[secdir] Secdir last call review of draft-ietf-calext-ical-relations-08

Catherine Meadows via Datatracker <noreply@ietf.org> Tue, 26 October 2021 18:49 UTC

Reviewer: Catherine Meadows
Review result: Has Issues

This draft describes increases in the expressiveness and scope of relationships that
can be defined in iCalendar. It updates the already existing RELATED-TO by
allowing UID and URI as values and introduces a GAP parameter to specify the
length of time between two events. It also introduces three new properties:
CONCEPT (roughly, category), LINK (typed reference to external meta-data or
related resources), and REFID (used to identify a key that identifies all
components that use that REFID). The syntax of the relationships is given and
intended use cases are described.

The introduction of greater expressiveness does not by itself introduce
security considerations, but the introduction of references to external sources
does, specifically for URIs, which are allowed as arguments of the RELATED-TO,
CONCEPT, and LINK properties. The authors of this document are aware of this,
and refer the reader to [RFC3986] for more information.  I agree that the
security considerations related to use of URIs proposed in this draft are
covered by this RFC.

I wonder, though, if the document shouldn't contain a similar warning about the
data type REFERENCE. This refers to an XML document or a portion of an XML
document. Since XML can also be used as an attack vector, a mention in the
Security Considerations Section would seem appropriate.
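As an added example, not part of this review or of the draft, here is a Python audit of the relationship properties the review discusses: it unfolds iCalendar content lines, parses the parameters, validates a GAP duration, applies a URI scheme allow-list to RELATED-TO, LINK and CONCEPT values, and flags VALUE=REFERENCE so the referenced XML is parsed with hardening. The sample lines, the allow-list and the default value types are constructed assumptions, not taken from the draft.

```python
import re
from urllib.parse import urlparse
# Constructed sample, not taken from the draft: folded iCalendar content lines
# using the RELATED-TO, LINK and CONCEPT properties the review discusses.
SAMPLE = (
    "RELATED-TO;RELTYPE=FINISHTOSTART;GAP=PT30M:19960401-080045-4000F192713@examp\r\n"
    " le.com\r\n"
    "LINK;VALUE=URI;LINKREL=describedby:ftp://example.com/notes.txt\r\n"
    "LINK;VALUE=REFERENCE:https://example.com/doc.xml#xpointer(/root/item[1])\r\n"
    "CONCEPT:urn:example:concept:meeting\r\n"
)
RELATION_PROPS = ("RELATED-TO", "LINK", "CONCEPT", "REFID")
ALLOWED_SCHEMES = {"https", "urn"}  # assumed policy: schemes safe to dereference
# RFC 5545 dur-value, simplified: weeks, or days plus an optional time part.
DURATION_RE = re.compile(r"^[+-]?P(?:\d+W|(?:\d+D)?(?:T(?:\d+H)?(?:\d+M)?(?:\d+S)?)?)$")

def parse_content_line(line):
    """Split 'NAME;P=V;Q="a:b":value' into (name, params, value); quoted ':' is kept."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == ":" and not in_quotes:
            break
    else:
        raise ValueError("content line has no ':' value separator")
    name, *raw = line[:i].split(";")
    params = {k.upper(): v.strip('"') for k, _, v in (p.partition("=") for p in raw)}
    return name.upper(), params, line[i + 1:]

def check_relation(name, params, value):
    """Return policy findings for one relationship property (empty list = passes)."""
    findings, gap = [], params.get("GAP")
    if gap is not None and not DURATION_RE.match(gap):
        findings.append(f"{name}: GAP {gap!r} is not a valid duration")
    # Assumed defaults: LINK/CONCEPT carry URIs unless VALUE says otherwise; a
    # RELATED-TO without VALUE=URI is a UID and is never dereferenced.
    vtype = params.get("VALUE", "URI" if name in ("LINK", "CONCEPT") else "UID").upper()
    if vtype in ("URI", "REFERENCE"):
        scheme = urlparse(value).scheme.lower()
        if scheme not in ALLOWED_SCHEMES:
            findings.append(f"{name}: URI scheme {scheme!r} is not on the allow-list")
    if vtype == "REFERENCE":  # the review's point: the target is XML, so harden the parser
        findings.append(f"{name}: REFERENCE names XML; parse it with DTDs and external entities disabled")
    return findings

def audit(ics_text):
    lines = re.sub(r"\r?\n[ \t]", "", ics_text).splitlines()  # undo RFC 5545 line folding
    props = (parse_content_line(l) for l in lines if l)
    return [f for n, p, v in props if n in RELATION_PROPS for f in check_relation(n, p, v)]
```

Running `audit(SAMPLE)` reports the ftp LINK and the REFERENCE LINK and passes the UID-valued RELATED-TO and the urn CONCEPT.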