[secdir] [Fwd: SECDIR review of draft-ietf-vcarddav-webdav-mkcol-05.txt

Ran Canetti <canetti@post.tau.ac.il> Mon, 10 August 2009 04:54 UTC

Return-Path: <canetti@post.tau.ac.il>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost []) by core3.amsl.com (Postfix) with ESMTP id 59B5C3A6AA1; Sun, 9 Aug 2009 21:54:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.74
X-Spam-Status: No, score=-0.74 tagged_above=-999 required=5 tests=[BAYES_20=-0.74]
Received: from mail.ietf.org ([]) by localhost (core3.amsl.com []) (amavisd-new, port 10024) with ESMTP id ZppMLI9W+LZr; Sun, 9 Aug 2009 21:54:35 -0700 (PDT)
Received: from doar.tau.ac.il (gate.tau.ac.il []) by core3.amsl.com (Postfix) with ESMTP id ACBD23A6D32; Sun, 9 Aug 2009 21:54:33 -0700 (PDT)
Received: from [] (unknown []) by doar.tau.ac.il (Postfix) with ESMTP id EAAA3BEF5; Mon, 10 Aug 2009 07:54:33 +0300 (IDT)
Message-ID: <4A7FA802.9040106@post.tau.ac.il>
Date: Mon, 10 Aug 2009 00:54:26 -0400
From: Ran Canetti <canetti@post.tau.ac.il>
User-Agent: Thunderbird (Windows/20090605)
MIME-Version: 1.0
To: secdir <secdir@ietf.org>, iesg@ietf.org, cyrus@daboo.name
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: [secdir] [Fwd: SECDIR review of draft-ietf-vcarddav-webdav-mkcol-05.txt
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Aug 2009 04:54:36 -0000

***   I have reviewed this document as part of the security directorate's
***   ongoing effort to review all IETF documents being processed by the
***   IESG.  These comments were written primarily for the benefit of the
***   security area directors.  Document editors and WG chairs should treat
***   these comments just like any other last call comments.

The draft describes an update for the MKCOL request in WebDAV. The update
essentially allows for establishing a generic collection on the server (in 
XML), thus reducing the need for creating additional methods.

The document states that this generalization has no security implications.

I'm far from being a WebDAV or XML expert, and it might well be the case 
that the document is correct in this assertion. But, at least on the face 
of things, it seems that allowing clients to make generic XML MKCOL 
requests might make it harder for servers to protect against compromise by 
malicious clients. (At least some of the curbs that were put before, by 
forcing specific MKCOL requests per application, may now be removed.)  It 
might be good to discuss this potential concern and clarify its