Re: [secdir] Review of draft-ietf-xcon-common-data-model-23.txt

Oscar Novo <oscar.novo@ericsson.com> Thu, 03 March 2011 14:23 UTC

Return-Path: <oscar.novo@ericsson.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id DE5DA3A67F9; Thu, 3 Mar 2011 06:23:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4NWYx2GwB0Du; Thu, 3 Mar 2011 06:23:08 -0800 (PST)
Received: from mailgw10.se.ericsson.net (mailgw10.se.ericsson.net [193.180.251.61]) by core3.amsl.com (Postfix) with ESMTP id 493F23A68AD; Thu, 3 Mar 2011 06:23:07 -0800 (PST)
X-AuditID: c1b4fb3d-b7bbbae000005311-21-4d6fa48e64bc
Received: from esessmw0237.eemea.ericsson.se (Unknown_Domain [153.88.253.125]) by mailgw10.se.ericsson.net (Symantec Mail Security) with SMTP id D9.1B.21265.E84AF6D4; Thu, 3 Mar 2011 15:24:14 +0100 (CET)
Received: from ESESSCMS0355.eemea.ericsson.se ([169.254.1.115]) by esessmw0237.eemea.ericsson.se ([153.88.115.90]) with mapi; Thu, 3 Mar 2011 15:24:12 +0100
From: Oscar Novo <oscar.novo@ericsson.com>
To: Tero Kivinen <kivinen@iki.fi>, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Date: Thu, 3 Mar 2011 15:24:11 +0100
Thread-Topic: Review of draft-ietf-xcon-common-data-model-23.txt
Thread-Index: AcvZo86eQ800UJ0oR5izK08lxz4OpwABgaFw
Message-ID: <58E207308662A748A4AC1ECB4E885614052D3DE6F2@ESESSCMS0355.eemea.ericsson.se>
References: <19823.37439.966900.314499@fireball.kivinen.iki.fi>
In-Reply-To: <19823.37439.966900.314499@fireball.kivinen.iki.fi>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Brightmail-Tracker: AAAAAA==
X-Mailman-Approved-At: Thu, 03 Mar 2011 07:34:33 -0800
Cc: "draft-ietf-xcon-common-data-model.all@tools.ietf.org" <draft-ietf-xcon-common-data-model.all@tools.ietf.org>
Subject: Re: [secdir] Review of draft-ietf-xcon-common-data-model-23.txt
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Mar 2011 14:23:10 -0000

Hello Tero,

Thank you very much for your comments. They're really valuable. 

The authors of this document understand the Security considerations as a general guidelines for the implementers, rather than a set of absolute requirement for this specification. It might be the case in some particular scenarios where the confidentiality can be ignored. For this reason, we decided not to impose confidentiality (using SHOULD instead of MUST) in the document and to leave that decision to the administrator of the conference.  

The same reason applies to the definition in this document of 'private elements'. Privacy is a subjective expectation and the definition of private elements in the conference depends very much on the context of such conference. As you point out, every country, company, association or entity would have a completely different meaning of privacy. For this reason, we just decided to suggest some control and integrity of the data ( by using access control rules) in the security section instead of imposing it:    

   In order to minimize these threats, the
   administrator of the conferencing system MUST ensure that only
   authorized users can connect to this database (e.g., by using access
   control rules).  In particular, the integrity of the database MUST be
   protected against unauthorized modifications.

Cheers,

Oscar

-----Original Message-----
From: Tero Kivinen [mailto:kivinen@iki.fi] 
Sent: 3. maaliskuuta 2011 15:06
To: iesg@ietf.org; secdir@ietf.org
Cc: draft-ietf-xcon-common-data-model.all@tools.ietf.org
Subject: Review of draft-ietf-xcon-common-data-model-23.txt

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments.

This document contains xml data model description for conference information. As this is data model and does not list any actual protocols to transmit those xml files its security considerations section is quite generic.

It does say that database access must be authorized (access control
rules) and that integrity of the database MUST be protected against unauthorized modifications. How this is done is left to the actual protocol documents.

It does NOT require confidentiality of the database, but instead says:

   The confidentiality of the database SHOULD be protected from
   unauthorized users, given that the data model contains a set of
   sensitive elements (e.g., passwords).  

I do not agree on that comment. If the data model contains sensitive elements like passwords I think the confidentiality MUST be protected from unauthorized users.

If it is possible that the data model does not contain any sensitive elements then I think the SHOULD could be enough. Also it does not specify what data in the data model is sensitive.

Also the security considerations section completely fails to address the fact that the database most likely also contain data that has privacy issues. For example the list of users participating the specific conference could be quite big privacy issue (for example some group of human rights people discussing issues about their own goverment). Note, that this also might require some discussion about the lifetime of the data in the database. I.e. when is the list of participants removed from the database and how long it is stored there.

In most countries there are specific laws protecting such information, so those might require preventing unauthorized access to the database.

Also as there is fields like provide-anonymity in the database which tells which user is mapped to which "anonymous" name for users to see, but if someone gets read access to the database that person can directly map those anonoymous users to their real identities.

I think the security consideation sections should include text about the privacy issues, and most likely mandate support for confidentiality of the database, and preventing unauthorized read access to it. 
--
kivinen@iki.fi