Re: [secdir] draft-ietf-geopriv-policy-uri-02
"Scott G. Kelly" <scott@hyperthought.com> Mon, 31 October 2011 12:17 UTC
Return-Path: <scott@hyperthought.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 870C421F8DB0 for <secdir@ietfa.amsl.com>; Mon, 31 Oct 2011 05:17:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.265
X-Spam-Level:
X-Spam-Status: No, score=-3.265 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rKijRWahjNvt for <secdir@ietfa.amsl.com>; Mon, 31 Oct 2011 05:17:45 -0700 (PDT)
Received: from smtp122.dfw.emailsrvr.com (smtp122.dfw.emailsrvr.com [67.192.241.122]) by ietfa.amsl.com (Postfix) with ESMTP id 017DB21F8D9E for <secdir@ietf.org>; Mon, 31 Oct 2011 05:17:44 -0700 (PDT)
Received: from localhost (localhost.localdomain [127.0.0.1]) by smtp12.relay.dfw1a.emailsrvr.com (SMTP Server) with ESMTP id F03F93C12D2; Mon, 31 Oct 2011 08:17:42 -0400 (EDT)
X-Virus-Scanned: OK
Received: by smtp12.relay.dfw1a.emailsrvr.com (Authenticated sender: scott-AT-hyperthought.com) with ESMTPSA id 4C5303C12D1; Mon, 31 Oct 2011 08:17:42 -0400 (EDT)
Message-ID: <4EAE91E5.8090908@hyperthought.com>
Date: Mon, 31 Oct 2011 05:17:41 -0700
From: "Scott G. Kelly" <scott@hyperthought.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:7.0.1) Gecko/20110929 Thunderbird/7.0.1
MIME-Version: 1.0
To: Richard Barnes <rbarnes@bbn.com>
References: <4EAD53ED.60802@hyperthought.com> <EA2977ED-9021-4929-9341-F235C40C84D7@bbn.com>
In-Reply-To: <EA2977ED-9021-4929-9341-F235C40C84D7@bbn.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: draft-ietf-geopriv-policy-uri.all@tools.ietf.org, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] draft-ietf-geopriv-policy-uri-02
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 31 Oct 2011 12:17:45 -0000
Hi Richard,
On 10/30/11 1:19 PM, Richard Barnes wrote:
> <trimmed...>
> Why isn't unauthorized manipulation of the policy information also listed as a risk? Actually, the second paragraph of the security considerations addresses this, ("The mechanism also needs to ensure that only authorized entities are able to acquire or alter policy."), but subsequent text seems to indicate that if the policy URI is not kept secret, there are no further protections.
> Since we're talking about access control policy here, the effect of "manipulation of the policy information" is precisely "unauthorized disclosure of the protected resource". Does that clear thing sup?
I see your point, but manipulation of policy information could also be
used to prevent/deny disclosure too. As I noted below, I have no
experience with these protocols, and this may not matter, but as a
reviewer, I think I should mention it.
>> Am I missing something here, or is secrecy of the URI really the only protection against unauthorized policy manipulation? I have to admit that I have no experience with these protocols, and it may be that this is addressed elsewhere (or truly doesn't matter), but it does feel a bit off.
>
> You're exactly right in that understanding. The idea is that a policy URI is already controlling access control policy on something, so we didn't want to have access control policies for who can access policy URIs (turtles all the way down). That's the reason for all the text about keeping the policy URI secret.
I didn't see any language suggesting that if one wishes to mitigate the
resulting exposure, these URIs should probably be short-lived. Is that
covered in one of the related docs? Again, not sure if this matters,
but as the boilerplate suggests, the purpose of these secdir reviews is
to let the security ADs (who presumably have much more context) know if
there's anything they should be aware of, so I pointed it out. Lacking
background and protocol expertise, I don't have any strong position of
my own on this.
--Scott
- [secdir] draft-ietf-geopriv-policy-uri-02 Scott G. Kelly
- Re: [secdir] draft-ietf-geopriv-policy-uri-02 Richard Barnes
- Re: [secdir] draft-ietf-geopriv-policy-uri-02 Scott G. Kelly
- Re: [secdir] draft-ietf-geopriv-policy-uri-02 Richard Barnes
- Re: [secdir] draft-ietf-geopriv-policy-uri-02 Scott G. Kelly