Re: [secdir] Secdir review of draft-ietf-appsawg-acct-uri-03

Peter Saint-Andre <> Wed, 27 March 2013 01:59 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 29DEA21F86EF; Tue, 26 Mar 2013 18:59:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 9oPjuJ0k2-IJ; Tue, 26 Mar 2013 18:59:47 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 9A56221F8555; Tue, 26 Mar 2013 18:59:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;;; l=2450; q=dns/txt; s=iport; t=1364349587; x=1365559187; h=cc:message-id:from:to:in-reply-to: content-transfer-encoding:mime-version:subject:date: references; bh=yBFGEAkn8ccgl4mGfLvpO38MsMqnHMma4HRWGe14gbs=; b=AP2OrLtpHQF/VrJLMxdGJZ3T6vjOCaB6Nb2czE+Fxo4RadbQnjWZQojf seS4rIJiX+CBjDcb+d3qPgo8pmaKKwAraMsE6DMeGxawBkoa6lYP0jV4d nU83U2VNCOnwH9SqT2rIWPmBUslM5SpInct/MOGnDqR41cgt2QY8T5TuJ g=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="4.84,915,1355097600"; d="scan'208";a="76817562"
Received: from ([]) by with ESMTP; 27 Mar 2013 01:59:47 +0000
Received: from [] ( []) by (8.14.5/8.14.5) with ESMTP id r2R1xj6i025137; Wed, 27 Mar 2013 01:59:46 GMT
Message-Id: <>
From: Peter Saint-Andre <>
To: Charlie Kaufman <>
In-Reply-To: <>
Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v936)
Date: Tue, 26 Mar 2013 19:59:45 -0600
References: <>
X-Mailer: Apple Mail (2.936)
X-Mailman-Approved-At: Wed, 27 Mar 2013 01:09:14 -0700
Cc: "" <>, "" <>, "" <>
Subject: Re: [secdir] Secdir review of draft-ietf-appsawg-acct-uri-03
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 27 Mar 2013 01:59:48 -0000

On Feb 27, 2013, at 12:10 PM, Charlie Kaufman wrote:

> I have reviewed this document as part of the security directorate's  
> ongoing effort to review all IETF documents being processed by the  
> IESG.  These comments were written primarily for the benefit of the  
> security area directors. Document editors and WG chairs should treat  
> these comments just like any other last call comments.
> The fact that this document only defines a syntax and does not  
> define uses for it implies that the security implications are minimal.
> This document specifies a new URI format for specifying names of  
> accounts. The syntax looks like:
> The chosen syntax is apparently already proposed for use in the  
> WebFinger protocol in a separate I-D and one could imagine lots of  
> other uses. This draft does not specify any semantics associated  
> with the account specification or any means of contacting the  
> entity, though it will likely be a common practice to have the value  
> be usable as an email address to reach the named entity. This draft  
> specifies that any protocols using this new URI format must specify  
> the associated semantics. The Security Considerations notes this and  
> says that therefore any security considerations must therefore be  
> described by the protocol using this syntax.
> My only quibble is that the spec does not specify any algorithm by  
> which two acct URIs can be compared for equality. Perhaps the world  
> has evolved to the point where everyone accepts that as being  
> impossible. The part after the @ is a DNS host, subject to IDN  
> rules, while the part before may contain many ASCII characters and %- 
> encoded UTF8. I believe that makes this different from what is  
> allowed in the name portion of an email address in many subtle  
> cases. Case-blind comparisons are probably intended but are not  
> specified. Having an "almost canonical" way to specify an account  
> identifier has the potential of introducing security problems, but  
> they may be unavoidable.

Charlie, thank you for the review and my apologies for the delay in  
replying. Stephen Farrell has raised the same issue about comparison  
in his IESG review of this specification, and I will work to address  
that issue. Would you and the secdir like to be cc'd on the text that  
results from that discussion?