Re: [secdir] SECDIR review of draft-kyzivat-case-sensitive-abnf

Paul Kyzivat <pkyzivat@alum.mit.edu> Wed, 10 September 2014 21:07 UTC

Return-Path: <pkyzivat@alum.mit.edu>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D826B1A9143 for <secdir@ietfa.amsl.com>; Wed, 10 Sep 2014 14:07:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.235
X-Spam-Level:
X-Spam-Status: No, score=-1.235 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_SOFTFAIL=0.665] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Zhqcxv6yjgXC for <secdir@ietfa.amsl.com>; Wed, 10 Sep 2014 14:07:47 -0700 (PDT)
Received: from qmta13.westchester.pa.mail.comcast.net (qmta13.westchester.pa.mail.comcast.net [IPv6:2001:558:fe14:44:76:96:59:243]) by ietfa.amsl.com (Postfix) with ESMTP id 103011A9248 for <secdir@ietf.org>; Wed, 10 Sep 2014 14:07:45 -0700 (PDT)
Received: from omta03.westchester.pa.mail.comcast.net ([76.96.62.27]) by qmta13.westchester.pa.mail.comcast.net with comcast id pY341o0020bG4ec5DZ7lPk; Wed, 10 Sep 2014 21:07:45 +0000
Received: from Paul-Kyzivats-MacBook-Pro.local ([50.138.229.151]) by omta03.westchester.pa.mail.comcast.net with comcast id pZ7k1o0073Ge9ey3PZ7kvT; Wed, 10 Sep 2014 21:07:45 +0000
Message-ID: <5410BDA0.7050305@alum.mit.edu>
Date: Wed, 10 Sep 2014 17:07:44 -0400
From: Paul Kyzivat <pkyzivat@alum.mit.edu>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: Chris Lonvick <lonvick.ietf@gmail.com>, iesg@ietf.org, secdir@ietf.org, draft-kyzivat-case-sensitive-abnf.all@tools.ietf.org
References: <540A3309.90802@gmail.com>
In-Reply-To: <540A3309.90802@gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comcast.net; s=q20140121; t=1410383265; bh=wSj3tga9g9b07yroRWrQSBgMHYTKJEVMF4P3Q6pa5Qk=; h=Received:Received:Message-ID:Date:From:MIME-Version:To:Subject: Content-Type; b=hQ/xBL4gHB7KDypPPwXjpwGfJdtbSk2C8p8ykvQ88wpayhDlyU+EZQCzSB5zqwxo8 SkAZ83ziFPM5wY1UPs3cBrnzHAZd60rrQRHrVVExkKcfDIQzxfykzWYP1TKYkzJrUn X71ibTvGRytslmlFE4pmbWnRsLzhAR1H0xM+K14Mt4zDupPEFCO1A5ZTv9qym9yYVx slQWrBav51M+7c3C5LuAfAfB3bIdA+f1ko4xh77ahaPuj5DizV/klvayE9pI/jBp9W Q9MWsbYVU0QqBHJIq4idQWA6MAA0ihIc97cO4L4hv93hPC1WpUM6iLoZBNyJx7iq0D 5OJPnTZ+B+Ukw==
Archived-At: http://mailarchive.ietf.org/arch/msg/secdir/v9iu-DwBiRjxrv44RC0xUz_s1ig
Subject: Re: [secdir] SECDIR review of draft-kyzivat-case-sensitive-abnf
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Sep 2014 21:07:49 -0000

Chris,

Based on discussions in this thread I've posted an -02 version that 
hopefully addresses all of your comments.

	Thanks,
	Paul

On 9/5/14 6:02 PM, Chris Lonvick wrote:
> Hi,
>
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the IESG.
> These comments were written primarily for the benefit of the security
> area directors. Document editors and WG chairs should treat these
> comments just like any other last call comments.
>
> The abstract is:
>
>     This document extends the base definition of ABNF (Augmented Mackus-
>     Naur Form) to include a way to specify ASCII string literals that are
>     matched in a case-sensitive manner.
>
>
> Overall, I don't like the statement in the Security Considerations
> section, but it is consistent with all other documents related to
> defining ABNF, and I can't find any noteworthy security issues anyway.
>  From that, I have no objection to moving this document forward.
>
> I did find some nits and have some suggestions for improving readability.
>
> 1 - "Mackus-Naur" is used in two places rather than "Backus-Naur".
>
> 2 - The last sentence of section 2.1 is:
>
>     This mechanism has a clear readability
>     disadvantage, with respect to using a literal text string with a
>     prefix, and new the prefix mechanism is preferred.
>
>
> Perhaps you meant:
>     This mechanism of using a literal text string with a prefix has a clear
>     readability disadvantage.  The prefix mechanism described in this
>     specification can be much more easily read.
>
>
> 3 - This part of Section 2.1 may be cleared up some:
>   ---vvv---
>
> If no prefix is present then the string is case-insensitive.
>
>     Hence:
>
>           rulename = %i"aBc"
>
>     and:
>
>           rulename = "abc"
>
>     will both match "abc", "Abc", "aBc", "abC", "ABc", "aBC", "AbC", and
>     "ABC".
>
>
>   ---^^^---
>
>   Suggested:
>    ---vvv---
>       To be consistent with current implementations of ABNF, having no
>       prefix means that the string is case-insensitive, and is equivalent
>       to having the "%i" prefix.
>
>     Hence:
>
>           rulename = %i"aBc"
>
>     and:
>
>           rulename = "abc"
>
>     are equivalent and both will match "abc", "Abc", "aBc", "abC", "ABc",
>     "aBC", "AbC", and "ABC".
> ---^^^---
>
> Best regards,
> Chris
>