ietf
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

SECDIR review: draft-hammer-hostmeta

2010-07-16 09:18:16
from [Kurt Zeilenga] [Permanent Link] 
I have reviewed this document as part of the security directorate's ongoing 
effort to review all IETF documents being processed by the IESG.  These 
comments were written primarily for the benefit of the security area directors. 
 Document editors should treat these comments just like any other last call 
comments.

I have a number of security-related concerns with this specification.

First, I'm concerned by assumptions in the document that each of:
        http://example.com
        http://example.com:8080
        https://example.com
        https://example.com:8443

identify resources under the control of same entity.   It is fairly common to 
there to be multiple http/https services running on a single host, each service 
possibly operated by different entities as delegated by the "host" 
administrator.  I think it would be better (from a security perspective) to 
have "service"-level metadata, not "host" level meta data.  That is, make no 
assumption that the above URIs are under control of the same entity, or even if 
so, that it desirable to a single policy/metadata covering multiple services.

And I think it very important to always fetch the meta data from the service 
one is accessing.  The document calls for client to fetch 
https://example.com/.well-known/host-meta even when https://example.com:8443 is 
URI wants policy for.  

Even worse, the document calls for the client to, if the above fetch does not 
produce a "valid" hostmeta document, for the client to fetch 
http://example.com/.well-known/host-meta.  An attacker could easily cause 
https://example.com/.well-known/host-meta to fail to produce a "valid" hostmeta 
document, and serve its own hostmeta document in response to the client's 
http://example.com/.well-known/host-meta, without supplanting the 
https://example.com:8443 service.

The document fails to discuss such attacks.

I recommend reworking this document to provide service-level, not host-level, 
metadata.  In particular, the metadata document should always be retrieved 
through the service the client is interested in using, such as by fetching 
"/.well-known/metadata".

If the authors rather continue pursuing a "host-based" solution, the security 
considerations should include a discussion of the above issues.

Regards, Kurt
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
  • SECDIR review: draft-hammer-hostmeta, Kurt Zeilenga <=
Previous by Date:  RE: Historic Moment - Root zone of the Internet was just signedminutes ago!!!, Monique Morrow (mmorrow)
Next by Date:  Re: Fwd: Historic Moment - Root zone of the Internet was just signed minutes ago!!!, todd glassey
Previous by Thread:  Fwd: Historic Moment - Root zone of the Internet was just signed minutes ago!!!, Russ Housley
Next by Thread:  secdir review of draft-ietf-ipsecme-roadmap, Richard L. Barnes
Indexes:  [Date] [Thread] [Top] [All Lists]