Date: Wed, 28 Apr 2010 11:16:16 +0200
From: Stefan Santesson <stefan@aaa-sec.com>
To: <iesg@ietf.org>, <secdir@ietf.org>,
 <draft-reschke-webdav-post.all@tools.ietf.org>
Message-ID: <C7FDC980.A6AF%stefan@aaa-sec.com>
Subject: [secdir] SecDir review of draft-reschke-webdav-post-06

I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG.  These
comments were written primarily for the benefit of the security area
directors.  Document editors and WG chairs should treat these comments just
like any other last call comments.

This document inherits the security considerations of WebDAV as well as XML.
RFC 4918 clearly identifies that WebDAV, through its nature of providing
users with capabilities to change and collect information from web servers,
introduces a number of security issues which need to be addressed through
means of protected and authenticated communication.

Rather than introducing completely new functions to WebDAV, the current
draft specifies the meaning of existing functions as well as means of
discovering server support for this draft.

From this perspective I can't see that this draft introduces new risks that
are not already addressed in the security considerations section of this
draft or inherited sections from other documents (such as RFC 4918).

/Stefan Santesson
