[secdir] SECDIR Review of Draft-ietf-salud-alert-info-urns-12

Matthew Lepinski <mlepinski.ietf@gmail.com> Sun, 11 May 2014 21:56 UTC

Return-Path: <mlepinski.ietf@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2D5A31A0376; Sun, 11 May 2014 14:56:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ajaau6KdD3Jt; Sun, 11 May 2014 14:56:17 -0700 (PDT)
Received: from mail-wi0-x22c.google.com (mail-wi0-x22c.google.com [IPv6:2a00:1450:400c:c05::22c]) by ietfa.amsl.com (Postfix) with ESMTP id C58CB1A0375; Sun, 11 May 2014 14:56:16 -0700 (PDT)
Received: by mail-wi0-f172.google.com with SMTP id hi2so3571662wib.17 for <multiple recipients>; Sun, 11 May 2014 14:56:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type; bh=OHrmio9z+vis4e9EFVf1X/JyEgltml1vq55mpMHogFs=; b=XneW+tje68pMQJxAwoJ14J322QX6S44W6KFuSfQFo9+KAKSuWLbwuR8KE7HH/IUKqq P6HHCsQvObPcc0YhW1dSAalxaM18E7eXi2fV0KpUtilOMXXPDCNbNh+FGPNC6BlEb6un 0lKjJg3CUL9O+4v0eaDSjwM9wNQGsAW56D4KDU/6L2n19jf5l3eotP900U/b3Mj8a6UD Nqw6bxAl8c86E+ynaKH2My7yJJlrl0/MeJEn1Kk7Ct2sfd7GSOyDp0eZ4ZBVshma8h03 fuun//4AOj0Ctfb3ReN+AR/AgE0ccfiM+wH8PDIVUB2eFsgtgeeKRuZdLYBAXJjllnbo OgqQ==
MIME-Version: 1.0
X-Received: by 10.180.75.110 with SMTP id b14mr12822500wiw.43.1399845370549; Sun, 11 May 2014 14:56:10 -0700 (PDT)
Received: by 10.216.100.197 with HTTP; Sun, 11 May 2014 14:56:10 -0700 (PDT)
Date: Sun, 11 May 2014 17:56:10 -0400
Message-ID: <CANTg3aArOMXaXdj3xeTB__C4AH6nWr3-dy7UKZyGmTZ0Ea9+Tg@mail.gmail.com>
From: Matthew Lepinski <mlepinski.ietf@gmail.com>
To: "secdir@ietf.org" <secdir@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, draft-ietf-radext-dtls.all@tools.ietf.org, draft-ietf-salud-alert-info-urns.all@ietf.org
Content-Type: multipart/alternative; boundary=f46d043be2280d5bc404f926e6ef
Archived-At: http://mailarchive.ietf.org/arch/msg/secdir/Y6R3DQpZAMgwxp82_NDO2-Dugu0
Subject: [secdir] SECDIR Review of Draft-ietf-salud-alert-info-urns-12
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 11 May 2014 21:56:20 -0000

I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG. These
comments were written primarily for the benefit of the security area
directors. Document editors and WG chairs should treat these comments just
like any other last call comments.

The base Sip specification (RFC 3261) includes an Alert-Info header field
that may reference an audio file to be rendered to the user as a ring tone
or ringback tone. Draft-ietf-salud-alert-info-urns updates RFC 3261 to
allow the Alert-info feel to include a URN that indicates the type of ring
tone or ringback tone that is appropriate for the current call, and then
the user agent can use this URN to select an appropriate alert to render to
the user (e.g., based on the capabilities of user's device and the user's
preferences).

>From a security point of view, the mechanism specified in this document is
very desirable, since it eliminates the potential security concerns
associated with a request to fetch and render an arbitrary audio file
provided by a (potentially untrusted) remote system.

This document is generally ready for publication. I agree with the authors
that specified usage of the new alert URN namespace does not raise
significant new security concerns. However, I have one minor concern about
the security considerations text, which I discuss below.

The authors correctly note that the use particular alert indicators (that
might reasonably be provisioned within this namespace) may introduce
privacy concerns. For example, the alert-info value might reasonably
include information about the calling party, the calling party's location
(e.g., local vs international) or the calling party's device. (Note that in
many cases there will be as much or more information about the calling
party in other SIP headers, but it is definitely worth noting that this is
a header field where privacy-relevant information may reside.)

Therefore, the security considerations text goes on to say "Such provision
SHALL always be explicitly authorized by the party (caller or callee) the
information in the 'alert' URN refers to."

I find the above text somewhat confusing, and I would appreciate it the
authors could add a bit of text to clarify what they mean. Does this
sentence mean that if I am implementing a User-Agent that I MUST NOT
include any URN in the alert-info field without an explicit authorization
from the user? Or perhaps it means that certain categories of alert URNs
(the privacy-relevant ones) MUST NOT be included in the alert-info field
without an explicit authorization from the user? (If this is the case, then
obviously a bit of guidance is needed with regards to which types of alert
URNs require explicit user authorization).

Furthermore, I believe that the above sentence means that if I am
implementing a proxy that I MUST NOT add any alert URN to an outgoing (or
incoming) call without explicit authorization from the user. (Or again,
perhaps it only means certain privacy-relevant alert URNs). I think this
paragraph would be more clear if there were separate normative statement
for the behavior of proxies and user agents.

That is, for these type of privacy considerations, I think it is very
helpful to be very clear/explicit about what information various entities
are allowed to put into this header field (without authorization from the
user).

As I final note, it might be reasonable to add a sentence that
reminds implementers that due to the potential privacy implications of the
alert-info header field that when this header is included (or perhaps when
certain categories of alert URNs are placed in this header field), the SIP
message SHOULD be protected via TLS. However, I understand that: (1) There
are a number of practical impediments to the use of TLS to protect SIP
traffic; and (2) Given the privacy-relevant information that is likely
contained in other SIP headers, the recommendation to use TLS is in now
ways specific to the presence of the alert-info field. Therefore, although
I think a reminder to use TLS when possible might be appropriate, I can
understand why the authors might reasonably chose to leave out such text.