Re: [secdir] SECDIR review of draft-kyzivat-case-sensitive-abnf

Chris Lonvick <lonvick.ietf@gmail.com> Sat, 06 September 2014 17:38 UTC

Return-Path: <lonvick.ietf@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E8E1E1A06FC; Sat, 6 Sep 2014 10:38:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.3
X-Spam-Level: *
X-Spam-Status: No, score=1.3 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, J_CHICKENPOX_41=0.6, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7pt2kzG5N_UV; Sat, 6 Sep 2014 10:38:17 -0700 (PDT)
Received: from mail-pa0-x22e.google.com (mail-pa0-x22e.google.com [IPv6:2607:f8b0:400e:c03::22e]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C5FB31A0705; Sat, 6 Sep 2014 10:38:17 -0700 (PDT)
Received: by mail-pa0-f46.google.com with SMTP id eu11so24396028pac.19 for <multiple recipients>; Sat, 06 Sep 2014 10:38:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=TcRykyYTqZRn5V0NgJLpUrBZi2voEnummdF3y6KT1MQ=; b=qvHFUOeAALHFZPXshMl0BSk9O6Ri0ENB6AMUiJ+eO5YpUoirkUyrfyCiOff8I0kq+j nwbcF5vOWhkXpn39xpHp8sTI0FFPo8L9eoBSXWRUiomrlaP8eP8KXlhn6shJpQRf9pZS LktSlv0GES0cNVswQW51TpT7h0+FjF3iIoKzhqdNrLvNRD0zazBrE6TfTHSJ/1omRZLm FajQmuR/Yfj6IWn30uFHZa2SbrVAuw9KPy393TkoJ6UibVgWjX3eevWKuxduVkzWsELV T8Oc7KNc8BTutnl6Kh4vzThk9Z2xA+tscOCkiCxmpo0gAAvJbal4RN4KtYd1Zh8CRwC7 GuDg==
X-Received: by 10.66.65.130 with SMTP id x2mr31858790pas.79.1410025097481; Sat, 06 Sep 2014 10:38:17 -0700 (PDT)
Received: from [192.168.1.76] (172-3-137-150.lightspeed.sntcca.sbcglobal.net. [172.3.137.150]) by mx.google.com with ESMTPSA id gf5sm4775346pbc.89.2014.09.06.10.38.15 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Sat, 06 Sep 2014 10:38:16 -0700 (PDT)
Message-ID: <540B4686.2060305@gmail.com>
Date: Sat, 06 Sep 2014 10:38:14 -0700
From: Chris Lonvick <lonvick.ietf@gmail.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: Paul Kyzivat <pkyzivat@alum.mit.edu>, iesg@ietf.org, secdir@ietf.org, draft-kyzivat-case-sensitive-abnf.all@tools.ietf.org
References: <540A3309.90802@gmail.com> <540B3271.5060502@alum.mit.edu>
In-Reply-To: <540B3271.5060502@alum.mit.edu>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/secdir/yXG6An1X0OrdiuuZ0CrsBf5OjlI
Subject: Re: [secdir] SECDIR review of draft-kyzivat-case-sensitive-abnf
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 06 Sep 2014 17:38:19 -0000

Hi Paul,

On 9/6/14, 9:12 AM, Paul Kyzivat wrote:
> Chris,
>
> Thanks for the comments.
>
> On 9/5/14 6:02 PM, Chris Lonvick wrote:
>> Hi,
>>
>> I have reviewed this document as part of the security directorate's
>> ongoing effort to review all IETF documents being processed by the IESG.
>> These comments were written primarily for the benefit of the security
>> area directors. Document editors and WG chairs should treat these
>> comments just like any other last call comments.
>>
>> The abstract is:
>>
>>     This document extends the base definition of ABNF (Augmented Mackus-
>>     Naur Form) to include a way to specify ASCII string literals that 
>> are
>>     matched in a case-sensitive manner.
>>
>>
>> Overall, I don't like the statement in the Security Considerations
>> section, but it is consistent with all other documents related to
>> defining ABNF, and I can't find any noteworthy security issues anyway.
>>  From that, I have no objection to moving this document forward.
>
> As you can see, I just followed precedent since I wasn't doing 
> anything that would alter the security implications in any way.
>
> But I am open to suggestions for something better to say.

Nah, I like the consistency.  The only concern (very minor) that I have 
is about how older ABNF interpreters would react to seeing these new 
literals.  I don't think that they're mission critical in any way and 
the one that I tried (BAP) just gave me an error.
>
>> I did find some nits and have some suggestions for improving 
>> readability.
>>
>> 1 - "Mackus-Naur" is used in two places rather than "Backus-Naur".
>
> Yes. I don't know how that happened.
Kind'a funny - you're not the first to make that error.
http://publib.boulder.ibm.com/infocenter/wtelecom/v6r2m0/index.jsp?topic=/com.ibm.diameter.rf.doc/rf_rawinterface_r.html
>
>> 2 - The last sentence of section 2.1 is:
>>
>>     This mechanism has a clear readability
>>     disadvantage, with respect to using a literal text string with a
>>     prefix, and new the prefix mechanism is preferred.
>>
>>
>> Perhaps you meant:
>>     This mechanism of using a literal text string with a prefix has a 
>> clear
>>     readability disadvantage.  The prefix mechanism described in this
>>     specification can be much more easily read.
>
> No. "This mechanism" refers to "the way that has been used in the 
> past" (specify the individual characters numerically). How about:
>
> "The new way (using a literal text string with a prefix) has a clear 
> readability advantage over the old way."

Works for me.  See the response I sent to Barry.
>
>> 3 - This part of Section 2.1 may be cleared up some:
>>   ---vvv---
>>
>> If no prefix is present then the string is case-insensitive.
>>
>>     Hence:
>>
>>           rulename = %i"aBc"
>>
>>     and:
>>
>>           rulename = "abc"
>>
>>     will both match "abc", "Abc", "aBc", "abC", "ABc", "aBC", "AbC", and
>>     "ABC".
>>
>>
>>   ---^^^---
>>
>>   Suggested:
>>    ---vvv---
>>       To be consistent with current implementations of ABNF, having no
>>       prefix means that the string is case-insensitive, and is 
>> equivalent
>>       to having the "%i" prefix.
>
> This seems good, except for the use of "current". That doesn't age 
> well. I suggest replacing "current" with "prior".
>
Works for me as well.

Best regards,
Chris
>     Thanks,
>     Paul
>
>>     Hence:
>>
>>           rulename = %i"aBc"
>>
>>     and:
>>
>>           rulename = "abc"
>>
>>     are equivalent and both will match "abc", "Abc", "aBc", "abC", 
>> "ABc",
>>     "aBC", "AbC", and "ABC".
>> ---^^^---
>>
>> Best regards,
>> Chris
>>
>