[secdir] Secdir review of draft-ietf-scim-core-schema-18

"Brian Weis (bew)" <bew@cisco.com> Mon, 04 May 2015 17:39 UTC

From: "Brian Weis (bew)" <bew@cisco.com>
To: The IESG <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Date: Mon, 4 May 2015 17:39:48 +0000
Message-ID: <97FFF87E-5CFC-42BB-90A8-29DBE30C7772@cisco.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/hlLZCmosHsh4PCuo1g8xp_SrpOM>
Cc: "draft-ietf-scim-core-schema.all@tools.ietf.org" <draft-ietf-scim-core-schema.all@tools.ietf.org>
Subject: [secdir] Secdir review of draft-ietf-scim-core-schema-18

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

For the security area directors, I consider this document to be "Ready with nits".

This document documents resources, a JSON schema for Cross-Domain Identity Management, a standard definition of attributes representing users and groups, and a set of named schemas incorporating these attributes. The goal of the document is to make identity management in cloud-based applications and services easier. This is used when identity information needs to be shared between services.

The Security Considerations (Section 9) in version 18 is reasonably clear in the first two sub-sections that there are risks to sensitive information defined in the schema; these sub-sections point to helpful text in draft-ietf-scim. It is much improved over version 17. I have a couple of comments suggesting clarification be added to the document.

Section 9.3 begins by stating the schema “defines attributes that MAY contain personally identifiable information as well as other sensitive data”. I don’t understand the “MAY”. Just about every attribute described in this document is arguably personally identifiable information (PII), since transporting PII between services seems to be the actual need for development of the schema. It seems more accurate to say “defines attributes that contain personally identifiable information as well as other sensitive data”. (Also “MAY” is intended to declare a part of the standard that is optional for an implementation, and I don’t see how that could apply here.)

Section 4.1.1 defines the “password” attribute as a “clear text password”. It is much safer to store and pass a salted and hashed password. Do none of the services using this schema support a method of hashing a user password to see if it matches a given hashed value? Or could this be an option in the schema definition? If so, it would be worth describing that here and in the Security Considerations section.
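The review's last point concerns what a receiving service does with a clear-text "password" attribute once it arrives. The following is an added illustration, not code from the review, the draft, or any SCIM implementation: it takes a constructed SCIM User resource, strips the clear-text password before the resource is stored, derives a salted PBKDF2-HMAC-SHA256 credential record in its place, and verifies a later login attempt against that record in constant time. The iteration count and the record layout are assumptions chosen for the example, not values the draft specifies.

```python
import hashlib
import hmac
import json
import os
from typing import Optional, Tuple

# Constructed sample SCIM User resource (not taken from the draft). The
# "password" attribute arrives in clear text on create/replace, as the
# review notes for section 4.1.1.
SAMPLE_USER_JSON = """{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "userName": "bjensen",
  "password": "correct horse battery staple"
}"""

# Assumed parameters for this example: a per-user random 16-byte salt and a
# PBKDF2 work factor in the range current guidance recommends for SHA-256.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Derive a storable credential record from a clear-text password.

    The record carries everything needed to re-derive the key later
    (algorithm name, iteration count, salt) plus the derived key itself,
    so the clear-text password never needs to be kept.
    """
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {
        "alg": "pbkdf2-sha256",
        "iterations": iterations,
        "salt": salt.hex(),
        "hash": dk.hex(),
    }


def verify_password(candidate: str, record: dict) -> bool:
    """Re-derive with the stored salt/iterations and compare in constant time."""
    dk = hashlib.pbkdf2_hmac(
        "sha256",
        candidate.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    # compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(dk, bytes.fromhex(record["hash"]))


def ingest_user(resource_json: str) -> Tuple[dict, Optional[dict]]:
    """Split an incoming User into the resource to store and a credential record.

    The clear-text password is removed from the resource before it is
    persisted or echoed back; only the salted hash record is retained.
    """
    resource = json.loads(resource_json)
    clear = resource.pop("password", None)
    credential = hash_password(clear) if clear is not None else None
    return resource, credential


if __name__ == "__main__":
    stored, cred = ingest_user(SAMPLE_USER_JSON)
    print("stored resource:", json.dumps(stored))
    print("credential record:", json.dumps(cred))
    print("correct password verifies:", verify_password("correct horse battery staple", cred))
    print("wrong password verifies:", verify_password("not the password", cred))
```

The point of the split in `ingest_user` is that the clear-text value exists only for the duration of the request; what is stored, and what any later GET could return, is the resource without the attribute, while the credential record on its own reveals nothing usable without the original password.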