Re: [secdir] Review of draft-reschke-rfc2231-in-http-10.txt
Julian Reschke <julian.reschke@greenbytes.de> Mon, 01 March 2010 17:33 UTC
Return-Path: <julian.reschke@greenbytes.de>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2531228C3CB; Mon, 1 Mar 2010 09:33:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.249
X-Spam-Level:
X-Spam-Status: No, score=-2.249 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_DE=0.35]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O2aV2PUj9ErQ; Mon, 1 Mar 2010 09:33:53 -0800 (PST)
Received: from donbot.greenbytes.de (mail.greenbytes.de [217.91.35.233]) by core3.amsl.com (Postfix) with ESMTP id 384E528C159; Mon, 1 Mar 2010 09:33:52 -0800 (PST)
Received: from [192.168.1.119] (unknown [192.168.1.119]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by donbot.greenbytes.de (Postfix) with ESMTPSA id 7A461C4CA91; Mon, 1 Mar 2010 18:33:51 +0100 (CET)
Message-ID: <4B8BFA7D.5010603@greenbytes.de>
Date: Mon, 01 Mar 2010 18:33:49 +0100
From: Julian Reschke <julian.reschke@greenbytes.de>
Organization: greenbytes GmbH
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.0.4) Gecko/20060516 Thunderbird/1.5.0.4 Mnenhy/0.7.4.666
MIME-Version: 1.0
To: Tero Kivinen <kivinen@iki.fi>
References: <19335.45416.521059.570426@fireball.kivinen.iki.fi> <4B87D118.1090408@greenbytes.de> <19339.47272.515270.37133@fireball.kivinen.iki.fi>
In-Reply-To: <19339.47272.515270.37133@fireball.kivinen.iki.fi>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 8bit
Cc: httpbis-chairs@tools.ietf.org, Graham Klyne <GK@ninebynine.org>, iesg@ietf.org, secdir@ietf.org
Subject: Re: [secdir] Review of draft-reschke-rfc2231-in-http-10.txt
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Mar 2010 17:33:55 -0000
On 01.03.2010 13:52, Tero Kivinen wrote:
> ...
> Yes, but the impact of them is different. For example it does not
> really matter if the filename parameters having different languages
> differ, but there might be parameters where this really matters.
>
> As this document does not define any exact parameters, it might be
> enough to comment something like that "This document specifies way to
> transport multiple language variants for parameters, and such use
> might allow spoofing attacks, where different language versions of the
> same parameters do not match. Whether this attack is useful as an
> attack depends on the parameter specified."
>
> This way the one writing documents specifying parameters allowing
> multiple languages and specifying some kind processing on them will
> think whether this attack affects them or not.
> ...
Ack.
I'm tracking this at
<http://greenbytes.de/tech/webdav/draft-reschke-rfc2231-in-http-latest.html#rfc.issue.multiple-inst-spoofing>.
For now I have modified the Sec Considerations to:
-- snip --
5. Security Considerations
The format described in this document makes it possible to transport
non-ASCII characters, and thus enables character "spoofing"
scenarios, in which a displayed value appears to be something other
than it is.
Furthermore, there are known attack scenarios relating to decoding
UTF-8.
See Section 10 of [RFC3629] for more information on both topics.
In addition, this document specifies a way to transport multiple
language variants for a single parameter, and such use might allow
spoofing attacks, where different language versions of the same
parameter are not equivalent. Whether this attack is useful as an
attack depends on the parameter specified.
-- snip --
Please let me know whether this works for you (and thanks for the
concrete proposal).
>> It would be really great if we had a document that summarized common
>> security considerations, so that "higher-level" specs could just point
>> to individual parts of these.
>
> Such document would probably be so long that it would not be that
> useful. I think listing exact security considerations specific for
> this document in the security considerations section is better,
> altough for background information pointing to another document (like
> RFC 3629) is enough.
Of course it would be long :-). But by giving it the right granularity
other specs could just refer to the proper part.
For instance, do we really want all HTTP related specs have *different*
security considerations about DNS spoofing, poisoning, XSS, etc? Maybe
something to be discussed in Anaheim (Alexey?).
> ...
Best regards, Julian
--
<green/>bytes GmbH, Hafenweg 16, D-48155 Münster, Germany
Amtsgericht Münster: HRB5782
- [secdir] Review of draft-reschke-rfc2231-in-http-… Tero Kivinen
- Re: [secdir] Review of draft-reschke-rfc2231-in-h… Julian Reschke
- Re: [secdir] Review of draft-reschke-rfc2231-in-h… Tero Kivinen
- Re: [secdir] Review of draft-reschke-rfc2231-in-h… Julian Reschke
- Re: [secdir] Review of draft-reschke-rfc2231-in-h… Graham Klyne
- Re: [secdir] Review of draft-reschke-rfc2231-in-h… Tero Kivinen