Re: [secdir] Secdir review of draft-op3ft-leaptofrogans-uri-scheme-03

Benjamin PHISTER <benjamin.phister@op3ft.org> Sun, 20 January 2019 11:13 UTC

From: Benjamin PHISTER <benjamin.phister@op3ft.org>
To: Magnus Nyström <magnusn@gmail.com>, secdir@ietf.org
Cc: Alexey Melnikov <aamelnikov@fastmail.fm>, draft-op3ft-leaptofrogans-uri-scheme@ietf.org
Date: Sun, 20 Jan 2019 12:12:53 +0100
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/XDKRm840ciXYElMrmQ4af4MKnS8>

Dear Magnus,

Thank you for your review, and please excuse my late reply.

I have responded to your questions directly in your message below.

Best regards,

Ben

-- 
Benjamin Phister
Head of Technical Specifications
benjamin.phister@op3ft.org

OP3FT
6 square Mozart
75016 Paris - France
Tel: +33 1 5392 0040
https://www.op3ft.org/
frogans*op3ft


------------------------------------------------------------------------
*From:* Magnus Nyström <magnusn@gmail.com>
*Subject:* Secdir review of draft-op3ft-leaptofrogans-uri-scheme-03
*Date:* Friday, Nov 16, 2018 9:47 AM CET
*To:* secdir@ietf.org, draft-op3ft-leaptofrogans-uri-scheme@ietf.org

> I have reviewed this document as part of the security directorate's 
> ongoing effort to review all IETF documents being processed by the 
> IESG. These comments were written primarily for the benefit of the 
> security area directors.  Document editors and WG chairs should treat 
> these comments just like any other last call comments.
>
> This document specifies the "leaptofrogans" URI scheme. Its security 
> considerations section provides a discussion of common URI risks and 
> how they apply to the frogans URIs. I do wonder a bit about the 
> statement that "[the] risk of confusion [due to the true address 
> being hidden in the link text visible to the user] is mitigated 
> because Frogans Player must always display the real Frogans address 
> contained in the URI" - does this necessarily also apply to "inbound" 
> direction cases - i.e., when a regular browser displays a link which 
> allows the user to launch a frogans site?

The way that end-user applications (such as a Web browser or an E-mail 
client) choose to display links is outside the scope of this I-D. The 
I-D only says what Frogans Player must do when dealing with a 
'leaptofrogans' URI. It does not say what other end-user applications 
must display when dealing with a 'leaptofrogans' URI.

Furthermore, the way end-user applications display links varies 
considerably. The real Frogans address contained in the URI may not be 
displayed at all. For instance, on a Web page, a link can be presented 
using an image instead of using a hypertext link.

In any case, as discussed in the I-D, the risk of confusion is mitigated 
by Frogans Player that always displays the real Frogans address 
contained in the URI.

>
> (Unrelated, the "leaptofrogans" name seems long. The scheme part of 
> URIs is typically the name of a protocol or similar. In the frogans 
> case, "fsdl" comes to mind as I understand it to be the language used 
> to create frogans sites (I do not know what protocol is used to 
> communicate with such sites).)

The choice of the scheme name is discussed in Section 3 ("The Choice of 
the Scheme Name") of the I-D.

Choosing 'fsdl' as the scheme name would not work because FSDL, the 
Frogans Slide Description Language, relates to the format of the 
documents representing the slides of a Frogans site and does not relate 
to its Frogans address (just like HTML relates to the format of 
documents representing the pages of a Web site and not to their URLs).

Concerning the protocols used by Frogans Player for requesting and 
receiving data from the server hosting the Frogans site: As of version 
3.0 of the FSDL technical specification 
(https://www.frogans.org/en/resources/fsdl/access.html -- see Section 
1.2 "Purpose"), FSDL works on top of Uniform Content Server Request 
(UCSR), a new framework designed and developed by the OP3FT to make the 
Frogans technology independent from data-transport protocols. The UCSR 
framework provides a client application with an abstraction layer for 
uniformly requesting and receiving data from a content server, while 
ensuring a predetermined security level. Note that UCSR does not propose 
new networking protocols. It utilizes existing protocols widely used on 
the Internet such as IP, DNS, TCP, TLS, and HTTP. For more information 
on UCSR (and also to get an overall understanding of the Frogans 
technology), see Frogans Technology Overview on the official Web site of 
the Frogans technology 
(https://www.frogans.org/en/resources/overview/access.html).

Choosing 'ucsr' as a scheme name would not work either because UCSR can 
be used in contexts outside Frogans technology.

> Thanks,
> -- Magnus