[secdir] Secdir review of draft-op3ft-leaptofrogans-uri-scheme-03

Magnus Nyström <magnusn@gmail.com> Fri, 16 November 2018 08:48 UTC

References: <CADajj4Y82CwZSNC0pEYimpx4MGfDTfMD_LCzX5-Vnr1foe3vJA@mail.gmail.com>
In-Reply-To: <CADajj4Y82CwZSNC0pEYimpx4MGfDTfMD_LCzX5-Vnr1foe3vJA@mail.gmail.com>
From: =?UTF-8?Q?Magnus_Nystr=C3=B6m?= <magnusn@gmail.com>
Date: Thu, 15 Nov 2018 22:47:49 -1000
Message-ID: <CADajj4YdKOsi+huevbbugSzvKRv8bm_iX=abK-jb+5ykb1nzgw@mail.gmail.com>
To: secdir@ietf.org, draft-op3ft-leaptofrogans-uri-scheme@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/wu-Qq5EqatLlRWgh7R4LMX0RVKo>
Subject: [secdir] Secdir review of draft-op3ft-leaptofrogans-uri-scheme-03

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the IESG.
These comments were written primarily for the benefit of the security area
directors. Document editors and WG chairs should treat these comments just
like any other last call comments.

This document specifies the "leaptofrogans" URI scheme. Its security
considerations section provides a discussion of common URI risks and how
they apply to the frogans URIs. I do wonder a bit about the statement that
"[the] risk of confusion [due to the true address being hidden in the link
text visible to the user] is mitigated because Frogans Player must always
display the real Frogans address contained in the URI" - does this
necessarily also apply to "inbound" direction cases - i.e., when a regular
browser displays a link which allows the user to launch a frogans site?

(Unrelated, the "leaptofrogans" name seems long. The scheme part of URIs is
typically the name of a protocol or similar. In the frogans case, "fsdl"
comes to mind as I understand it to be the language used to create frogans
sites (I do not know what protocol is used to communicate with such sites).)
Thanks,
-- Magnus
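The "inbound" case the review asks about, as an added example that is not part of the review, the draft, or any Frogans software: a browser-side check that detects an anchor whose visible text hides a leaptofrogans: target and discloses the real address to the user before the hand-off to the Player. It assumes only that a leaptofrogans URI is the scheme name followed by an opaque Frogans address; the sample address "demo*example" is a constructed placeholder, and the helper names are hypothetical.

```javascript
// Added example (not from the secdir review or the draft): detect links whose
// visible text hides a leaptofrogans: target, and prompt with the real address.
//
// Assumption (not taken from the draft): a leaptofrogans URI is
// "leaptofrogans:" followed by an opaque Frogans address, which we do not
// interpret further.

// Parse an href into {scheme, target}; null if it carries no URI scheme.
function parseUri(href) {
  const m = /^([A-Za-z][A-Za-z0-9+.-]*):(.*)$/s.exec(href.trim());
  if (!m) return null;
  return { scheme: m[1].toLowerCase(), target: m[2] };
}

// Compare the real href with the text the user sees. Returns:
//   "not-frogans" - href is not a leaptofrogans: URI, nothing to do
//   "transparent" - the visible text already shows the real address
//   "hidden"      - the visible text does not show the real address
function classifyLink(href, visibleText) {
  const uri = parseUri(href);
  if (!uri || uri.scheme !== "leaptofrogans") return "not-frogans";
  const text = visibleText.trim();
  // Either the full URI or the bare Frogans address counts as transparent.
  if (text === href.trim() || text === uri.target) return "transparent";
  return "hidden";
}

// Message shown before leaving the browser, so the real address is disclosed
// on the inbound side as well as inside Frogans Player.
function confirmationMessage(href) {
  const uri = parseUri(href);
  return `This link opens the Frogans address "${uri.target}" in Frogans Player. Continue?`;
}

// Walk a document's anchors and require confirmation on the hidden ones.
// Returns the hrefs that were guarded (useful for logging or testing).
function guardFrogansLinks(doc) {
  const guarded = [];
  for (const a of doc.querySelectorAll("a[href]")) {
    const href = a.getAttribute("href");
    if (classifyLink(href, a.textContent) !== "hidden") continue;
    a.addEventListener("click", (ev) => {
      if (!doc.defaultView.confirm(confirmationMessage(href))) ev.preventDefault();
    });
    guarded.push(href);
  }
  return guarded;
}

// Constructed sample links for a stand-alone run without a DOM.
const SAMPLE_LINKS = [
  ["https://example.com/", "https://example.com/"],
  ["leaptofrogans:demo*example", "leaptofrogans:demo*example"],
  ["leaptofrogans:demo*example", "Visit our website"],
];

function classifySamples() {
  return SAMPLE_LINKS.map(([href, text]) => classifyLink(href, text));
}
```

In a page, `guardFrogansLinks(document)` would run once after the DOM is ready; the classification treats the scheme case-insensitively, as URI schemes are, so an upper-case "LEAPTOFROGANS:" href is still caught.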