject: [secdir] [Fwd: SECDIR review of draft-ietf-vcarddav-webdav-mkcol-05.txt
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Aug 2009 04:54:36 -0000
*** I have reviewed this document as part of the security directorate's *** ongoing effort to review all IETF documents being processed by the *** IESG. These comments were written primarily for the benefit of the *** security area directors. Document editors and WG chairs should treat *** these comments just like any other last call comments. The draft describes an update for the MKCOL request in WebDAV. The update essentially allows for establishing a generic collection on the server (in XML), thus reducing the need for creating additional methods. The document states that this generalization has no security implications. I'm far from being a WebDAV or XML expert, and it might well be the case that the document is correct in this assertion. But, at least on the face of things, it seems that allowing clients to make generic XML MKCOL requests might make it harder for servers to protect against compromise by malicious clients. (At least some of the curbs that were put before, by forcing specific MKCOL requests per application, may now be removed.) It might be good to discuss this potential concern and clarify its relevance/irrelevance. Best, Ran