Re: [secdir] secdir review of draft-ietf-webdav-bind-23
Julian Reschke <julian.reschke@greenbytes.de> Tue, 02 June 2009 12:26 UTC
Return-Path: <julian.reschke@greenbytes.de>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0284B3A6CFC; Tue, 2 Jun 2009 05:26:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.249
X-Spam-Level:
X-Spam-Status: No, score=-2.249 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_DE=0.35]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ATnRYmX+pasQ; Tue, 2 Jun 2009 05:26:13 -0700 (PDT)
Received: from donbot.greenbytes.de (mail.greenbytes.de [217.91.35.233]) by core3.amsl.com (Postfix) with ESMTP id 13DF43A6808; Tue, 2 Jun 2009 05:26:12 -0700 (PDT)
Received: from [192.168.1.106] (unknown [192.168.1.106]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by donbot.greenbytes.de (Postfix) with ESMTPSA id A177AC4C05A; Tue, 2 Jun 2009 14:26:12 +0200 (CEST)
Message-ID: <4A251A64.9050209@greenbytes.de>
Date: Tue, 02 Jun 2009 14:26:12 +0200
From: Julian Reschke <julian.reschke@greenbytes.de>
Organization: greenbytes GmbH
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.0.4) Gecko/20060516 Thunderbird/1.5.0.4 Mnenhy/0.7.4.666
MIME-Version: 1.0
To: Tero Kivinen <kivinen@iki.fi>
References: <18981.1135.241220.933349@fireball.kivinen.iki.fi>
In-Reply-To: <18981.1135.241220.933349@fireball.kivinen.iki.fi>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 8bit
Cc: webdav-chairs@tools.ietf.org, draft-ietf-webdav-bind@tools.ietf.org, iesg@ietf.org, secdir@ietf.org
Subject: Re: [secdir] secdir review of draft-ietf-webdav-bind-23
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Jun 2009 12:26:15 -0000
Hi Tero, Tero Kivinen wrote: > I have reviewed this document as part of the security directorate's > ongoing effort to review all IETF documents being processed by the > IESG. These comments were written primarily for the benefit of the > security area directors. Document editors and WG chairs should treat > these comments just like any other last call comments. > > This document adds binding extensions to the WebDAV. Binding > extensions seem to be like hard links on unix file system i.e. > providing multiple bindings for same resource (and resource is freed > only when the last binding goes away). > > Security considerations section refers to the "HTTP/1.1 and the WebDAV > Distributed Authoring Protocol specification" and says that all > security considerations of them also applies to this document, but it > does not give explicit references to the documents containing those > security considerations. > ... I have fixed this in my copy of the draft; see <http://www.webdav.org/bind/draft-ietf-webdav-bind-latest.html#rfc.issue.sec-cons-references>. We can either produce a new draft after IESG review, or let this change wait until AUTH48. (My personal preference is to provide the RFC Editor with a draft that has as few pending changes as possible). > Bindings adds some new security concerns (privacy, loops, denial of > service etc.), and those issues seem to be adequately covered by the > security considerations section. > > One of the things I am not sure if it is really applicable here, but > which is not covered by the security considerations section is that > bindings might confuse administrator about access permissions. I.e. > even when administrator revokes all change permissions from certain > collection (i.e the user cannot change the data any more), if that > collection has binding pointing to some other collection or resource > where user still has permissions, the user might still be able to > change resources in the first collection even when administrator > believes he already removed permissions. > > I am not familiar enough with the WebDAV authorization model to know > if this kind of attacks are possible or not, i.e. I do not know if the > permissions are set per resource basis or for per collection or what. RFC 3744 (WebDAV ACLs) defines access privileges per resource, not per URI (see also <http://www.webdav.org/bind/draft-ietf-webdav-bind-24.html#rfc.section.9> and <http://greenbytes.de/tech/webdav/rfc3744.html#rfc.section.5.p.2>). Best regards, Julian -- <green/>bytes GmbH, Hafenweg 16, D-48155 Münster, Germany Amtsgericht Münster: HRB5782
- [secdir] secdir review of draft-ietf-webdav-bind-… Tero Kivinen
- Re: [secdir] secdir review of draft-ietf-webdav-b… Julian Reschke
- Re: [secdir] secdir review of draft-ietf-webdav-b… Tero Kivinen