Re: [secdir] Security review of draft-hodges-webauthn-registries-05

Mike Jones <Michael.Jones@microsoft.com> Thu, 14 May 2020 18:34 UTC

From: Mike Jones <Michael.Jones@microsoft.com>
To: Hilarie Orman <hilarie@purplestreak.com>
CC: "secdir@ietf.org" <secdir@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, "kaduk@mit.edu" <kaduk@mit.edu>, "draft-hodges-webauthn-registries.all@ietf.org" <draft-hodges-webauthn-registries.all@ietf.org>
Date: Thu, 14 May 2020 18:34:13 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/gUYSVUexSswNmQGBZtcrcfQTMq4>

Oh, I see what you mean now.  I didn't realize that the tool wouldn't coalesce multiple instances of the same URI to a single reference.  I'll do something to eliminate the duplication now.

    Thanks again,
    -- Mike

-----Original Message-----
From: Hilarie Orman <hilarie@purplestreak.com> 
Sent: Thursday, May 14, 2020 10:23 AM
To: Mike Jones <Michael.Jones@microsoft.com>
Cc: secdir@ietf.org; iesg@ietf.org; kaduk@mit.edu; draft-hodges-webauthn-registries.all@ietf.org
Subject: RE: Security review of draft-hodges-webauthn-registries-05

The only nit, then, is that the URI was listed twice in section 6.2.  It is listed in entry 6 and entry 9.

Hilarie

>  Thanks for the review, Hilarie.  My replies are inline below, prefixed by "Mike>".

>  -----Original Message-----
>  From: Hilarie Orman <hilarie@purplestreak.com>
>  Sent: Monday, April 27, 2020 9:42 PM
>  To: iesg@ietf.org; secdir@ietf.org
>  Cc: draft-hodges-webauthn-registries.all@ietf.org
>  Subject: Security review of draft-hodges-webauthn-registries-05

>  Security review of Registries for Web Authentication
>  draft-hodges-webauthn-registries-05

>  Do not be alarmed.  I generated this review of this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written with the intent of improving security requirements and considerations in IETF drafts.  Comments not addressed in last call may be included in AD reviews during the IESG review.  Document editors and WG chairs should treat these comments just like any other last call comments.

>  This document establishes two registries required for the W3C Web Authentication system.  The registries are for the WebAuthn Attestation Statement Format Identifier and the WebAuthn Extension Identifier.

>  When submitted, these entries must be approved by an "expert" based on the specification that defines the parameters of the entry.  This includes "security considerations", which is good.  I don't quite see how submission of a request for a new entry gets routed to an expert, how experts come into being, etc., but I suppose that is a W3C procedure.

>  A couple of nits.

>  This url is listed twice in the URIs:
>  https://www.iana.org/assignments/webauthn
>  but it does not exist.  I expected at least a TBD message, unless the address itself is a placeholder.

>  Mike> The draft includes this TBD text "[[ Per discussions in an email thread between the authors and IANA ( "[IANA #1154148]" ), it is requested that the registries be located at <https://www.iana.org/assignments/webauthn>. RFC Editor - please delete this request after the registries have been created. ]]" before the two occurrences that you cite.

>  In 2.1
>  "The Experts(s) MAY also designate attestation
>     statement formats as proprietary if they lack complete
>     specifications, and will assign a prefix indicating as such to the
>     identifier."
>  It is not clear what the format of that prefix is or how it indicates "as such".  Is that an indication that it is proprietary or (and?) that it is incomplete?

>  Mike>  The text you cited is unnecessary for the purposes of the specification and will be deleted.

>  Hilarie

>  Mike> You can see proposed updated source for -06 at https://github.com/w3c/webauthn/pull/1415 .

>     Thanks again,
>     -- Mike