Re: [secdir] draft-ietf-geopriv-policy-uri-02
Richard Barnes <rbarnes@bbn.com> Mon, 31 October 2011 14:03 UTC
Return-Path: <rbarnes@bbn.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 69E4421F8D77; Mon, 31 Oct 2011 07:03:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.599
X-Spam-Level:
X-Spam-Status: No, score=-106.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ICWiGimng7WJ; Mon, 31 Oct 2011 07:03:08 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.0.80]) by ietfa.amsl.com (Postfix) with ESMTP id D8F1D21F8D75; Mon, 31 Oct 2011 07:03:08 -0700 (PDT)
Received: from [128.89.254.110] (port=60432) by smtp.bbn.com with esmtps (TLSv1:AES128-SHA:128) (Exim 4.74 (FreeBSD)) (envelope-from <rbarnes@bbn.com>) id 1RKsS5-000Ioy-3t; Mon, 31 Oct 2011 10:03:01 -0400
Mime-Version: 1.0 (Apple Message framework v1251.1)
Content-Type: text/plain; charset="iso-8859-1"
From: Richard Barnes <rbarnes@bbn.com>
In-Reply-To: <4EAE91E5.8090908@hyperthought.com>
Date: Mon, 31 Oct 2011 15:02:56 +0100
Content-Transfer-Encoding: quoted-printable
Message-Id: <398CF9D4-9B2E-4237-A658-809E73CCD435@bbn.com>
References: <4EAD53ED.60802@hyperthought.com> <EA2977ED-9021-4929-9341-F235C40C84D7@bbn.com> <4EAE91E5.8090908@hyperthought.com>
To: "Scott G. Kelly" <scott@hyperthought.com>
X-Mailer: Apple Mail (2.1251.1)
Cc: draft-ietf-geopriv-policy-uri.all@tools.ietf.org, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] draft-ietf-geopriv-policy-uri-02
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 31 Oct 2011 14:03:09 -0000
>> <trimmed...>
>> Why isn't unauthorized manipulation of the policy information also listed as a risk? Actually, the second paragraph of the security considerations addresses this, ("The mechanism also needs to ensure that only authorized entities are able to acquire or alter policy."), but subsequent text seems to indicate that if the policy URI is not kept secret, there are no further protections.
>> Since we're talking about access control policy here, the effect of "manipulation of the policy information" is precisely "unauthorized disclosure of the protected resource". Does that clear thing sup?
>
> I see your point, but manipulation of policy information could also be used to prevent/deny disclosure too. As I noted below, I have no experience with these protocols, and this may not matter, but as a reviewer, I think I should mention it.
That's a fair point. How about this change to the text:
OLD: "The risk of unauthorized disclosure of the protected resource"
NEW: "The risk of unauthorized grants or denial of access to the protected resource"
>>> Am I missing something here, or is secrecy of the URI really the only protection against unauthorized policy manipulation? I have to admit that I have no experience with these protocols, and it may be that this is addressed elsewhere (or truly doesn't matter), but it does feel a bit off.
>>
>> You're exactly right in that understanding. The idea is that a policy URI is already controlling access control policy on something, so we didn't want to have access control policies for who can access policy URIs (turtles all the way down). That's the reason for all the text about keeping the policy URI secret.
>
> I didn't see any language suggesting that if one wishes to mitigate the resulting exposure, these URIs should probably be short-lived. Is that covered in one of the related docs? Again, not sure if this matters, but as the boilerplate suggests, the purpose of these secdir reviews is to let the security ADs (who presumably have much more context) know if there's anything they should be aware of, so I pointed it out. Lacking background and protocol expertise, I don't have any strong position of my own on this.
It's sort of covered in that policy URIs have the same lifetime as the underlying location URI, but there's not anything like a "key roll-over" mechanism. It seems to me like the current limitations are sufficient, but if the ADs feel differently, we can make changes.
- [secdir] draft-ietf-geopriv-policy-uri-02 Scott G. Kelly
- Re: [secdir] draft-ietf-geopriv-policy-uri-02 Richard Barnes
- Re: [secdir] draft-ietf-geopriv-policy-uri-02 Scott G. Kelly
- Re: [secdir] draft-ietf-geopriv-policy-uri-02 Richard Barnes
- Re: [secdir] draft-ietf-geopriv-policy-uri-02 Scott G. Kelly