Re: [secdir] Security review of draft-hodges-webauthn-registries-05
Roman Danyliw <rdd@cert.org> Tue, 19 May 2020 17:56 UTC
Return-Path: <rdd@cert.org>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A085E3A0DCF; Tue, 19 May 2020 10:56:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cert.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8_JXIyYc_WOo; Tue, 19 May 2020 10:56:06 -0700 (PDT)
Received: from veto.sei.cmu.edu (veto.sei.cmu.edu [147.72.252.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2A2083A0DC9; Tue, 19 May 2020 10:56:05 -0700 (PDT)
Received: from korb.sei.cmu.edu (korb.sei.cmu.edu [10.64.21.30]) by veto.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id 04JHu4eJ005162; Tue, 19 May 2020 13:56:04 -0400
DKIM-Filter: OpenDKIM Filter v2.11.0 veto.sei.cmu.edu 04JHu4eJ005162
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cert.org; s=yc2bmwvrj62m; t=1589910964; bh=rm/kOk8u+UFntsZ+81oGMxC4kliB6yyQzuRcb0voq48=; h=From:To:CC:Subject:Date:References:In-Reply-To:From; b=gR9g0PaV2ssjuPDJfbqrF77HFNvOiAu6V8X//cg9wWeDig6YceiIEQz+0YiYRiSJK ELiz1qoDQZfctvnoZMvhvK6iA6cYU/LnHfg8mXQ3q98nDJYwks6wbC7A5p5E+RF6Pe y9Fuv/fPNT6qgSs+EcTWO4Ey7yYJjSZRgDupJ664=
Received: from CASSINA.ad.sei.cmu.edu (cassina.ad.sei.cmu.edu [10.64.28.249]) by korb.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id 04JHtxmq013453; Tue, 19 May 2020 13:55:59 -0400
Received: from MURIEL.ad.sei.cmu.edu (147.72.252.47) by CASSINA.ad.sei.cmu.edu (10.64.28.249) with Microsoft SMTP Server (TLS) id 14.3.487.0; Tue, 19 May 2020 13:55:59 -0400
Received: from MORRIS.ad.sei.cmu.edu (147.72.252.46) by MURIEL.ad.sei.cmu.edu (147.72.252.47) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1847.3; Tue, 19 May 2020 13:55:59 -0400
Received: from MORRIS.ad.sei.cmu.edu ([fe80::555b:9498:552e:d1bb]) by MORRIS.ad.sei.cmu.edu ([fe80::555b:9498:552e:d1bb%22]) with mapi id 15.01.1847.007; Tue, 19 May 2020 13:55:58 -0400
From: Roman Danyliw <rdd@cert.org>
To: Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org>, Hilarie Orman <hilarie@purplestreak.com>
CC: "draft-hodges-webauthn-registries.all@ietf.org" <draft-hodges-webauthn-registries.all@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Thread-Topic: Security review of draft-hodges-webauthn-registries-05
Thread-Index: AdYqHkFswnU29etfSlas2pmc9tnnCQAM5hyAAO0RE5A=
Date: Tue, 19 May 2020 17:55:58 +0000
Message-ID: <775e5075c6a048db865c752ac8fc5506@cert.org>
References: <MN2PR00MB0686DD46C2E7EA5611233537F5BC0@MN2PR00MB0686.namprd00.prod.outlook.com> <MN2PR00MB0686758F6A2235D30E23778EF5BC0@MN2PR00MB0686.namprd00.prod.outlook.com>
In-Reply-To: <MN2PR00MB0686758F6A2235D30E23778EF5BC0@MN2PR00MB0686.namprd00.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.64.202.68]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/mvrM0MIgPCBg68y67snpYDobowM>
Subject: Re: [secdir] Security review of draft-hodges-webauthn-registries-05
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 May 2020 17:56:10 -0000
Hi Hilarie, thank you for this review. Hi Mike, thank you for incorporating the feedback. I entered a No Objection ballot. Regards, Roman > -----Original Message----- > From: iesg <iesg-bounces@ietf.org> On Behalf Of Mike Jones > Sent: Thursday, May 14, 2020 4:43 PM > To: Hilarie Orman <hilarie@purplestreak.com>; kaduk@mit.edu > Cc: draft-hodges-webauthn-registries.all@ietf.org; iesg@ietf.org; > secdir@ietf.org > Subject: RE: Security review of draft-hodges-webauthn-registries-05 > > The duplicate URI has been removed from https://tools.ietf.org/html/draft- > hodges-webauthn-registries-07#section-6.2. We should be good to go now! > > Thanks again, > -- Mike > > -----Original Message----- > From: Mike Jones > Sent: Thursday, May 14, 2020 11:34 AM > To: Hilarie Orman <hilarie@purplestreak.com> > Cc: secdir@ietf.org; iesg@ietf.org; kaduk@mit.edu; draft-hodges-webauthn- > registries.all@ietf.org > Subject: