ietf

secdir review of draft-ietf-vcarddav-kind-app-00.txt

2011-10-20 05:04:53
I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

This document defines a new value for the vCard kind property:
application. This value is to be used for vCards that represent
software applications.

The Security Considerations section of this document states:

   Use of vCards to represent software applications is not envisioned to
   introduce security considerations beyond those specified for vCards
   in general as described in [VCARD].

However, the Security Considerations section of [VCARD] doesn't
seem adequate to the task. It merely points out that vCards don't
have any security protections and therefore SHOULD be transported
over a secure mechanism such as S/MIME or PGP if security is a
concern. This advice may be adequate if the vCard is only used
to transmit contact information for a person but it's generally
not adequate when the vCard contains information about a software
application. For example, this draft suggests that the KEY property
can be used to convey a public key associated with an application.
What a weak way to convey a public key! Will the recipient be able
to determine whether the key is accurate? How might the key be
revoked if necessary? No provisions are made for this. Other vCard
properties such as URL may cause problems if malicious.

Without proper security protections, the application vCard kind
seems like a great tool for phishing and social engineering.
Attackers can forge an email apparently from a trusted party,
including an application vCard and instructions to click on it
to see something cool. A naive email client may easily decide
that clicking on an application vCard should run the application
referenced in the vCard or visit the URL in the vCard or whatever.

I suggest that the Security Considerations section of the draft
be updated to include specific warnings that the contents of an
application vCard should be considered untrustworthy and dangerous
unless they have been securely delivered from a trustworthy source.
Even then, there's a real possibility that the source may have
been compromised before the vCard was sent. So information
obtained from vCards should not be regarded as ipso facto
trustworthy. Software should not act on information contained
in a vCard unless there's a strong reason to believe it's
accurate. And the KEY property SHOULD NOT be used for an
application. Instead, more robust techniques for managing
software public keys should be used.

Thanks,

Steve

  • secdir review of draft-ietf-vcarddav-kind-app-00.txt, Stephen Hanna <=
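
The handling the review asks for (treat an application vCard as untrusted, never act on its URL, never import its KEY) can be sketched as a client-side check. This is an added example, not part of the original message or of the draft; the function names are hypothetical, the input is assumed to be a single vCard in vCard 4.0 content-line syntax, and the sample card is constructed.

```python
import re

# Added illustration, not code from the draft or [VCARD]. Names are hypothetical.
# One vCard content line: [group "."] name *(";" param) ":" value
LINE = re.compile(r'^(?:[A-Za-z0-9-]+\.)?([A-Za-z0-9-]+)'
                  r'((?:;(?:[^":;]|"[^"]*")*)*):(.*)$')
# Properties the review singles out as dangerous in an application vCard.
NEVER_ACT_ON = {"URL", "KEY"}

def properties(text):
    """Return [(NAME, value)] after undoing line folding (newline + space/tab)."""
    unfolded = re.sub(r"\r?\n[ \t]", "", text)
    out = []
    for line in unfolded.splitlines():
        m = LINE.match(line)
        if m:
            out.append((m.group(1).upper(), m.group(3)))
    return out

def review_vcard(text):
    """Classify a single vCard; application cards get display-only handling."""
    props = properties(text)
    is_app = any(n == "KIND" and v.strip().lower() == "application"
                 for n, v in props)
    inert = [(n, v) for n, v in props if is_app and n in NEVER_ACT_ON]
    warnings = []
    if is_app:
        warnings.append("application vCard: treat contents as untrusted")
        if any(n == "KEY" for n, _ in inert):
            warnings.append("KEY present: do not import; no way to verify or revoke")
    return {"application": is_app, "inert": inert, "warnings": warnings}

# Constructed sample: mixed-case KIND, a grouped and folded URL, an inline KEY.
SAMPLE = "\r\n".join([
    "BEGIN:VCARD", "VERSION:4.0", "kind:Application",
    "FN:Example Service",
    "item1.URL;TYPE=work:https://app.example.inv", " alid/start",
    "KEY:data:application/pgp-keys;base64,AAAA",
    "END:VCARD", ""])

if __name__ == "__main__":
    result = review_vcard(SAMPLE)
    for name, value in result["inert"]:
        print("show as text only:", name, value)
    for w in result["warnings"]:
        print("warning:", w)
```

The check only covers the application kind discussed in the review; it makes no statement about how properties in other kinds of vCard should be handled.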