Re: [secdir] Secdir review of draft-ietf-6man-uri-zoneid-05

Brian E Carpenter <brian.e.carpenter@gmail.com> Fri, 23 November 2012 07:50 UTC

Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3030721F8872; Thu, 22 Nov 2012 23:50:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.581
X-Spam-Level:
X-Spam-Status: No, score=-101.581 tagged_above=-999 required=5 tests=[AWL=0.110, BAYES_00=-2.599, RCVD_ILLEGAL_IP=1.908, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uO12qe9XL1Ua; Thu, 22 Nov 2012 23:50:29 -0800 (PST)
Received: from mail-wg0-f44.google.com (mail-wg0-f44.google.com [74.125.82.44]) by ietfa.amsl.com (Postfix) with ESMTP id EF4F921F8878; Thu, 22 Nov 2012 23:50:27 -0800 (PST)
Received: by mail-wg0-f44.google.com with SMTP id dr13so299655wgb.13 for <multiple recipients>; Thu, 22 Nov 2012 23:50:17 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:organization:user-agent:mime-version:to:cc :subject:references:in-reply-to:content-type :content-transfer-encoding; bh=WXWx8xYSJskGtNJ+/mUriu5QwTEGpzbL5egm0LK47ck=; b=maVURukA4aEGD2sfryGqfrXKGE+NBIm2aloPX7Y0CUdfel1L3JDm8Fd3dbtzIXej9p oQ8oOTB2fAouyPR7TCQEBuhKClZNT/tARsqFnhyeAJOb0S6b/A0gW2Ch/Yuy75V4aJOs t5U4XIps7dv1RbjSCUB+isnO+rUFJhZCxmF7k1v4oKvbNioAe2mTEYvjKuDMPl/0ND1t I6EdLeuV7Ect73r5aDhd74xr6GLuqxEdCuTsU9l5BnVxegxXPelh9Yhs322rE49VCUoI RPUbQB0IPS5M6RaTtIJrWtuRu+QQDnIN6okaQik3Hi89fm4wgRwYxsR5eC7wv0HAmswu 3msA==
Received: by 10.180.87.40 with SMTP id u8mr8175462wiz.3.1353657016908; Thu, 22 Nov 2012 23:50:16 -0800 (PST)
Received: from [192.168.1.65] (host-2-102-219-114.as13285.net. [2.102.219.114]) by mx.google.com with ESMTPS id bn7sm8288510wib.8.2012.11.22.23.50.14 (version=SSLv3 cipher=OTHER); Thu, 22 Nov 2012 23:50:15 -0800 (PST)
Message-ID: <50AF2ABE.4020901@gmail.com>
Date: Fri, 23 Nov 2012 07:50:22 +0000
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: Radia Perlman <radiaperlman@gmail.com>
References: <CAFOuuo5SbxQL-mFx9MOmpFgRybTV0qcu7pXZTnvRE=3NVSh7xQ@mail.gmail.com>
In-Reply-To: <CAFOuuo5SbxQL-mFx9MOmpFgRybTV0qcu7pXZTnvRE=3NVSh7xQ@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Cc: draft-ietf-6man-uri-zoneid.all@tools.ietf.org, The IESG <iesg@ietf.org>, secdir@ietf.org
Subject: Re: [secdir] Secdir review of draft-ietf-6man-uri-zoneid-05
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Nov 2012 07:50:30 -0000

Thanks Radia.

The WG reached consensus on a SHOULD-based version. The whole issue
of browser behaviour is contentious, so changing to MUST would be
a WG issue, above my pay grade as a document editor. I will wait
for instructions.

Thnaks for the readability comments, we can work those in.

Regards
   Brian

On 23/11/2012 06:29, Radia Perlman wrote:
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG.  These comments were written primarily for the benefit of the
> security area directors.  Document editors and WG chairs should treat
> these comments just like any other last call comments.
> 
> This document provides syntax for specifying a port within a URI for an
> IPv6 link-local address.
> I find no security-specific issues with this draft, but I do think the
> clarity of the draft
> could be improved a lot, and also, I think that the draft allows options of
> what is or is not allowed,
> which could cause confusion for a human using this, since some strings will
> work sometimes.  I think it would
> be better to lock down what is and is not allowed.
> 
> I'm not fond of the term "zone identifier" (I had to do some Internet
> searching to figure out what it was). It would
> only take a sentence to explain it in this draft.  Admittedly, not many
> people will be reading this draft out of
> context (like me).
> 
> An example of where the wording is needlessly hard to read, and where I
> think the rule should be a MUST:
> 
> " A <zone_id> SHOULD contain only ASCII characters classified
>    in RFC 3986 <http://tools.ietf.org/html/rfc3986> as "unreserved", which
> conveniently excludes "]" in order
>    to simplify parsing."
> 
> That wording could mean that ] is reserved or it could mean that it is not
> reserved.
> Turns out (by referring to RFC 3986) "]" is actually reserved.
> And also, with my preference for specifying mandatory behavior rather than
> recommendation...
> perhaps saying something like
> 
> " A <zone_id> MUST NOT contain ASCII characters classified
>    in RFC 3986 <http://tools.ietf.org/html/rfc3986> as "reserved".  The
> character  "]" is reserved, so MUST NOT
>   be used in the zone ID.
> 
> 
> ---------
> Again,
>     "The rules in [RFC5952 <http://tools.ietf.org/html/rfc5952>] SHOULD be
> applied in producing URIs."
> Why not MUST be applied?
> 
> ----------
> "we recommend that URI parsers accept bare "%" signs...make it easy for a
> user to copy and
> paste a string..."
> 
> again, I'd think it would be better to specify what parsers MUST do, rather
> than saying some parsers
> can be more lenient, so that the same string will create the same behavior
> regardless of the implementation
> parsing it.
> 
> ---------
> similarly
> 
> "To limit this risk, implementations SHOULD NOT allow use of this
>    format except for well-defined usages such as sending to link local
>    addresses under prefix fe80::/10."
> 
> I'd think it would be better to say MUST NOT, and also, to specify what it
> should
> do if it receives such a thing.
> 
> Radia
>