Re: [secdir] Review of draft-reschke-rfc2231-in-http-10.txt
Graham Klyne <GK@ninebynine.org> Mon, 01 March 2010 20:54 UTC
Return-Path: <GK@ninebynine.org>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3EA3F28C5A6; Mon, 1 Mar 2010 12:54:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id b5Bj2TBrZRKg; Mon, 1 Mar 2010 12:54:40 -0800 (PST)
Received: from relay5.mail.ox.ac.uk (relay5.mail.ox.ac.uk [163.1.2.163]) by core3.amsl.com (Postfix) with ESMTP id 22C8728C5A2; Mon, 1 Mar 2010 12:54:40 -0800 (PST)
Received: from smtp0.mail.ox.ac.uk ([129.67.1.205]) by relay5.mail.ox.ac.uk with esmtp (Exim 4.71) (envelope-from <GK@ninebynine.org>) id 1NmCdR-0008Oq-HC; Mon, 01 Mar 2010 20:54:37 +0000
Received: from gklyne.plus.com ([80.229.154.156] helo=Eskarina.local) by smtp0.mail.ox.ac.uk with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.69) (envelope-from <GK@ninebynine.org>) id 1NmCdQ-0001pM-2z; Mon, 01 Mar 2010 20:54:37 +0000
Message-ID: <4B8C16DC.5030703@ninebynine.org>
Date: Mon, 01 Mar 2010 19:34:52 +0000
From: Graham Klyne <GK@ninebynine.org>
User-Agent: Thunderbird 2.0.0.23 (Macintosh/20090812)
MIME-Version: 1.0
To: Tero Kivinen <kivinen@iki.fi>
References: <19335.45416.521059.570426@fireball.kivinen.iki.fi> <4B87D118.1090408@greenbytes.de> <19339.47272.515270.37133@fireball.kivinen.iki.fi>
In-Reply-To: <19339.47272.515270.37133@fireball.kivinen.iki.fi>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Oxford-Username: zool0635
X-Mailman-Approved-At: Mon, 01 Mar 2010 13:05:36 -0800
Cc: httpbis-chairs@tools.ietf.org, secdir@ietf.org, iesg@ietf.org, Julian Reschke <julian.reschke@greenbytes.de>
Subject: Re: [secdir] Review of draft-reschke-rfc2231-in-http-10.txt
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Mar 2010 20:54:41 -0000
For information: Larry Masinter recently suggested replacing some similar text in the IRI specification with a reference to a Unicode report: http://lists.w3.org/Archives/Public/www-tag/2010Feb/0175.html #g -- Tero Kivinen wrote: > Julian Reschke writes: >> -- snip -- >> 5. Security Considerations >> >> The format described in this document makes it possible to transport >> non-ASCII characters, and thus enables character "spoofing" >> scenarios, in which a displayed value appears to be something other >> than it is. >> >> Furthermore, there are known attack scenarios relating to decoding >> UTF-8. >> >> See Section 10 of [RFC3629] for more information on both topics. >> -- snip -- > > I think that text adequately covers non-ASCII characters issues. > >>> I agree on this comment, and the security consideration section should >>> include text about the ability to character spoofing. Also as the >>> parameters can include different texts for different languages that >>> also offers another form of spoofing, for example the example the >>> title parameter used in the headers could include different titles for >>> different languages which could affect the way the user interprets it. >>> >>> As this document does not define any specific parameters, the actual >>> documents defining parameters using this format specified here should >>> include text about whether those spoofing attacks are possible and/or >>> meaningful. Having some generic text in this document explaining the >>> possible attacks, would make sure those documents include the text >>> needed. >> I'm a bit reluctant to add more than I already have. After all, this >> applies to *any* IETF spec that has proper I18N, so, in theory, >> *everything* the IETF does that allows natural language text. > > Yes, but the impact of them is different. For example it does not > really matter if the filename parameters having different languages > differ, but there might be parameters where this really matters. > > As this document does not define any exact parameters, it might be > enough to comment something like that "This document specifies way to > transport multiple language variants for parameters, and such use > might allow spoofing attacks, where different language versions of the > same parameters do not match. Whether this attack is useful as an > attack depends on the parameter specified." > > This way the one writing documents specifying parameters allowing > multiple languages and specifying some kind processing on them will > think whether this attack affects them or not. > >> It would be really great if we had a document that summarized common >> security considerations, so that "higher-level" specs could just point >> to individual parts of these. > > Such document would probably be so long that it would not be that > useful. I think listing exact security considerations specific for > this document in the security considerations section is better, > altough for background information pointing to another document (like > RFC 3629) is enough. > >> For the spoofing issue I'm now pointing to RFC 3629 -- do you feel we >> need more? > > I am not really sure for what kind of parameters the different > language versions are used, so I cannot really comment whether there > can be security issues because of them. > > If you are sure there cannot be any security issues because of them, > then you should say so. If you do do not know, then it is better to > mention here to make those who use them to think about the security > issues they might raise.
- [secdir] Review of draft-reschke-rfc2231-in-http-… Tero Kivinen
- Re: [secdir] Review of draft-reschke-rfc2231-in-h… Julian Reschke
- Re: [secdir] Review of draft-reschke-rfc2231-in-h… Tero Kivinen
- Re: [secdir] Review of draft-reschke-rfc2231-in-h… Julian Reschke
- Re: [secdir] Review of draft-reschke-rfc2231-in-h… Graham Klyne
- Re: [secdir] Review of draft-reschke-rfc2231-in-h… Tero Kivinen