[secdir] SecDir review of draft-ietf-appsawg-about-uri-scheme

Warren Kumari <warren@kumari.net> Tue, 01 May 2012 21:03 UTC

Return-Path: <warren@kumari.net>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id ACDA621E80F6; Tue, 1 May 2012 14:03:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.544
X-Spam-Status: No, score=-106.544 tagged_above=-999 required=5 tests=[AWL=0.055, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id dw2solkldeGz; Tue, 1 May 2012 14:03:31 -0700 (PDT)
Received: from vimes.kumari.net (vimes.kumari.net []) by ietfa.amsl.com (Postfix) with ESMTP id 3A43B21E8053; Tue, 1 May 2012 14:03:31 -0700 (PDT)
Received: from dhcp-172-19-119-246.cbf.corp.google.com (unknown []) by vimes.kumari.net (Postfix) with ESMTPSA id 7CFCF1B40098; Tue, 1 May 2012 17:03:30 -0400 (EDT)
From: Warren Kumari <warren@kumari.net>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Date: Tue, 1 May 2012 17:03:28 -0400
Message-Id: <B85D2730-FB02-4AF6-9C32-FBB0F7509670@kumari.net>
To: draft-ietf-appsawg-about-uri-scheme.all@tools.ietf.org
Mime-Version: 1.0 (Apple Message framework v1084)
X-Mailer: Apple Mail (2.1084)
Cc: IESG IESG <iesg@ietf.org>, secdir@ietf.org
Subject: [secdir] SecDir review of draft-ietf-appsawg-about-uri-scheme
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 May 2012 21:03:31 -0000


Do not be alarmed...
I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

This document codifies an existing mechanism, used by lots of browsers. It creates a registry for specific about:<something> tokens, where the only (currently) defined token is "blank", which, surprisingly enough, brings up a blank page...

The "Security Considerations" section exists, and is well written. It punts much of the security to the application -- IMO this is the correct thing to do in this case.