RE: Security review of draft-hodges-webauthn-registries-05 > > Oh, I see what you mean now. I didn't realize that the tool wouldn't coalesce > multiple instances of the same URI to a single reference. I'll do something to > eliminate the duplication now. > > Thanks again, > -- Mike > > -----Original Message----- > From: Hilarie Orman <hilarie@purplestreak.com> > Sent: Thursday, May 14, 2020 10:23 AM > To: Mike Jones <Michael.Jones@microsoft.com> > Cc: secdir@ietf.org; iesg@ietf.org; kaduk@mit.edu; draft-hodges-webauthn- > registries.all@ietf.org > Subject: RE: Security review of draft-hodges-webauthn-registries-05 > > The only nit, then, is that the URI was listed twice in section 6.2. It is listed in > entry 6 and entry 9. > > Hilarie > > > Thanks for the review, Hilarie. My replies are inline below, prefixed by > "Mike>". > > > -----Original Message----- > > From: Hilarie Orman <hilarie@purplestreak.com> > > Sent: Monday, April 27, 2020 9:42 PM > > To: iesg@ietf.org; secdir@ietf.org > > Cc: draft-hodges-webauthn-registries.all@ietf.org > > Subject: Security review of draft-hodges-webauthn-registries-05 > > > Security review of Registries for Web Authentication > > draft-hodges-webauthn-registries-05 > > > Do not be alarmed. I generated this review of this document as part of the > security directorate's ongoing effort to review all IETF documents being > processed by the IESG. These comments were written with the intent of > improving security requirements and considerations in IETF drafts. Comments > not addressed in last call may be included in AD reviews during the IESG review. > Document editors and WG chairs should treat these comments just like any > other last call comments. > > > This document establishes two registries required for the W3C Web > Authentication system. The registries are for the WebAuthn Attestation > Statement Format Identifier and the WebAuthn Extension Identifier. > > > When submitted, these entries must be approved by an "expert" based on > the specification that defines the parameters of the entry. This includes > "security considerations", which is good. I don't quite see how submission of a > request for a new entry gets routed to an expert, how experts come into being, > etc., but I suppose that is a W3C procedure. > > > A couple of nits. > > > This url is listed twice in the URIs: > > https://www.iana.org/assignments/webauthn > > but it does not exist. I expected at least a TBD message, unless the address > itself is a placeholder. > > > Mike> The draft includes this TBD text "[[ Per discussions in an email thread > between the authors and IANA ( "[IANA #1154148]" ), it is requested that the > registries be located at <https://www.iana.org/assignments/webauthn>. RFC > Editor - please delete this request after the registries have been created. ]]" > before the two occurrences that you cite. > > > In 2.1 > > "The Experts(s) MAY also designate attestation > > statement formats as proprietary if they lack complete > > specifications, and will assign a prefix indicating as such to the > > identifier." > > It is not clear what the format of that prefix is or how indicates "as such". Is > that an indication that it is proprietary or (and?) that it is incomplete? > > > Mike> The text you cited is unnecessary for the purposes of the specification > and will be deleted. > > > Hilarie > > > Mike> You can see proposed updated source for -06 at > https://github.com/w3c/webauthn/pull/1415 . > > > Thanks again, > > -- Mike
- [secdir] Security review of draft-hodges-webauthn… Hilarie Orman
- Re: [secdir] Security review of draft-hodges-weba… Mike Jones
- Re: [secdir] Security review of draft-hodges-weba… Hilarie Orman
- Re: [secdir] Security review of draft-hodges-weba… Mike Jones
- Re: [secdir] Security review of draft-hodges-weba… Mike Jones
- Re: [secdir] Security review of draft-hodges-weba… Roman Danyliw