Re: [secdir] secdir review of draft-ietf-calext-extensions-03

Cyrus Daboo <cyrus@daboo.name> Wed, 22 June 2016 17:07 UTC

Date: Wed, 22 Jun 2016 13:07:20 -0400
From: Cyrus Daboo <cyrus@daboo.name>
To: "Xialiang (Frank)" <frank.xialiang@huawei.com>, "'iesg@ietf.org'" <iesg@ietf.org>, "'secdir@ietf.org'" <secdir@ietf.org>, draft-ietf-calext-extensions.all@tools.ietf.org

Hi Xialiang,
Thank you for your review. Fixes described below have been made to my 
working copy and will be included in the next published draft.

--On June 22, 2016 at 1:39:06 AM +0000 "Xialiang (Frank)" 
<frank.xialiang@huawei.com> wrote:

> Below is a series of my comments, nits for your consideration.
>
> comments:
> section 7
> 1. This section covers the possible new threats brought by new properties
> and parameters, but does not mention how to mitigate them explicitly.
> Could you consider this point?

I've added some additional text to my working copy to cover that.

> 2. The "Security Considerations" section
> of [RFC5545] describes the general security issues and its corresponding
> relation with the transport protocol. It's clear and comprehensive. As
> the extension draft to the iCalendar object specification, it's a good
> practice to mention that the security considerations in [RFC5545]
> continue to apply in this document.

I have added the following text as the last paragraph of Security 
Considerations:

    Security considerations in [RFC5545], and [RFC5546] MUST also be
    adhered to.

I have also added a Privacy Considerations section with similar text.

Also, on further review there were a couple of additional items I felt needed 
to be added to these sections. In particular, text about short 
REFRESH-INTERVALs being used to trigger denial of service attacks.

> section 5.2--5.6
> These sections specify the extensive properties, and don't follow the
> template in [RFC5545]. Would it be better to have some text for each
> extensive property to point out its original specification in [RFC5545]
> for easy understanding?

OK. I have added text in each of those sections providing a reference back 
to the section in RFC5545 where the original definitions reside.

> section 5.11
> The new property -- conference, is missing from the previous iCalendar
> components' definition in section 4;

Fixed.

> nits:
> Section 8.1
> The section number of [RFC5545] referenced here is wrong, it should be
> modified from 8.2.3 to 8.3.2;
>
> Section 8.2
> The section number of [RFC5545] referenced here is wrong, it should be
> modified from 8.2.4 to 8.3.3;

Fixed.

-- 
Cyrus Daboo
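The thread above mentions short REFRESH-INTERVAL values as a denial-of-service vector but shows no code; the following is an added example (not from the draft, RFC 5545, or either correspondent) of the client-side mitigation a consumer of a published calendar would apply: parse the DURATION value and never poll more often than a locally configured floor. The property syntax `REFRESH-INTERVAL;VALUE=DURATION:...`, the one-hour floor and the sample calendar are assumptions made for this example.

```python
import re
from datetime import timedelta

# RFC 5545 "dur-value" grammar: P1W, P3DT12H, PT30M, -P1D (no mixing of
# weeks with other units). Assumed here to be the value form of the
# REFRESH-INTERVAL property; the regex also accepts an empty "P"/"PT",
# which parse_duration rejects below.
_DUR_RE = re.compile(
    r"^(?P<sign>[+-])?P(?:(?P<weeks>\d+)W|(?:(?P<days>\d+)D)?"
    r"(?:T(?:(?P<hours>\d+)H)?(?:(?P<minutes>\d+)M)?(?:(?P<seconds>\d+)S)?)?)$"
)

# Assumed local policy floor; the draft itself sets no minimum.
MIN_REFRESH_INTERVAL = timedelta(hours=1)


def parse_duration(value: str) -> timedelta:
    """Parse an iCalendar DURATION value; raise ValueError if malformed."""
    m = _DUR_RE.match(value.strip())
    if not m:
        raise ValueError(f"malformed DURATION: {value!r}")
    parts = {k: int(v) for k, v in m.groupdict().items() if k != "sign" and v}
    if not parts:  # bare "P" or "PT" carries no components
        raise ValueError(f"empty DURATION: {value!r}")
    td = timedelta(**parts)
    return -td if m.group("sign") == "-" else td


def effective_refresh_interval(ical_text: str) -> timedelta:
    """Interval a client should honour when re-fetching the calendar.

    Missing, malformed, zero or negative REFRESH-INTERVAL values, and any
    value shorter than the floor, all collapse to MIN_REFRESH_INTERVAL so
    that a hostile publisher cannot make the client hammer the server.
    Assumes unfolded content lines (no RFC 5545 line folding).
    """
    for line in ical_text.splitlines():
        name, sep, value = line.partition(":")
        if not sep or name.split(";")[0].upper() != "REFRESH-INTERVAL":
            continue
        try:
            interval = parse_duration(value)
        except ValueError:
            return MIN_REFRESH_INTERVAL
        return max(interval, MIN_REFRESH_INTERVAL)
    return MIN_REFRESH_INTERVAL


# Constructed sample: a publisher asking clients to refresh every second.
SAMPLE_ABUSIVE = (
    "BEGIN:VCALENDAR\r\nVERSION:2.0\r\nPRODID:-//example//review//EN\r\n"
    "REFRESH-INTERVAL;VALUE=DURATION:PT1S\r\nEND:VCALENDAR\r\n"
)
```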