[secdir] SECDIR review of draft-ietf-jcardcal-jcard-05
Stephen Kent <kent@bbn.com> Wed, 17 July 2013 20:16 UTC
Return-Path: <kent@bbn.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1E30911E80DC for <secdir@ietfa.amsl.com>; Wed, 17 Jul 2013 13:16:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.598
X-Spam-Level:
X-Spam-Status: No, score=-106.598 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mHreCIjgXxWj for <secdir@ietfa.amsl.com>; Wed, 17 Jul 2013 13:16:22 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.1.81]) by ietfa.amsl.com (Postfix) with ESMTP id E1FDD11E80AE for <secdir@ietf.org>; Wed, 17 Jul 2013 13:16:21 -0700 (PDT)
Received: from dhcp89-089-218.bbn.com ([128.89.89.218]:57627) by smtp.bbn.com with esmtp (Exim 4.77 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1UzY8i-00004r-8O; Wed, 17 Jul 2013 16:15:56 -0400
Message-ID: <51E6FB7C.2060106@bbn.com>
Date: Wed, 17 Jul 2013 16:15:56 -0400
From: Stephen Kent <kent@bbn.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:17.0) Gecko/20130620 Thunderbird/17.0.7
MIME-Version: 1.0
To: secdir <secdir@ietf.org>, mozilla@kewis.ch
Content-Type: multipart/alternative; boundary="------------020705000104040705020103"
Cc: bert.greevenbosch@huawei.com, Barry Leiba <barryleiba@computer.org>, Pete Resnick <presnick@qti.qualcomm.com>, stpeter@stpeter.im
Subject: [secdir] SECDIR review of draft-ietf-jcardcal-jcard-05
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Jul 2013 20:16:28 -0000
SECDIR review of draft-ietf-jcardcal-jcard-05 I reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.These comments were written primarily for the benefit of the security area directors.Document editors and WG chairs should treat these comments just like any other last call comments. This document describes a JSON format for vCard data, as previously defined in RFC 6350. This document cites the Security Considerations section of original vCard RFC (noted above) as the primary content for its Security Considerations section. It asserts that no new security concerns arise with respect to _calendar data_, because this specification merely maps the original vCard data to a new format.However, it then cites the Security Considerations section of the JSON specification (RFC 4627) noting that there are additional security risks that arise from using JSON to represent vCard data! To me these two statements seem somewhat contradictory, but that can be addressed by refining the wording here. More worrisome is the fact that this very brief section mentions only calendar data security. Does that mean that no other type of vCard use, when using JSON encoding, creates any new security concerns? This document is much broader in scope than just iCal data (the subject of draft-ietf-jcardcal-jcal-07), so this narrowly focused comment seems out of place. RFC 6350's Security Considerations section notes few concerns that are Vcard-specific; most of the comments in that section relate to the need to provide security for vCards when they are transported, e.g., via email. All of these concerns are equally applicable here, as indicated, without the calendar data comment. RFC 4627's security considerations section turns out to be an indirect reference to two paragraphs in the IANA Considerations section! (This seems silly and it's not clear why that document was published with such an obvious structural error, but ...). The security concern cited in 4627 is that JavaScript (JS) is a scripting language and thus JSON might be used to execute malicious JS. However JSON is intended to be a "safe" subset of JS, i.e., it should be able to be evaluated in JS without security concerns, if it is properly constrained.The text in 4627 provides two regular expressions that can be invoked to strip any characters that might cause security problems. I'd feel a lot more comfortable if this text were explicitly replicated in this I-D, and the I-D _mandated_ this processing step before passing the Jcard data to JS. (It might even make sense as a post processing step as part of the vCard to JCard processing described in Section 3.) The level of indirection currently used in the Security Considerations section, and the casual advisory nature of the original text might easily be overlooked by an implementer. Finally, the notion of JSON as "safe" JS subset assumes that the parser processing the JSON does not have a security flaw. Such flaws have been identified, one as recently as February of this year. It might be good to note that this represents a new type of security concern that would not arise in a conventional vCard context.
- [secdir] SECDIR review of draft-ietf-jcardcal-jca… Stephen Kent
- Re: [secdir] SECDIR review of draft-ietf-jcardcal… Stephen Kent
- Re: [secdir] SECDIR review of draft-ietf-jcardcal… Pete Resnick
- Re: [secdir] SECDIR review of draft-ietf-jcardcal… Philipp Kewisch
- Re: [secdir] SECDIR review of draft-ietf-jcardcal… Philipp Kewisch
- Re: [secdir] SECDIR review of draft-ietf-jcardcal… Stephen Kent
- Re: [secdir] SECDIR review of draft-ietf-jcardcal… Stephen Kent