[secdir] secdir review of draft-ietf-httpbis-p4-conditional-19

Klaas Wierenga <klaas@cisco.com> Mon, 23 April 2012 13:51 UTC

Return-Path: <klaas@cisco.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 5C1C621F84E2; Mon, 23 Apr 2012 06:51:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id t+qW6bIBrGVr; Mon, 23 Apr 2012 06:51:07 -0700 (PDT)
Received: from rcdn-iport-9.cisco.com (rcdn-iport-9.cisco.com []) by ietfa.amsl.com (Postfix) with ESMTP id D849521F8464; Mon, 23 Apr 2012 06:51:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=5607; q=dns/txt; s=iport; t=1335189066; x=1336398666; h=message-id:date:from:mime-version:to:subject: content-transfer-encoding; bh=lnqzOyugBdqhfz0ov0ng3ZwSIhvDAmPbonSAnWjl1rY=; b=gq9TnshNIVKSENfhDhdeVBitvH4bj8gT9I/4bn9FrMFm1enJ8d5VQ2Vt PsBLsd8ImNCtNyD9DMNi/AII58w5HUsN2CNMGmjGChDi7S6erfjRMTbyb bI1K4zIJKNq+j+X4laf2MoBh6E7S70LxdJipX765wMYZOGCm0F89TOj8z E=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="4.75,467,1330905600"; d="scan'208";a="73987564"
Received: from rcdn-core-2.cisco.com ([]) by rcdn-iport-9.cisco.com with ESMTP; 23 Apr 2012 13:51:06 +0000
Received: from macmini.wierenga.net (rtp-kwiereng-8713.cisco.com []) by rcdn-core-2.cisco.com (8.14.3/8.14.3) with ESMTP id q3NDp4MT001725; Mon, 23 Apr 2012 13:51:05 GMT
Message-ID: <4F955E48.7060908@cisco.com>
Date: Mon, 23 Apr 2012 15:51:04 +0200
From: Klaas Wierenga <klaas@cisco.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:11.0) Gecko/20120327 Thunderbird/11.0.1
MIME-Version: 1.0
To: secdir@ietf.org, The IESG <iesg@ietf.org>, draft-ietf-httpbis-p4-conditional.all@tools.ietf.org
X-Enigmail-Version: 1.4.1
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Subject: [secdir] secdir review of draft-ietf-httpbis-p4-conditional-19
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Apr 2012 13:51:08 -0000

Hash: SHA1


I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

First of, I think the draft is well written and a good read,
compliments to the authors, especially the examples were helpful!

To start with the Security Considerations (section 6), there aren't
any..... or rather, section 6 refers to the security considerations of
part 1 and states that the security considerations are the same as for
HTTP in general. IMO that is a bit too easy, for example throughout
the text there is discussion about clock synchronization, evaluation
of weak conditionals, hashes etc. All of those can lead to the client
having a "wrong" view of the resource. I would expect some discussion
as to what that could mean and what measures could be taken to avoid that.

Also, in part 1, security considerations 8.5 there is some discussion
about MitM attacks and evil proxies, and the general statement is made
that proxies should not be trusted anymore than the person who
operates it. Whereas it is true that everyone in the path can change
the transmitted information at will, I could imagine that with ETags
one could actually implement some rsort of integrity protection by
using ETags that are signed hashes of the content that is
transfered.... thinking out loud... anyway, my bottom line is that I
am not sure that the security properties of the system as a whole
don't change by introducing conditionals.

Then other things that came to mind while reading the draft (many just

- - section 1, p3,  Introduction, first sentence

I can not parse that sentence, should it perhaps be "....on that
metadata be checked...." -> "....on that metadata; to be checked...."?

- - 1.1, p3, conformance and error handling, 3d paragraph

I don't get the statement about "SHOULD-level" requirements. Isn't
that always the case with SHOULD? I.e. what is different from RFC2119?

- - 1.2, p4, Syntax

I think it would be helpful to state what OWS, obs-text and HTTP-date
(informal) stand for, the production rule given here does not provide
much clarity

- - 2.1, p5, weak vs strong, 4th paragraph

"A cryptographic hash function", which one? I think you need to state
at least that you should choose one that is collusion resistant (and
this should probably go into the security considerations)

- - 2.2, p6 last-modiefied

This paragraph came a bit out of the blue it is not mentioned that
Last-Modified is one of the validators that you just talked about in
the previous paragraph

- - 2.2.1, p7, generation, one but last paragraph

Seems that a bad system clock can nevertheless screw things up, if the
system clock is set to earlier than the previous "fresh page" the
content will never be updated.

- - 2.2.2 p7, comparision

Is it really neccessary to have the elaborate determination whether
the vlaidator is weak or strong, with arbitrary time intervals etc.?
It seems very error prone and confusing for implementers. Why not just
say that Last-Modified is weak, and if you want strong use ETags.

- - 2.3 ETag, p9, Note

"ought to" is not very normative. Why not make it MUST or SHOULD?

- - 2.3 ETag, p9, 2nd paragraph

The "more reliable" and "convenient" don't seem to be related, even
though that is suggested in the paragraph. I would argue that an
entity-tag can be implemented to be more reliable period (because of
the clock problems discussed before)

- - 2.3.1 p 9, generation

same discussion as in 2.1 about collission resistant hashes

- - 2.4, p12, Rules.... HTTP/1.1 clients

So if I understand the "MUST use the entity-tag" correctly the
heuristic that is being used for servers can not be used here. Like in
the server example I could imagine that also the client could decide
not to fetch new weather data based on some internal rule (because it
is mobile and wants to avoid rapid updates for example)

The MAY use the Last-Modified in the case of an HTTP/1.0 origin server
deserves some explanation, not being an HTTP expert it is unclear to
me what makes it deifferent for 1.1

3.1, p 13, If-Match

Most HTTP return codes are expanded, highly appreciated! Could you
please do that for all, i.e. "304" -> "304 (not modified)" etc., that
makjes for a much easier read.

3.3, p16 If-Modified-Since, First Note:

What is the consequence of the Range header field modifying the meaning?

3.4 p17, If-Unmodified-Since

Why not defining the the result of a request having both an
If-Unmodified-Since and a If-None-Match or If-Modified-Since?

4.1 p17, Not modified, second paragraph

A 304 response..... isn't this a fine case of a SHOULD rather than a
MUST? Or perhaps "A 304 response MUST include a Date header field,
unless the origin server.... , in that case a Date header field MUST
NOT be provided", and what actually does "reasonable approximation" mean?

Once again, compliments on a well written spec!

Klaas Wierenga

Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/