IETF Logo Mail Archive

Re: [secdir] draft-ietf-geopriv-policy-uri-02

Richard Barnes <rbarnes@bbn.com> Sun, 30 October 2011 20:19 UTC

Return-Path: <rbarnes@bbn.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E694721F867F; Sun, 30 Oct 2011 13:19:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.599
X-Spam-Level:
X-Spam-Status: No, score=-106.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D21xJY-2Igxm; Sun, 30 Oct 2011 13:19:44 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.1.81]) by ietfa.amsl.com (Postfix) with ESMTP id 51B3221F85AE; Sun, 30 Oct 2011 13:19:44 -0700 (PDT)
Received: from [128.89.254.112] (port=52600) by smtp.bbn.com with esmtps (TLSv1:AES128-SHA:128) (Exim 4.74 (FreeBSD)) (envelope-from <rbarnes@bbn.com>) id 1RKbr4-0007Om-SY; Sun, 30 Oct 2011 16:19:43 -0400
Mime-Version: 1.0 (Apple Message framework v1251.1)
Content-Type: text/plain; charset="us-ascii"
From: Richard Barnes <rbarnes@bbn.com>
In-Reply-To: <4EAD53ED.60802@hyperthought.com>
Date: Sun, 30 Oct 2011 21:19:40 +0100
Content-Transfer-Encoding: quoted-printable
Message-Id: <EA2977ED-9021-4929-9341-F235C40C84D7@bbn.com>
References: <4EAD53ED.60802@hyperthought.com>
To: "Scott G. Kelly" <scott@hyperthought.com>
X-Mailer: Apple Mail (2.1251.1)
Cc: draft-ietf-geopriv-policy-uri.all@tools.ietf.org, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] draft-ietf-geopriv-policy-uri-02
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 30 Oct 2011 20:19:45 -0000

Hi Scott,

Thanks for the review.  Couple of comments inline.

> I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.
> 
> This review is a little late -- sorry for the delay. From the abstract, "This document extends the current location configuration protocols to provide hosts with a reference to the rules that are applied to a URI, so that the host can view or set these rules." Specifically, it allows the host to view, set, or change privacy rules associated with its location URIs.
> 
> The document is well-written, and contains a security considerations section that addresses associated protocol threats. That section references two "classes of risks": risk of unauthorized disclosure of the protected resource, and risk of disclosure of the policy information itself.
> 
> Why isn't unauthorized manipulation of the policy information also listed as a risk? Actually, the second paragraph of the security considerations addresses this, ("The mechanism also needs to ensure that only authorized entities are able to acquire or alter policy."), but subsequent text seems to indicate that if the policy URI is not kept secret, there are no further protections.

Since we're talking about access control policy here, the effect of "manipulation of the policy information" is precisely "unauthorized disclosure of the protected resource".  Does that clear thing sup?


> Am I missing something here, or is secrecy of the URI really the only protection against unauthorized policy manipulation? I have to admit that I have no experience with these protocols, and it may be that this is addressed elsewhere (or truly doesn't matter), but it does feel a bit off.


You're exactly right in that understanding.  The idea is that a policy URI is already controlling access control policy on something, so we didn't want to have access control policies for who can access policy URIs (turtles all the way down).  That's the reason for all the text about keeping the policy URI secret.

Thanks for the review,
--Richard

v2.23.0 | Report a Bug | By Email