Re: [secdir] Security review of draft-hodges-webauthn-registries-05

Roman Danyliw <rdd@cert.org> Tue, 19 May 2020 17:56 UTC

Return-Path: <rdd@cert.org>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A085E3A0DCF; Tue, 19 May 2020 10:56:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cert.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8_JXIyYc_WOo; Tue, 19 May 2020 10:56:06 -0700 (PDT)
Received: from veto.sei.cmu.edu (veto.sei.cmu.edu [147.72.252.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2A2083A0DC9; Tue, 19 May 2020 10:56:05 -0700 (PDT)
Received: from korb.sei.cmu.edu (korb.sei.cmu.edu [10.64.21.30]) by veto.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id 04JHu4eJ005162; Tue, 19 May 2020 13:56:04 -0400
DKIM-Filter: OpenDKIM Filter v2.11.0 veto.sei.cmu.edu 04JHu4eJ005162
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cert.org; s=yc2bmwvrj62m; t=1589910964; bh=rm/kOk8u+UFntsZ+81oGMxC4kliB6yyQzuRcb0voq48=; h=From:To:CC:Subject:Date:References:In-Reply-To:From; b=gR9g0PaV2ssjuPDJfbqrF77HFNvOiAu6V8X//cg9wWeDig6YceiIEQz+0YiYRiSJK ELiz1qoDQZfctvnoZMvhvK6iA6cYU/LnHfg8mXQ3q98nDJYwks6wbC7A5p5E+RF6Pe y9Fuv/fPNT6qgSs+EcTWO4Ey7yYJjSZRgDupJ664=
Received: from CASSINA.ad.sei.cmu.edu (cassina.ad.sei.cmu.edu [10.64.28.249]) by korb.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id 04JHtxmq013453; Tue, 19 May 2020 13:55:59 -0400
Received: from MURIEL.ad.sei.cmu.edu (147.72.252.47) by CASSINA.ad.sei.cmu.edu (10.64.28.249) with Microsoft SMTP Server (TLS) id 14.3.487.0; Tue, 19 May 2020 13:55:59 -0400
Received: from MORRIS.ad.sei.cmu.edu (147.72.252.46) by MURIEL.ad.sei.cmu.edu (147.72.252.47) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1847.3; Tue, 19 May 2020 13:55:59 -0400
Received: from MORRIS.ad.sei.cmu.edu ([fe80::555b:9498:552e:d1bb]) by MORRIS.ad.sei.cmu.edu ([fe80::555b:9498:552e:d1bb%22]) with mapi id 15.01.1847.007; Tue, 19 May 2020 13:55:58 -0400
From: Roman Danyliw <rdd@cert.org>
To: Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org>, Hilarie Orman <hilarie@purplestreak.com>
CC: "draft-hodges-webauthn-registries.all@ietf.org" <draft-hodges-webauthn-registries.all@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Thread-Topic: Security review of draft-hodges-webauthn-registries-05
Thread-Index: AdYqHkFswnU29etfSlas2pmc9tnnCQAM5hyAAO0RE5A=
Date: Tue, 19 May 2020 17:55:58 +0000
Message-ID: <775e5075c6a048db865c752ac8fc5506@cert.org>
References: <MN2PR00MB0686DD46C2E7EA5611233537F5BC0@MN2PR00MB0686.namprd00.prod.outlook.com> <MN2PR00MB0686758F6A2235D30E23778EF5BC0@MN2PR00MB0686.namprd00.prod.outlook.com>
In-Reply-To: <MN2PR00MB0686758F6A2235D30E23778EF5BC0@MN2PR00MB0686.namprd00.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.64.202.68]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/mvrM0MIgPCBg68y67snpYDobowM>
Subject: Re: [secdir] Security review of draft-hodges-webauthn-registries-05
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 May 2020 17:56:10 -0000

Hi Hilarie, thank you for this review.  

Hi Mike, thank you for incorporating the feedback.  

I entered a No Objection ballot.

