Re: [secdir] secdir review of draft-roach-sip-http-subscribe-06

Adam Roach <adam@nostrum.com> Tue, 02 February 2010 17:02 UTC

Message-ID: <4B685AB0.9060107@nostrum.com>
Date: Tue, 02 Feb 2010 11:02:40 -0600
From: Adam Roach <adam@nostrum.com>
To: Tina TSOU <tena@huawei.com>, Alexey Melnikov <alexey.melnikov@isode.com>, iesg@ietf.org
Cc: secdir@ietf.org
References: <90041D6C-0B96-482D-9CCC-C552481A187F@huawei.com>
In-Reply-To: <90041D6C-0B96-482D-9CCC-C552481A187F@huawei.com>
Subject: Re: [secdir] secdir review of draft-roach-sip-http-subscribe-06

Tina TSOU wrote:
> 1) It is possible that the message/http NOTIFY message bodies may 
> contain sensitive information. This is related to the statement at the 
> end of the existing Security Considerations text that care should be 
> taken to apply the same controls over access to entity information to 
> SIP/SIPS subscribers as to users using other protocols. Additional 
> text in the Security Considerations section should point out that if 
> the NOTIFY requests may return sensitive information, that information 
> should be protected in transit by, for example, requiring that the 
> subscription use SIPS rather than SIP.
>
> 2) Along with this, some reference to RFC 5630 might be valuable, both 
> to indicate the limitations of SIPS and to indicate how it should be 
> implemented.

Thanks for catching this. I propose adding the following text to the 
Security section as a final paragraph:

    Similarly, if the HTTP resource is encrypted or integrity protected
    in transit -- for example, by using HTTP over TLS [12] -- then the
    SIP means of subscribing to the HTTP resource MUST also have
    appropriate encryption or integrity protection applied.  Examples of
    mechanisms for providing such protection include the use of the SIPS
    URI scheme [17], and the use of S/MIME bodies [13].


With the cited references:

    [12]  Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000.

    [13]  Ramsdell, B., "Secure/Multipurpose Internet Mail Extensions
          (S/MIME) Version 3.1 Message Specification", RFC 3851,
          July 2004.

    [17]  Audet, F., "The Use of the SIPS URI Scheme in the Session
          Initiation Protocol (SIP)", RFC 5630, October 2009.


/a
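The paragraph proposed above places a requirement on the notifier: when the HTTP resource is only served over TLS, it must not hand the resource's contents to a subscriber over an unprotected SIP leg. The following is an added example of how a notifier could enforce that at subscription time; it is not code from the draft, the thread or any implementation of the draft. It assumes that the SUBSCRIBE carries the monitored HTTP URL as its Request-URI, that the event package is named "http-monitor" (neither is stated on this page), that the transport layer tells the notifier whether the SUBSCRIBE arrived over TLS, and that a sips: Contact URI is what makes the NOTIFYs back to the subscriber travel over TLS, as RFC 5630 describes. S/MIME protection of the NOTIFY bodies, the other option the proposed text names, is not modelled. The sample SUBSCRIBE messages are constructed for the example.

```python
"""Added example: notifier-side check that a SUBSCRIBE for a TLS-protected
HTTP resource is itself protected on both legs (SUBSCRIBE in, NOTIFY out).

Assumptions (not stated on the page this accompanies):
  * the SUBSCRIBE Request-URI is the monitored HTTP URL;
  * the event package is called "http-monitor";
  * the caller knows from its transport layer whether the request came over TLS;
  * a sips: Contact means NOTIFYs to the subscriber go over TLS (RFC 5630).
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class SipRequest:
    method: str
    request_uri: str
    headers: dict = field(default_factory=dict)  # lower-case name -> value


def parse_sip_request(raw: bytes) -> SipRequest:
    """Minimal SIP request parser: request line plus one header per line.
    Header folding and compact header names are deliberately not handled."""
    head, _sep, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("utf-8").split("\r\n")
    method, request_uri, version = lines[0].split(" ")
    if version != "SIP/2.0":
        raise ValueError(f"not a SIP/2.0 request line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, _colon, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return SipRequest(method, request_uri, headers)


def uri_scheme(uri: str) -> str:
    """Scheme of a SIP or HTTP URI, with any name-addr wrapping stripped."""
    uri = uri.strip()
    if "<" in uri:  # e.g. "Alice" <sips:alice@example.com>
        uri = uri[uri.index("<") + 1 : uri.index(">")]
    return urlsplit(uri).scheme.lower()


def check_subscription(raw_subscribe: bytes, received_over_tls: bool):
    """Return (accepted, reason). If the monitored resource is served over
    HTTPS, require TLS on the SUBSCRIBE leg and a sips: Contact for NOTIFYs."""
    req = parse_sip_request(raw_subscribe)
    if req.method != "SUBSCRIBE":
        return False, f"unexpected method {req.method}"
    event = req.headers.get("event", "").split(";")[0].strip()
    if event != "http-monitor":  # assumed package name, see docstring
        return False, f"not an http-monitor subscription (Event: {event!r})"
    resource_scheme = uri_scheme(req.request_uri)
    if resource_scheme not in ("http", "https"):
        return False, f"Request-URI is not an HTTP resource: {req.request_uri}"
    if resource_scheme == "http":
        return True, "resource is not TLS-protected; no extra requirement"
    # HTTPS resource: the SIP side must be at least as well protected.
    if not received_over_tls:
        return False, "https resource but SUBSCRIBE did not arrive over TLS"
    if uri_scheme(req.headers.get("contact", "")) != "sips":
        return False, "https resource but Contact is not sips:, NOTIFYs would go in the clear"
    return True, "https resource; SUBSCRIBE over TLS and sips: Contact"


def make_subscribe(resource: str, contact: str, transport: str) -> bytes:
    """Constructed sample SUBSCRIBE for the demo (not taken from the draft)."""
    return (
        f"SUBSCRIBE {resource} SIP/2.0\r\n"
        f"Via: SIP/2.0/{transport} client.example.net;branch=z9hG4bKconstructed\r\n"
        f"To: <{resource}>\r\n"
        f"From: <sip:alice@example.net>;tag=1928301774\r\n"
        f"Call-ID: constructed-call-id@client.example.net\r\n"
        f"CSeq: 1 SUBSCRIBE\r\n"
        f"Contact: <{contact}>\r\n"
        f"Event: http-monitor\r\n"
        f"Expires: 3600\r\n"
        f"Content-Length: 0\r\n\r\n"
    ).encode()


if __name__ == "__main__":
    secret = "https://www.example.com/reports/q1.html"
    public = "http://www.example.com/public/index.html"
    cases = [
        ("https, SUBSCRIBE over TLS, sips Contact", make_subscribe(secret, "sips:alice@client.example.net", "TLS"), True),
        ("https, SUBSCRIBE over UDP, sip Contact", make_subscribe(secret, "sip:alice@client.example.net", "UDP"), False),
        ("https, SUBSCRIBE over TLS, sip Contact", make_subscribe(secret, "sip:alice@client.example.net", "TLS"), True),
        ("http, SUBSCRIBE over UDP, sip Contact", make_subscribe(public, "sip:alice@client.example.net", "UDP"), False),
    ]
    for label, msg, over_tls in cases:
        accepted, reason = check_subscription(msg, over_tls)
        print(f"{label}: {'accept' if accepted else 'reject'} ({reason})")
```

The check is deliberately local: the notifier can only observe its own hop, so "arrived over TLS" and "sips: Contact" say nothing about intermediate hops a proxied SUBSCRIBE or NOTIFY may traverse, which is the kind of SIPS limitation the reviewer's second point asks the draft to reference via RFC 5630. S/MIME-wrapped NOTIFY bodies avoid that dependence on the path but need the subscriber's certificate, so a deployment would typically accept either a sips: Contact or a subscriber certificate it can encrypt to.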