Re: [Jcardcal] Stephen Farrell's Discuss on draft-ietf-jcardcal-jcard-05: (with DISCUSS and COMMENT)
Cyrus Daboo <cyrus@daboo.name> Thu, 18 July 2013 17:54 UTC
Return-Path: <cyrus@daboo.name>
X-Original-To: jcardcal@ietfa.amsl.com
Delivered-To: jcardcal@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B431311E819E; Thu, 18 Jul 2013 10:54:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FNJBVKqrLYb5; Thu, 18 Jul 2013 10:54:53 -0700 (PDT)
Received: from daboo.name (daboo.name [173.13.55.49]) by ietfa.amsl.com (Postfix) with ESMTP id D9CD611E81C4; Thu, 18 Jul 2013 10:54:47 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by daboo.name (Postfix) with ESMTP id 2B6EF4775028; Thu, 18 Jul 2013 13:54:41 -0400 (EDT)
X-Virus-Scanned: amavisd-new at example.com
Received: from daboo.name ([127.0.0.1]) by localhost (daboo.name [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9GRSDNvXRo23; Thu, 18 Jul 2013 13:54:40 -0400 (EDT)
Received: from caldav.corp.apple.com (unknown [17.45.162.46]) by daboo.name (Postfix) with ESMTPSA id 6FD58477501C; Thu, 18 Jul 2013 13:54:38 -0400 (EDT)
Date: Thu, 18 Jul 2013 13:54:34 -0400
From: Cyrus Daboo <cyrus@daboo.name>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, The IESG <iesg@ietf.org>
Message-ID: <533259592EFE6C6AB8016877@caldav.corp.apple.com>
In-Reply-To: <20130718003748.2045.65683.idtracker@ietfa.amsl.com>
References: <20130718003748.2045.65683.idtracker@ietfa.amsl.com>
X-Mailer: Mulberry/4.1.0a3 (Mac OS X)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline; size="2132"
Cc: draft-ietf-jcardcal-jcard@tools.ietf.org, jcardcal-chairs@tools.ietf.org, jcardcal@ietf.org
Subject: Re: [Jcardcal] Stephen Farrell's Discuss on draft-ietf-jcardcal-jcard-05: (with DISCUSS and COMMENT)
X-BeenThere: jcardcal@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: JSON data formats for vCard and iCalendar WG <jcardcal.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jcardcal>, <mailto:jcardcal-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jcardcal>
List-Post: <mailto:jcardcal@ietf.org>
List-Help: <mailto:jcardcal-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jcardcal>, <mailto:jcardcal-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Jul 2013 17:55:00 -0000
Hi Stephen, --On July 17, 2013 at 5:37:48 PM -0700 Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote: > vCards can be used to represent unexpected stuff that > might have security issues, e.g. see RFC 6869. > Aren't you missing a security consideration here > along the lines of saying that a vCard->jCard > translator that knows the generic syntax but does not > know the sensitivity associated with various vCard > things is very very liable to get something wrong > leading to unexpectd exposures? I'm not sure what > text might work for that, nor am I sure if we can > really ensure that a vCard->jCard convertor (or > vice-versa) will really understand the security > issues with the translations they are doing. I am weighing in on this because it speaks to the original design goals for all the vCard/iCalendar alternate data formats (XML and JSON). These alternative formats have been designed purely as alternative "syntaxes" for the original data formats. They are not intended to have any impact on the semantics of the actual data itself. Thus these specs are primarily concerned with doing the translation between the data formats, and that in itself does not introduce security issues, nor should it - of course with the proviso that the "rules" defined int he spec are correctly followed. To address this point perhaps the following replacement for the first paragraph in Security Considerations would work (note this tries to fix some issues from the SecDir review too): This specification defines how vCard data can be "translated" between two different data formats - the original text format and JSON - with a one-to-one mapping to ensure all the semantic data in one format (properties, parameters and values) are preserved in the other. It does not change the semantic meaning of the underlying data itself, or impose or remove any security considerations that apply to the underlying data. As a result, all of the security considerations that relate to the underlying vCard data, as described in Section 9 of [RFC6350], are applicable here. -- Cyrus Daboo
- [Jcardcal] Stephen Farrell's Discuss on draft-iet… Stephen Farrell
- Re: [Jcardcal] Stephen Farrell's Discuss on draft… Cyrus Daboo
- Re: [Jcardcal] Stephen Farrell's Discuss on draft… Stephen Farrell
- Re: [Jcardcal] Stephen Farrell's Discuss on draft… Cyrus Daboo
- Re: [Jcardcal] Stephen Farrell's Discuss on draft… Philipp Kewisch
- Re: [Jcardcal] Stephen Farrell's Discuss on draft… Cyrus Daboo