Re: [secdir] SecDir review of draft-ietf-calsify-2446bis-09

Yaron Sheffer <yaronf@checkpoint.com> Tue, 22 September 2009 21:48 UTC

Return-Path: <yaronf@checkpoint.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4159A3A69E8 for <secdir@core3.amsl.com>; Tue, 22 Sep 2009 14:48:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.5
X-Spam-Level:
X-Spam-Status: No, score=-2.5 tagged_above=-999 required=5 tests=[AWL=0.099, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FwW8OZ4UxFF6 for <secdir@core3.amsl.com>; Tue, 22 Sep 2009 14:48:06 -0700 (PDT)
Received: from dlpdemo.checkpoint.com (dlpdemo.checkpoint.com [194.29.32.54]) by core3.amsl.com (Postfix) with ESMTP id CB66B3A69F0 for <secdir@ietf.org>; Tue, 22 Sep 2009 14:46:57 -0700 (PDT)
X-CheckPoint: {4AB944EB-6-14201DC2-FFFF}
Received: by dlpdemo.checkpoint.com (Postfix, from userid 105) id CAD4D29C004; Wed, 23 Sep 2009 00:47:11 +0300 (IDT)
Received: from michael.checkpoint.com (michael.checkpoint.com [194.29.32.68]) by dlpdemo.checkpoint.com (Postfix) with ESMTP id 940A329C002; Wed, 23 Sep 2009 00:47:11 +0300 (IDT)
X-CheckPoint: {4AB944EB-0-14201DC2-FFFF}
Received: from il-ex01.ad.checkpoint.com (localhost [127.0.0.1]) by michael.checkpoint.com (8.12.10+Sun/8.12.10) with ESMTP id n8MLlASr019708; Wed, 23 Sep 2009 00:47:11 +0300 (IDT)
Received: from il-ex01.ad.checkpoint.com ([126.0.0.2]) by il-ex01.ad.checkpoint.com ([126.0.0.2]) with mapi; Wed, 23 Sep 2009 00:47:10 +0300
From: Yaron Sheffer <yaronf@checkpoint.com>
To: Cyrus Daboo <cyrus@daboo.name>, secdir <secdir@ietf.org>, "draft-ietf-calsify-2446bis.all@tools.ietf.org" <draft-ietf-calsify-2446bis.all@tools.ietf.org>
Date: Wed, 23 Sep 2009 00:47:07 +0300
Thread-Topic: SecDir review of draft-ietf-calsify-2446bis-09
Thread-Index: Aco7mkYE5V6mZaekRqOgE6+oPowwrAAMkC8Q
Message-ID: <7F9A6D26EB51614FBF9F81C0DA4CFEC80190AD3286D2@il-ex01.ad.checkpoint.com>
References: <7F9A6D26EB51614FBF9F81C0DA4CFEC80190AD328370@il-ex01.ad.checkpoint.com> <7236D8B61D923C0A53A03F7E@caldav.corp.apple.com>
In-Reply-To: <7236D8B61D923C0A53A03F7E@caldav.corp.apple.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [secdir] SecDir review of draft-ietf-calsify-2446bis-09
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Sep 2009 21:48:32 -0000

Hi Cyrus,

[removing IESG].

Thanks for accepting my review. Please see my remaining responses inline.

Thanks,
	Yaron

> -----Original Message-----
> From: Cyrus Daboo [mailto:cyrus@daboo.name]
> Sent: Tuesday, September 22, 2009 18:35
> To: Yaron Sheffer; secdir; iesg@ietf.org; draft-ietf-calsify-
> 2446bis.all@tools.ietf.org
> Subject: Re: SecDir review of draft-ietf-calsify-2446bis-09
> 
> Hi Yaron,
> Thank you for your review.
> 
> --On September 21, 2009 9:02:17 AM +0300 Yaron Sheffer
> <yaronf@checkpoint.com>; wrote:
> 
> > Reality Check
> >
> >
> >
> > If basing the entire security of the protocol on S/MIME may have been
> > reasonable in 1998, today this is almost meaningless. S/MIME is too
> > rarely used to protect mail in transit, and I would imagine its use to
> > protect calendaring is even less prevalent.
> 
> This is a good point. In fact with CalDAV we are doing iTIP scheduling
> over
> HTTP with SSL and S/MIME is not involved at all. Given Eliot's comment
> about the nature of iTIP (i.e. transport independence) at this point it
> may
> be best to remove the explicit MUST for S/MIME.
> 
[YS] Well in fact, having read the first paragraph of Sec. 15 of CalDAV, I would recommend that you add more depth to your use of SSL. Just saying "Servers and clients MUST use an HTTP connection protected with TLS as defined in [RFC2818] for all scheduling transactions" will not give you the security that you need. Things like how clients are authenticated, and what fields in the calendar objects must match which certificate fields.

> Proposal:
> 
> Section 6.2: remove the sentence:
> 
>    This may be accomplished using
>    public key technology, specifically Security Multiparts for MIME
>    [RFC1847] in the iTIP transport binding.
> 
> Section 6.2.1: change title to: "Securing iTIP transactions"
> 
> Change first sentence to:
> 
>    iTIP transport bindings MUST provide a mechanism to enable
> authentication of the
>    sender's identity, and privacy and integrity of the data being
>    transmitted.
> 
> The reference to 1847 would be removed entirely.


[YS] If there are still bindings that do use S/MIME, you might want to have "if S/MIME is used to provide these assurances..." and the rest of the existing subsection.
> 
> > Security
> >
> >
> >
> > - In Sec. 6.2, replace "encrypted" by "encrypted and
> > authenticated".
> 
> Fixed in my working copy.
> 
> > - An attack that is never mentioned is unauthorized creation of events.
> 
> > In many enterprise situations not everyone is authorized to invite the
> > CEO, for example. Similarly, there may be tight control over who is
> > allowed to delegate to whom. This obviously calls for an access control
> > mechanism, something that is never mentioned in the document.
> 
> Good point. In CalDAV scheduling
> (<http://tools.ietf.org/html/draft-desruisseaux-caldav-sched>) we have in
> fact used WebDAV ACL with a new set of privileges to allow just that. This
> actually goes a little beyond just access control. For example, with iMIP
> (email) there is no way to prevent someone from sending an iMIP message to
> someone else. In that case email filtering needs to be used to enforce
> restrictions. Whilst the specific details of how all that should work
> depends on the transport, something does need to be said in this document.
> Therefore I propose adding the following:
> 
> 6.2.3 Access Controls and Filtering
> 
>     In many environments there could be restrictions on who is allowed to
>     scheduled with whom, and who allowed delegates are for particular
>     calendar users.
> 
>     iTIP transport bindings SHOULD provide mechanisms for implementing
>     access controls or filtering to ensure iTIP transactions only take
>     place between authorized calendar users. That would include preventing
>     one calendar user from scheduling with another, or a calendar user
>     delegating to another.
[YS] Sounds good.
> 
> 
> 
> > Nits
> >
> >
> >
> > - 1.4: in table, objecy -> object
> >
> > - 3.2.5 and 3.4.5: is MUST -> MUST
> 
> Both fixed in my working copy.
> 
> --
> Cyrus Daboo
> 
> 
> Scanned by Check Point Total Security Gateway.

Email secured by Check Point

Email secured by Check Point