Re: [secdir] Security review of draft-hodges-webauthn-registries-05

Hilarie Orman <hilarie@purplestreak.com> Thu, 14 May 2020 17:26 UTC

Return-Path: <hilarie@purplestreak.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7F5953A0BC5; Thu, 14 May 2020 10:26:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.895
X-Spam-Level:
X-Spam-Status: No, score=-1.895 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_BL=0.001, RCVD_IN_MSPIKE_L5=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1Iytc1gn32DB; Thu, 14 May 2020 10:25:59 -0700 (PDT)
Received: from out03.mta.xmission.com (out03.mta.xmission.com [166.70.13.233]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 503E93A0B66; Thu, 14 May 2020 10:25:59 -0700 (PDT)
Received: from in02.mta.xmission.com ([166.70.13.52]) by out03.mta.xmission.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from <hilarie@purplestreak.com>) id 1jZHcK-0005BU-B7; Thu, 14 May 2020 11:25:56 -0600
Received: from [166.70.232.207] (helo=rumpleteazer.rhmr.com) by in02.mta.xmission.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.87) (envelope-from <hilarie@purplestreak.com>) id 1jZHcF-00064H-6q; Thu, 14 May 2020 11:25:56 -0600
Received: from rumpleteazer.rhmr.com (localhost [127.0.0.1]) by rumpleteazer.rhmr.com (8.14.4/8.14.4/Debian-4.1ubuntu1) with ESMTP id 04EHMmsT006250; Thu, 14 May 2020 11:22:48 -0600
Received: (from hilarie@localhost) by rumpleteazer.rhmr.com (8.14.4/8.14.4/Submit) id 04EHMmh9006249; Thu, 14 May 2020 11:22:48 -0600
Date: Thu, 14 May 2020 11:22:48 -0600
Message-Id: <202005141722.04EHMmh9006249@rumpleteazer.rhmr.com>
From: "Hilarie Orman" <hilarie@purplestreak.com>
Reply-To: "Hilarie Orman" <hilarie@purplestreak.com>
To: Michael.Jones@microsoft.com
Cc: secdir@ietf.org, iesg@ietf.org, kaduk@mit.edu, draft-hodges-webauthn-registries.all@ietf.org
X-XM-SPF: eid=1jZHcF-00064H-6q; ; ; mid=<202005141722.04EHMmh9006249@rumpleteazer.rhmr.com>; ; ; hst=in02.mta.xmission.com; ; ; ip=166.70.232.207; ; ; frm=hilarie@purplestreak.com; ; ; spf=none
X-XM-AID: U2FsdGVkX18gWZ3mLH3TxAPWK/KkpwLD
X-SA-Exim-Connect-IP: 166.70.232.207
X-SA-Exim-Mail-From: hilarie@purplestreak.com
X-Spam-DCC: ; sa04 0; Body=1 Fuz1=1 Fuz2=1
X-Spam-Combo: **;Michael.Jones@microsoft.com
X-Spam-Relay-Country:
X-Spam-Timing: total 4877 ms - load_scoreonly_sql: 0.15 (0.0%), signal_user_changed: 16 (0.3%), b_tie_ro: 13 (0.3%), parse: 1.96 (0.0%), extract_message_metadata: 34 (0.7%), get_uri_detail_list: 4.4 (0.1%), tests_pri_-1000: 9 (0.2%), tests_pri_-950: 1.92 (0.0%), tests_pri_-900: 1.46 (0.0%), tests_pri_-90: 61 (1.2%), check_bayes: 59 (1.2%), b_tokenize: 11 (0.2%), b_tok_get_all: 8 (0.2%), b_comp_prob: 4.0 (0.1%), b_tok_touch_all: 31 (0.6%), b_finish: 1.28 (0.0%), tests_pri_0: 831 (17.0%), check_dkim_signature: 0.99 (0.0%), check_dkim_adsp: 175 (3.6%), poll_dns_idle: 4026 (82.5%), tests_pri_10: 2.5 (0.1%), tests_pri_500: 3914 (80.3%), rewrite_mail: 0.00 (0.0%)
X-SA-Exim-Version: 4.2.1 (built Thu, 05 May 2016 13:38:54 -0600)
X-SA-Exim-Scanned: Yes (on in02.mta.xmission.com)
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/KjvDc_R-WVn-3Rq3hVUsXm4uiUQ>
Subject: Re: [secdir] Security review of draft-hodges-webauthn-registries-05
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 May 2020 17:26:02 -0000

The only nit, then, is that the URI was listed twice in section 6.2.  It is
listed in entry 6 and entry 9.

Hilarie

>  Thanks for the review, Hilarie.  My replies are inline below, prefixed by "Mike>".

>  -----Original Message-----
>  From: Hilarie Orman <hilarie@purplestreak.com> 
>  Sent: Monday, April 27, 2020 9:42 PM
>  To: iesg@ietf.org; secdir@ietf.org
>  Cc: draft-hodges-webauthn-registries.all@ietf.org
>  Subject: Security review of draft-hodges-webauthn-registries-05

>	  Security review of Registries for Web Authentication
>		  draft-hodges-webauthn-registries-05

>  Do not be alarmed.  I generated this review of this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written with the intent of improving security requirements and considerations in IETF drafts.  Comments not addressed in last call may be included in AD reviews during the IESG review.  Document editors and WG chairs should treat these comments just like any other last call comments.

>  This document establishes two registries required for the W3C Web Authentication system.  The registries are for the WebAuthn Attestation Statement Format Identifier and the WebAuthn Extension Identifier.

>  When submitted, these entries must be approved by an "expert" based on the specification that defines the parameters of the entry.  This includes "security considerations", which is good.  I don't quite see how submission of a request for a new entry gets routed to an expert, how experts come into being, etc., but I suppose that is a W3C procedure.

>  A couple of nits.

>  This url is listed twice in the URIs:
>  https://www.iana.org/assignments/webauthn
>  but it does not exist.  I expected at least a TBD message, unless the address itself is a placeholder.

>  Mike> The draft includes this TBD text "[[ Per discussions in an email thread between the authors and IANA ( "[IANA #1154148]" ), it is requested that the registries be located at <https://www.iana.org/assignments/webauthn>. RFC Editor - please delete this request after the registries have been created. ]]" before the two occurrences that you cite.

>  In 2.1
>  "The Experts(s) MAY also designate attestation
>     statement formats as proprietary if they lack complete
>     specifications, and will assign a prefix indicating as such to the
>     identifier."  
>  It is not clear what the format of that prefix is or how indicates "as such".  Is that an indication that it is proprietary or (and?) that it is incomplete?

>  Mike>  The text you cited is unnecessary for the purposes of the specification and will be deleted.

>  Hilarie

>  Mike> You can see proposed updated source for -06 at https://github.com/w3c/webauthn/pull/1415 .

>				   Thanks again,
>				   -- Mike