Re: [secdir] Review of draft-ietf-xcon-common-data-model-27.txt

[Tero Kivinen <kivinen@iki.fi>]

Oscar Novo writes:
> 1) The confidentiality is not mandatory even in the cases where the
>    database contains sensitive elements (passwords), it is only
>    SHOULD.
> 
> [ON] In the new version of the draft (28) I have changes the text a bit:
> 
>    "The confidentiality of the database SHOULD be protected from
>    unauthorized users, given that the data model contains a set of
>    sensitive elements (e.g., passwords), and it is RECOMMENDED the
>    database uses encryption mechanisms if the information is stored in
>    long term storage (e.g., disk)." 

I would think that SHOULD (or MAY) is ok if there is no sensitive
elements in the database, but if the database actually do contain
sensitive elements like password do you really think confidentiality
is not needed?

If so in which scenarios it would be ok to not use confidentiality
and not protect the sensitive data from unauthorized users?

Saying that data SHOULD be encrypted when stored to the disk is
actually ok, as I do think SHOULD is acceptable there, as I can see
several valid scenarios where the long term storage access can be
secure enough that encryption is not needed.

I do not see any real scnearios where unauthorized users needs to
given access to the sensitive elements.

> 2) The privacy issues is not covered enough. The current version added
>    specific pointer to the section 11.2 of RFC5239, but that only
>    covers one very small privacy issue, i.e. anonymous access. It does
>    not cover gathering sensitive privacy information in the database,
>    i.e. who participated which conferences and with whom.
> 
> [ON] We don't think this document should solve questions as "who
> participated which conferences and with whom?". And in the working
> group was agree to leave the policy outside this document for future
> documents.

I do not think there is really problem to solve, but I think by nature
this database will have such information, and that information might
be stored to long term storage. I.e. if someone makes conferences
about the "human rights problems in country X", and invites people to
participate such conference, then that information is stored to the
database.

By keeping that information in database this database now contains
sensitive privacy information, which is not pointed out in this draft.

I think security considerations section should point out that some
information stored in the data model might be sensitive in addition to
obious things like passwords and identity of the anonymoys users. This
may include the information about identities of the people
participating specific conferences or who is communicating with who
(i.e. telecommuniations data retentation:
http://en.wikipedia.org/wiki/Telecommunications_data_retention).

The current data model for example is quite vague about how long the
information is stored. I.e. how long will the list of participants
given in the system. When will it be deleted etc. If this only assumes
that all information only covers the currently on-going events then
that is good, but in most cases I think some information might be
stored before the event even starts etc.

I do not think there is need to modify the actual data model, more
likely point out that there might be issues there which some people
might not even see immediately (as can be seen how hard it has been
for me to try to express what my concern is). 
-- 
kivinen@iki.fi