[secdir] SECDIR review of draft-ietf-jcardcal-jcard-05

Stephen Kent <kent@bbn.com> Wed, 17 July 2013 20:16 UTC

Return-Path: <kent@bbn.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 1E30911E80DC for <secdir@ietfa.amsl.com>; Wed, 17 Jul 2013 13:16:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.598
X-Spam-Status: No, score=-106.598 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id mHreCIjgXxWj for <secdir@ietfa.amsl.com>; Wed, 17 Jul 2013 13:16:22 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com []) by ietfa.amsl.com (Postfix) with ESMTP id E1FDD11E80AE for <secdir@ietf.org>; Wed, 17 Jul 2013 13:16:21 -0700 (PDT)
Received: from dhcp89-089-218.bbn.com ([]:57627) by smtp.bbn.com with esmtp (Exim 4.77 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1UzY8i-00004r-8O; Wed, 17 Jul 2013 16:15:56 -0400
Message-ID: <51E6FB7C.2060106@bbn.com>
Date: Wed, 17 Jul 2013 16:15:56 -0400
From: Stephen Kent <kent@bbn.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:17.0) Gecko/20130620 Thunderbird/17.0.7
MIME-Version: 1.0
To: secdir <secdir@ietf.org>, mozilla@kewis.ch
Content-Type: multipart/alternative; boundary="------------020705000104040705020103"
Cc: bert.greevenbosch@huawei.com, Barry Leiba <barryleiba@computer.org>, Pete Resnick <presnick@qti.qualcomm.com>, stpeter@stpeter.im
Subject: [secdir] SECDIR review of draft-ietf-jcardcal-jcard-05
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Jul 2013 20:16:28 -0000

SECDIR review of draft-ietf-jcardcal-jcard-05

I reviewed this document as part of the security directorate's ongoing 
effort to review all IETF documents being processed by the IESG.These 
comments were written primarily for the benefit of the security area 
directors.Document editors and WG chairs should treat these comments 
just like any other last call comments.

This document describes a JSON format for vCard data, as previously 
defined in RFC 6350.

This document cites the Security Considerations section of original 
vCard RFC (noted above) as the primary content for its Security 
Considerations section. It asserts that no new security concerns arise 
with respect to _calendar data_, because this specification merely maps 
the original vCard data to a new format.However, it then cites the 
Security Considerations section of the JSON specification (RFC 4627) 
noting that there are additional security risks that arise from using 
JSON to represent vCard data! To me these two statements seem somewhat 
contradictory, but that can be addressed by refining the wording here.

More worrisome is the fact that this very brief section mentions only 
calendar data security. Does that mean that no other type of vCard use, 
when using JSON encoding, creates any new security concerns? This 
document is much broader in scope than just iCal data (the subject of 
draft-ietf-jcardcal-jcal-07), so this narrowly focused comment seems out 
of place.

RFC 6350's Security Considerations section notes few concerns that are 
Vcard-specific; most of the comments in that section relate to the need 
to provide security for vCards when they are transported, e.g., via 
email. All of these concerns are equally applicable here, as indicated, 
without the calendar data comment.

RFC 4627's security considerations section turns out to be an indirect 
reference to two paragraphs in the IANA Considerations section! (This 
seems silly and it's not clear why that document was published with such 
an obvious structural error, but ...). The security concern cited in 
4627 is that JavaScript (JS) is a scripting language and thus JSON might 
be used to execute malicious JS. However JSON is intended to be a "safe" 
subset of JS, i.e., it should be able to be evaluated in JS without 
security concerns, if it is properly constrained.The text in 4627 
provides two regular expressions that can be invoked to strip any 
characters that might cause security problems. I'd feel a lot more 
comfortable if this text were explicitly replicated in this I-D, and the 
I-D _mandated_ this processing step before passing the Jcard data to JS. 
(It might even make sense as a post processing step as part of the vCard 
to JCard processing described in Section 3.) The level of indirection 
currently used in the Security Considerations section, and the casual 
advisory nature of the original text might easily be overlooked by an 

Finally, the notion of JSON as "safe" JS subset assumes that the parser 
processing the JSON does not have a security flaw. Such flaws have been 
identified, one as recently as February of this year. It might be good 
to note that this represents a new type of security concern that would 
not arise in a conventional vCard context.