[secdir] SecDir revirw of draft-reschke-webdav-post-06

Stefan Santesson <stefan@aaa-sec.com> Wed, 28 April 2010 09:16 UTC

Return-Path: <stefan@aaa-sec.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 233BA3A6821 for <secdir@core3.amsl.com>; Wed, 28 Apr 2010 02:16:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.905
X-Spam-Level:
X-Spam-Status: No, score=0.905 tagged_above=-999 required=5 tests=[AWL=0.157, BAYES_50=0.001, HELO_EQ_SE=0.35, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=1.396, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LQ9Bakz3CKpa for <secdir@core3.amsl.com>; Wed, 28 Apr 2010 02:16:42 -0700 (PDT)
Received: from s87.loopia.se (s87.loopia.se [194.9.94.112]) by core3.amsl.com (Postfix) with ESMTP id 61A773A68C0 for <secdir@ietf.org>; Wed, 28 Apr 2010 02:16:31 -0700 (PDT)
Received: from s42.loopia.se (s34.loopia.se [194.9.94.70]) by s87.loopia.se (Postfix) with ESMTP id 19F83295265 for <secdir@ietf.org>; Wed, 28 Apr 2010 11:16:21 +0200 (CEST)
Received: (qmail 19783 invoked from network); 28 Apr 2010 09:16:17 -0000
Received: from unknown (HELO [192.168.1.3]) (stefan@fiddler.nu@[85.235.2.114]) (envelope-sender <stefan@aaa-sec.com>) by s42.loopia.se (qmail-ldap-1.03) with DES-CBC3-SHA encrypted SMTP for <iesg@ietf.org>; 28 Apr 2010 09:16:17 -0000
User-Agent: Microsoft-Entourage/12.24.0.100205
Date: Wed, 28 Apr 2010 11:16:16 +0200
From: Stefan Santesson <stefan@aaa-sec.com>
To: <iesg@ietf.org>, <secdir@ietf.org>, <draft-reschke-webdav-post.all@tools.ietf.org>
Message-ID: <C7FDC980.A6AF%stefan@aaa-sec.com>
Thread-Topic: SecDir revirw of draft-reschke-webdav-post-06
Thread-Index: Acrms3RowQqEr07Et0mx5OXmAwiH4w==
Mime-version: 1.0
Content-type: multipart/alternative; boundary="B_3355298177_26142149"
Subject: [secdir] SecDir revirw of draft-reschke-webdav-post-06
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Apr 2010 09:16:43 -0000

I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG.  These
comments were written primarily for the benefit of the security area
directors.  Document editors and WG chairs should treat these comments just
like any other last call comments.

This document inherits the security considerations of WebDAV as well as XML.
RFC 4918 clearly identifies that WebDAV, through its nature of providing
users with capabilities to change and collect information from web servers,
introduces a number of security issues which need to be addressed through
means of protected and authenticated communication.

Rather than introducing completely new functions to WebDAV, the current
draft specifies the meaning existing functions as well as means of
discovering server support for this draft.

>From this perspective I canĀ¹t see that this draft introduce new risks that
are not already addressed in the security considerations section of this
draft or inherited sections form other documents (such as RFC 4918).

/Stefan Santesson