Re: [secdir] secdir review of draft-ietf-appsawg-xdash-03
Peter Saint-Andre <stpeter@stpeter.im> Mon, 12 March 2012 16:58 UTC
Return-Path: <stpeter@stpeter.im>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5527E21F8738; Mon, 12 Mar 2012 09:58:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.721
X-Spam-Level:
X-Spam-Status: No, score=-102.721 tagged_above=-999 required=5 tests=[AWL=-0.122, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6p7bAaA2LQiW; Mon, 12 Mar 2012 09:57:59 -0700 (PDT)
Received: from stpeter.im (mailhost.stpeter.im [207.210.219.225]) by ietfa.amsl.com (Postfix) with ESMTP id 5A1C021F8618; Mon, 12 Mar 2012 09:57:59 -0700 (PDT)
Received: from dhcp-64-101-72-193.cisco.com (unknown [64.101.72.193]) (Authenticated sender: stpeter) by stpeter.im (Postfix) with ESMTPSA id C7B7B40058; Mon, 12 Mar 2012 11:10:14 -0600 (MDT)
Message-ID: <4F5E2B15.6000409@stpeter.im>
Date: Mon, 12 Mar 2012 10:57:57 -0600
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.5; rv:10.0.2) Gecko/20120216 Thunderbird/10.0.2
MIME-Version: 1.0
To: "Scott G. Kelly" <scott@hyperthought.com>
References: <1331296960.23996089@apps.rackspace.com> <4F5E267F.8070602@stpeter.im> <4F5E285E.9040908@stpeter.im>
In-Reply-To: <4F5E285E.9040908@stpeter.im>
X-Enigmail-Version: 1.3.5
OpenPGP: url=https://stpeter.im/stpeter.asc
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Cc: draft-ietf-appsawg-xdash.all@tools.ietf.org, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] secdir review of draft-ietf-appsawg-xdash-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Mar 2012 16:58:00 -0000
On 3/12/12 10:46 AM, Peter Saint-Andre wrote: > On 3/12/12 10:38 AM, Peter Saint-Andre wrote: >> On 3/9/12 5:42 AM, Scott G. Kelly wrote: >>> I have reviewed this document as part of the security directorate's >>> ongoing effort to review all IETF documents being processed by the >>> IESG. These comments were written primarily for the benefit of the >>> security area directors. Document editors and WG chairs should treat >>> these comments just like any other last call comments. >>> >>> This document deprecates the use of the "X-" prefix in application >>> protocols (e.g. HTTP). The security considerations section says that >>> issues with security-critical parameters can result in unnecessary >>> vulnerabilities, and points the reader to an appendix for further >>> discussion. The appendix says >>> >>> "Furthermore, often standardization of a non-standard parameter or >>> protocol element leads to subtly different behavior (e.g., the >>> standard version might have different security properties as a >>> result of security review provided during the standardization >>> process). If implementers treat the old, non-standard parameter and >>> the new, standard parameter as equivalent, interoperability and >>> security problems can ensue." >>> >>> I agree with the part about interoperability issues, but I think the >>> security discussion is a bit more nuanced. In general, >>> unauthenticated header fields are not reliable, and for this reason, >>> it should not matter whether there is an X- prefix or not: you should >>> not be basing security decisions on this. >>> >>> I can see where some parameters might *relate* to security somehow, >>> but it seems that the associated data would be self-contained in >>> terms of its security properties, in the same way that, e.g., an >>> encapsulated CMS payload is self-contained. >>> >>> In such cases, it is true that there would be interop issues if the >>> receiver mis-interpreted the payload, but in no event should the >>> receiver be trusting something just because it has (or does not have) >>> the X- prefix. >>> >>> I think this is very subtle, and after trying to compose a simple >>> email I can see that it gets complex very quickly, so I don't want to >>> rush into a rathole here. Still, I wonder if the security >>> considerations should make the point that presence or lack of an X- >>> prefix must not be relied upon for security decisions. >> >> Hi Scott, >> >> I see your point, but it's not clear to me that this document is the >> place to make a general statement about secure handling of application >> parameters. Further, not all parameters are header fields, so this is >> not a matter of headers vs. payloads. However, I do think there's an >> issue here, so I will think about it more today and perhaps reply again. > > OK, I thought about it quickly. :) > > I think your point relates to our recommendation against making > programmatic distinctions between "standard" and "non-standard" (and > therefore perhaps "secure" and "insecure") parameters based solely on > the names. In version -04 (to be posted before the deadline tonight, I > hope), the content of Section 2 ("Recommendations for Implementers of > Application Protocols") will read as follows: > > Implementations of application protocols MUST NOT programatically > discriminate between "standard" and "non-standard" parameters based > solely on the names of such parameters (i.e., based solely on > whether the name begins with 'x-' or a similar string of characters). > > Now, the leap from "standard" to "secure" and "non-standard" to > "insecure" is unwarranted, I think -- sometimes it might be true, but > not in the general case -- so we might want to recommend against making > such an assumption based solely on the names of parameters. But that is > a slightly different point than the one you're making, it seems. I would suggest, therefore, adding the following paragraph to the Security Considerations: As a corollary to the recommendation provided under Section 2, implementations MUST NOT assume that "standard" parameters are "secure" whereas "non-standard" parameters are "insecure", based solely on the names of such parameters. Strictly speaking that shouldn't be necessary because the security of a parameter is just one instance of the parameter's (assumed) properties, but it might be a helpful clarification. Peter -- Peter Saint-Andre https://stpeter.im/
- [secdir] secdir review of draft-ietf-appsawg-xdas… Scott G. Kelly
- Re: [secdir] secdir review of draft-ietf-appsawg-… Peter Saint-Andre
- Re: [secdir] secdir review of draft-ietf-appsawg-… Peter Saint-Andre
- Re: [secdir] secdir review of draft-ietf-appsawg-… Peter Saint-Andre