Re: [secdir] secdir review of draft-ietf-precis-mappings-11

Takahiro Nemoto <t.nemo10@kmd.keio.ac.jp> Fri, 07 August 2015 02:14 UTC


Dear Mr. Scott:

Thank you for taking the time to review draft-ietf-precis-mappings-11.
We will add a reference to RFC7564 and modify Section 4, "Security Considerations", as follows.

4.  Security Considerations

  Detailed security considerations for PRECIS strings are discussed
  in the PRECIS framework specification [RFC7564].  This document
  inherits the considerations as well.

  As with Mapping Characters for IDNA2008 [RFC5895], this document
  suggests creating mappings that might cause confusion for some users
  while alleviating confusion in other users.  Such confusion is not
  covered in any depth in this document.

Regards,

--
Takahiro Nemoto
t.nemo10@kmd.keio.ac.jp

> On 2015/08/04 15:06, Scott G. Kelly <scott@hyperthought.com> wrote:
> 
> I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments.
> 
> The case and width mappings defined in the current PRECIS (Preparation, Enforcement, and Comparison of Internationalized Strings) framework do not handle other mappings (such as delimiter characters, special characters, and locale-dependent or context-dependent case). This short document aims to provide mapping guidelines for PRECIS profile designers.
> 
> I think this document is probably ready, but I would raise one question (below) for consideration of those more knowledgeable in this area.
> 
> I think the primary security issue with these mappings is that users may misinterpret them (e.g. see "IDN homograph attack" on wikipedia). The security considerations in this document say
> 
>   As with Mapping Characters for IDNA2008 [RFC5895], this document
>   suggests creating mappings that might cause confusion for some users
>   while alleviating confusion in other users.  Such confusion is not
>   covered in any depth in this document.
> 
> This seems a little terse, but it turns out that it matches the security considerations section of RFC5895 nearly word for word.
> 
> My question: should this also include a reference to the security considerations in RFC7564? I leave this to those who know more about 5895, 7564, and PRECIS.
> 
> --Scott
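An added example, not part of this thread or of the draft: a Python approximation of two PRECIS framework rules from RFC 7564, the width mapping rule (Halfwidth and Fullwidth Forms replaced by their decompositions) and the case mapping rule (Unicode Default Case Folding), applied to constructed string pairs. It shows the trade-off the Security Considerations text describes: some visually different strings are unified by the mappings, some users will be surprised by what gets unified (ß folding to ss), and cross-script look-alikes such as Cyrillic а beside Latin a are not addressed by mapping at all.

```python
import unicodedata

# Constructed example, not from the draft or the thread. It approximates two
# PRECIS framework rules (RFC 7564): the width mapping rule (characters in the
# Halfwidth and Fullwidth Forms block are replaced by their decompositions)
# and the case mapping rule (here, Unicode Default Case Folding).

FULLWIDTH_FIRST, FULLWIDTH_LAST = 0xFF00, 0xFFEF  # Halfwidth and Fullwidth Forms block


def width_map(s: str) -> str:
    """Replace halfwidth/fullwidth compatibility characters with their NFKC form."""
    return "".join(
        unicodedata.normalize("NFKC", ch) if FULLWIDTH_FIRST <= ord(ch) <= FULLWIDTH_LAST else ch
        for ch in s
    )


def case_map(s: str) -> str:
    """Unicode Default Case Folding; note that it folds U+00DF (ß) to 'ss'."""
    return s.casefold()


def precis_like_map(s: str) -> str:
    """Width mapping followed by case mapping, the order the framework applies them in."""
    return case_map(width_map(s))


def same_after_mapping(a: str, b: str) -> bool:
    """True when two strings compare equal once both have been mapped."""
    return precis_like_map(a) == precis_like_map(b)


def codepoints(s: str) -> str:
    """Render a string as space-separated U+XXXX code points for inspection."""
    return " ".join(f"U+{ord(ch):04X}" for ch in s)


if __name__ == "__main__":
    # Constructed sample pairs (left: what a user typed, right: the stored name).
    pairs = [
        ("ＡＤＭＩＮ", "admin"),   # fullwidth Latin letters: unified by mapping
        ("ﾃｽﾄ", "テスト"),         # halfwidth katakana: unified by width mapping
        ("Straße", "strasse"),     # case folding merges ß with ss; may surprise users
        ("\u0430dmin", "admin"),   # Cyrillic U+0430 looks like Latin 'a': not unified
    ]
    for typed, stored in pairs:
        print(f"{typed!r} ({codepoints(typed)}) -> {precis_like_map(typed)!r}; "
              f"equal to {stored!r}: {same_after_mapping(typed, stored)}")
```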