Re: [secdir] draft-ietf-geopriv-policy-uri-02
"Scott G. Kelly" <scott@hyperthought.com> Mon, 31 October 2011 17:39 UTC
Return-Path: <scott@hyperthought.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4596921F8B4A for <secdir@ietfa.amsl.com>; Mon, 31 Oct 2011 10:39:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lepYFxgotgex for <secdir@ietfa.amsl.com>; Mon, 31 Oct 2011 10:39:52 -0700 (PDT)
Received: from smtp132.iad.emailsrvr.com (smtp132.iad.emailsrvr.com [207.97.245.132]) by ietfa.amsl.com (Postfix) with ESMTP id 8E32921F8BCD for <secdir@ietf.org>; Mon, 31 Oct 2011 10:39:52 -0700 (PDT)
Received: from localhost (localhost.localdomain [127.0.0.1]) by smtp43.relay.iad1a.emailsrvr.com (SMTP Server) with ESMTP id 4AB702D0483; Mon, 31 Oct 2011 13:39:51 -0400 (EDT)
X-Virus-Scanned: OK
Received: from dynamic3.wm-web.iad.mlsrvr.com (dynamic3.wm-web.iad1a.rsapps.net [192.168.2.152]) by smtp43.relay.iad1a.emailsrvr.com (SMTP Server) with ESMTP id F37BB2D047A; Mon, 31 Oct 2011 13:39:50 -0400 (EDT)
Received: from hyperthought.com (localhost [127.0.0.1]) by dynamic3.wm-web.iad.mlsrvr.com (Postfix) with ESMTP id D2B243320078; Mon, 31 Oct 2011 13:39:50 -0400 (EDT)
Received: by apps.rackspace.com (Authenticated sender: scott@hyperthought.com, from: scott@hyperthought.com) with HTTP; Mon, 31 Oct 2011 10:39:50 -0700 (PDT)
Date: Mon, 31 Oct 2011 10:39:50 -0700
From: "Scott G. Kelly" <scott@hyperthought.com>
To: Richard Barnes <rbarnes@bbn.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Importance: Normal
X-Priority: 3 (Normal)
X-Type: plain
In-Reply-To: <398CF9D4-9B2E-4237-A658-809E73CCD435@bbn.com>
References: <4EAD53ED.60802@hyperthought.com> <EA2977ED-9021-4929-9341-F235C40C84D7@bbn.com> <4EAE91E5.8090908@hyperthought.com> <398CF9D4-9B2E-4237-A658-809E73CCD435@bbn.com>
Message-ID: <1320082790.856226845@apps.rackspace.com>
X-Mailer: webmail7.0
Cc: draft-ietf-geopriv-policy-uri.all@tools.ietf.org, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] draft-ietf-geopriv-policy-uri-02
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 31 Oct 2011 17:39:53 -0000
Hi Richard, I think your proposed change is fine. --Scott On Monday, October 31, 2011 7:02am, "Richard Barnes" <rbarnes@bbn.com> said: >>> <trimmed...> >>> Why isn't unauthorized manipulation of the policy information also listed as a >>> risk? Actually, the second paragraph of the security considerations addresses >>> this, ("The mechanism also needs to ensure that only authorized entities are >>> able to acquire or alter policy."), but subsequent text seems to indicate that >>> if the policy URI is not kept secret, there are no further protections. >>> Since we're talking about access control policy here, the effect of >>> "manipulation of the policy information" is precisely "unauthorized disclosure >>> of the protected resource". Does that clear thing sup? >> >> I see your point, but manipulation of policy information could also be used to >> prevent/deny disclosure too. As I noted below, I have no experience with these >> protocols, and this may not matter, but as a reviewer, I think I should mention >> it. > > That's a fair point. How about this change to the text: > > OLD: "The risk of unauthorized disclosure of the protected resource" > NEW: "The risk of unauthorized grants or denial of access to the protected > resource" > > >>>> Am I missing something here, or is secrecy of the URI really the only >>>> protection against unauthorized policy manipulation? I have to admit that I >>>> have no experience with these protocols, and it may be that this is addressed >>>> elsewhere (or truly doesn't matter), but it does feel a bit off. >>> >>> You're exactly right in that understanding. The idea is that a policy URI is >>> already controlling access control policy on something, so we didn't want to >>> have access control policies for who can access policy URIs (turtles all the way >>> down). That's the reason for all the text about keeping the policy URI secret. >> >> I didn't see any language suggesting that if one wishes to mitigate the resulting >> exposure, these URIs should probably be short-lived. Is that covered in one of >> the related docs? Again, not sure if this matters, but as the boilerplate >> suggests, the purpose of these secdir reviews is to let the security ADs (who >> presumably have much more context) know if there's anything they should be aware >> of, so I pointed it out. Lacking background and protocol expertise, I don't have >> any strong position of my own on this. > > It's sort of covered in that policy URIs have the same lifetime as the underlying > location URI, but there's not anything like a "key roll-over" mechanism. It seems > to me like the current limitations are sufficient, but if the ADs feel > differently, we can make changes.
- [secdir] draft-ietf-geopriv-policy-uri-02 Scott G. Kelly
- Re: [secdir] draft-ietf-geopriv-policy-uri-02 Richard Barnes
- Re: [secdir] draft-ietf-geopriv-policy-uri-02 Scott G. Kelly
- Re: [secdir] draft-ietf-geopriv-policy-uri-02 Richard Barnes
- Re: [secdir] draft-ietf-geopriv-policy-uri-02 Scott G. Kelly