Re: [secdir] Security review of draft-ietf-calsify-rfc2447bis-10

Alexey Melnikov <alexey.melnikov@isode.com> Sun, 05 September 2010 22:25 UTC

Return-Path: <alexey.melnikov@isode.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 241FC3A686A; Sun, 5 Sep 2010 15:25:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.539
X-Spam-Level:
X-Spam-Status: No, score=-102.539 tagged_above=-999 required=5 tests=[AWL=0.060, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uCR9Qm850hLa; Sun, 5 Sep 2010 15:25:52 -0700 (PDT)
Received: from rufus.isode.com (rufus.isode.com [62.3.217.251]) by core3.amsl.com (Postfix) with ESMTP id B575B3A685B; Sun, 5 Sep 2010 15:25:51 -0700 (PDT)
Received: from [188.28.78.136] (188.28.78.136.threembb.co.uk [188.28.78.136]) by rufus.isode.com (submission channel) via TCP with ESMTPA id <TIQZCQBIEGdu@rufus.isode.com>; Sun, 5 Sep 2010 23:26:19 +0100
Message-ID: <4C8418DF.6010703@isode.com>
Date: Sun, 05 Sep 2010 23:25:35 +0100
From: Alexey Melnikov <alexey.melnikov@isode.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915
X-Accept-Language: en-us, en
To: Hilarie Orman <hilarie@purplestreak.com>
References: <201009022339.o82NdAic027378@fermat.rhmr.com>
In-Reply-To: <201009022339.o82NdAic027378@fermat.rhmr.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Cc: iesg@ietf.org, secdir@ietf.org
Subject: Re: [secdir] Security review of draft-ietf-calsify-rfc2447bis-10
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 05 Sep 2010 22:25:53 -0000

Hi Hilarie,

Hilarie Orman wrote:

>Security review of draft-ietf-calsify-rfc2447bis-10
>
>Do not be alarmed.  I have reviewed this document as part of the
>security directorate's ongoing effort to review all IETF documents
>being processed by the IESG.  These comments were written primarily
>for the benefit of the security area directors. Document editors and
>WG chairs should treat these comments just like any other review
>comments.
>  
>
Thank you for your review.

>The document describes the "iCalendar Message-Based Interoperability
>Protocol (iMIP)", a protocol for transmitting calendar events over
>SMTP.
>
>The security considerations are tied to authenticating the entity
>with the role of "Organizer" or "Attendee".  The authentication
>relies on MIME security for attaching signatures and public key
>certificates.  The SMTP sender is not relevant to the authentication.
>
>I'm slightly puzzled by the first step listed in "Security
>Considerations" about the steps needed to perform authentication.
>
>   1. Using the security mechanism compliant with [RFC-1847], determine
>   who signed the email message containing the iCalendar object. This is
>   the "signer".  Note that the signer is not necessarily the person
>   sending an e-mail message since an e-mail message can be forwarded.
>
>The confusion stems from the phrases "who signed the email message"
>and "the person sending".  Would "who signed the MIME calendar part"
>
Yes. I think saying "who signed the text/calendar body part ..." would 
be even better.

>and "the SMTP message sender" be more accurate?
>
Actually no. In general case SMTP message sender (i.e. the SMTP MAIL 
FROM value) has nothing to do with who is sending out the message (value 
of the message's Sender: header field). So this text is talking about 
the person associated with the Sender header field.

>  I think that MIME
>allows each part to have a different signer, and I think the protocol
>anticipates having MIME parts separated from the original SMTP message
>and forwarded in a different SMTP message.  If that's the case, the
>rephrasing would make sense to me.
>  
>
I would prefer to do the first change and not do anything about the second.

>There is an obvious slippery slope in the iCal "sent-by" parameter.
>It conflicts with the "organizer".  The receiver is left with a
>dilemna: to authenticate wrt to the "sent-by" entity,
>
I think this is the only viable option the way how calendaring and email 
is done today.

>or to insist on a signature by the "organizer".
>
>It seems to me that the "organizer"
>could have signed the event (including the "sent-by" parameter) in
>advance and given the MIME parts to the sender, so there is no need to
>trust the "sent-by" entity.
>
Delegation doesn't currently work this way and I don't think this is 
likely to change. When "sent-by" is used the organizer delegates all 
handling (out-of-band or using some kind of authorization) to another 
person. The organizer is not involved in creating the event. Think of 
this as a case when a boss tells her secretary to organize a meeting. 
The boss is not going to create the meeting event, sign it and send it 
to the secretary. If the boss does it, there is no reason to use 
"sent-by" at all, as the calendar event can be just sent out by the boss.

>Or, the receiver could have a list of
>trusted <sent-by, organizer> proxies in its local security policy.
>
This is more likely. For example if the organizer and the receiver are 
in the same organization.

Or the receiver can phone the organizer and ask if this was truly 
authorized (out-of-band verification).

>But, in general, I think that an event signed by an unknown or
>untrusted party should be given no special considertion --- it is the
>same as receiving an unsigned event, and "sent-by" is as irrelevant as
>the SMTP sender.
>
In absence of any other information about organizer authorizing the 
"sent-by", I agree.
But I think the existing text on this is adequate:

   It is possible to receive iMIP messages sent by someone working on
   behalf of another "Calendar User". This is determined by examining
   the "sent-by" parameter in the relevant "ORGANIZER" or "ATTENDEE"
   property.  [iCAL] and [iTIP] provide no mechanism to verify that a
   "Calendar User" has authorized someone else to work on their behalf.
   To address this security issue, implementations MUST provide
   mechanisms for the "Calendar Users" to make that decision before
   applying changes from someone working on behalf of a "Calendar User".
   One way to achieve this is to reject iMIP messages sent by users
   other than the "ORGANIZER" or the "ATTENDEE"s.

This covers the case "treat as untrusted".

   Another way is to
   prompt the user for confirmation.

   iMIP based calendaring is frequently deployed within a single ADMD
   (Administrative Domain) [RFC5598], with boundary filtering employed
   to restrict email calendaring flows to be inside the ADMD. This can
   help in minimizing malicious changes to calendaring messages in
   transit, as well as in making authorization decisions easier.

Please let me know if you think that some other text needs to be added, or that the quoted text needs to be modified.


Regards,
Alexey