Regards,
Roman

> -----Original Message-----
> From: iesg <iesg-bounces@ietf.org> On Behalf Of Mike Jones
> Sent: Thursday, May 14, 2020 4:43 PM
> To: Hilarie Orman <hilarie@purplestreak.com>om>; kaduk@mit.edu
> Cc: draft-hodges-webauthn-registries.all@ietf.org; iesg@ietf.org;
> secdir@ietf.org
> Subject: RE: Security review of draft-hodges-webauthn-registries-05
> 
> The duplicate URI has been removed from https://tools.ietf.org/html/draft-
> hodges-webauthn-registries-07#section-6.2.  We should be good to go now!
> 
> 				Thanks again,
> 				-- Mike
> 
> -----Original Message-----
> From: Mike Jones
> Sent: Thursday, May 14, 2020 11:34 AM
> To: Hilarie Orman <hilarie@purplestreak.com>
> Cc: secdir@ietf.org; iesg@ietf.org; kaduk@mit.edu; draft-hodges-webauthn-
> registries.all@ietf.org
> Subject: RE: Security review of draft-hodges-webauthn-registries-05
> 
> Oh, I see what you mean now.  I didn't realize that the tool wouldn't coalesce
> multiple instances of the same URI to a single reference.  I'll do something to
> eliminate the duplication now.
> 
> 				Thanks again,
> 				-- Mike
> 
> -----Original Message-----
> From: Hilarie Orman <hilarie@purplestreak.com>
> Sent: Thursday, May 14, 2020 10:23 AM
> To: Mike Jones <Michael.Jones@microsoft.com>
> Cc: secdir@ietf.org; iesg@ietf.org; kaduk@mit.edu; draft-hodges-webauthn-
> registries.all@ietf.org
> Subject: RE: Security review of draft-hodges-webauthn-registries-05
> 
> The only nit, then, is that the URI was listed twice in section 6.2.  It is listed in
> entry 6 and entry 9.
> 
> Hilarie
> 
> >  Thanks for the review, Hilarie.  My replies are inline below, prefixed by
> "Mike>".
> 
> >  -----Original Message-----
> >  From: Hilarie Orman <hilarie@purplestreak.com>
> >  Sent: Monday, April 27, 2020 9:42 PM
> >  To: iesg@ietf.org; secdir@ietf.org
> >  Cc: draft-hodges-webauthn-registries.all@ietf.org
> >  Subject: Security review of draft-hodges-webauthn-registries-05
> 
> >	  Security review of Registries for Web Authentication
> >		  draft-hodges-webauthn-registries-05
> 
> >  Do not be alarmed.  I generated this review of this document as part of the
> security directorate's ongoing effort to review all IETF documents being
> processed by the IESG.  These comments were written with the intent of
> improving security requirements and considerations in IETF drafts.  Comments
> not addressed in last call may be included in AD reviews during the IESG review.
> Document editors and WG chairs should treat these comments just like any
> other last call comments.
> 
> >  This document establishes two registries required for the W3C Web
> Authentication system.  The registries are for the WebAuthn Attestation
> Statement Format Identifier and the WebAuthn Extension Identifier.
> 
> >  When submitted, these entries must be approved by an "expert" based on
> the specification that defines the parameters of the entry.  This includes
> "security considerations", which is good.  I don't quite see how submission of a
> request for a new entry gets routed to an expert, how experts come into being,
> etc., but I suppose that is a W3C procedure.
> 
> >  A couple of nits.
> 
> >  This url is listed twice in the URIs:
> >  https://www.iana.org/assignments/webauthn
> >  but it does not exist.  I expected at least a TBD message, unless the address
> itself is a placeholder.
> 
> >  Mike> The draft includes this TBD text "[[ Per discussions in an email thread
> between the authors and IANA ( "[IANA #1154148]" ), it is requested that the
> registries be located at <https://www.iana.org/assignments/webauthn>. RFC
> Editor - please delete this request after the registries have been created. ]]"
> before the two occurrences that you cite.
> 
> >  In 2.1
> >  "The Experts(s) MAY also designate attestation
> >     statement formats as proprietary if they lack complete
> >     specifications, and will assign a prefix indicating as such to the
> >     identifier."
> >  It is not clear what the format of that prefix is or how indicates "as such".  Is
> that an indication that it is proprietary or (and?) that it is incomplete?
> 
> >  Mike>  The text you cited is unnecessary for the purposes of the specification
> and will be deleted.
> 
> >  Hilarie
> 
> >  Mike> You can see proposed updated source for -06 at
> https://github.com/w3c/webauthn/pull/1415 .
> 
> >				   Thanks again,
> >				   -- Mike