[secdir] SECDIR Review of Draft-ietf-salud-alert-info-urns-12
Matthew Lepinski <mlepinski.ietf@gmail.com> Sun, 11 May 2014 21:56 UTC
Return-Path: <mlepinski.ietf@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2D5A31A0376; Sun, 11 May 2014 14:56:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ajaau6KdD3Jt; Sun, 11 May 2014 14:56:17 -0700 (PDT)
Received: from mail-wi0-x22c.google.com (mail-wi0-x22c.google.com [IPv6:2a00:1450:400c:c05::22c]) by ietfa.amsl.com (Postfix) with ESMTP id C58CB1A0375; Sun, 11 May 2014 14:56:16 -0700 (PDT)
Received: by mail-wi0-f172.google.com with SMTP id hi2so3571662wib.17 for <multiple recipients>; Sun, 11 May 2014 14:56:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type; bh=OHrmio9z+vis4e9EFVf1X/JyEgltml1vq55mpMHogFs=; b=XneW+tje68pMQJxAwoJ14J322QX6S44W6KFuSfQFo9+KAKSuWLbwuR8KE7HH/IUKqq P6HHCsQvObPcc0YhW1dSAalxaM18E7eXi2fV0KpUtilOMXXPDCNbNh+FGPNC6BlEb6un 0lKjJg3CUL9O+4v0eaDSjwM9wNQGsAW56D4KDU/6L2n19jf5l3eotP900U/b3Mj8a6UD Nqw6bxAl8c86E+ynaKH2My7yJJlrl0/MeJEn1Kk7Ct2sfd7GSOyDp0eZ4ZBVshma8h03 fuun//4AOj0Ctfb3ReN+AR/AgE0ccfiM+wH8PDIVUB2eFsgtgeeKRuZdLYBAXJjllnbo OgqQ==
MIME-Version: 1.0
X-Received: by 10.180.75.110 with SMTP id b14mr12822500wiw.43.1399845370549; Sun, 11 May 2014 14:56:10 -0700 (PDT)
Received: by 10.216.100.197 with HTTP; Sun, 11 May 2014 14:56:10 -0700 (PDT)
Date: Sun, 11 May 2014 17:56:10 -0400
Message-ID: <CANTg3aArOMXaXdj3xeTB__C4AH6nWr3-dy7UKZyGmTZ0Ea9+Tg@mail.gmail.com>
From: Matthew Lepinski <mlepinski.ietf@gmail.com>
To: "secdir@ietf.org" <secdir@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, draft-ietf-radext-dtls.all@tools.ietf.org, draft-ietf-salud-alert-info-urns.all@ietf.org
Content-Type: multipart/alternative; boundary="f46d043be2280d5bc404f926e6ef"
Archived-At: http://mailarchive.ietf.org/arch/msg/secdir/Y6R3DQpZAMgwxp82_NDO2-Dugu0
Subject: [secdir] SECDIR Review of Draft-ietf-salud-alert-info-urns-12
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 11 May 2014 21:56:20 -0000
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. The base Sip specification (RFC 3261) includes an Alert-Info header field that may reference an audio file to be rendered to the user as a ring tone or ringback tone. Draft-ietf-salud-alert-info-urns updates RFC 3261 to allow the Alert-info feel to include a URN that indicates the type of ring tone or ringback tone that is appropriate for the current call, and then the user agent can use this URN to select an appropriate alert to render to the user (e.g., based on the capabilities of user's device and the user's preferences). >From a security point of view, the mechanism specified in this document is very desirable, since it eliminates the potential security concerns associated with a request to fetch and render an arbitrary audio file provided by a (potentially untrusted) remote system. This document is generally ready for publication. I agree with the authors that specified usage of the new alert URN namespace does not raise significant new security concerns. However, I have one minor concern about the security considerations text, which I discuss below. The authors correctly note that the use particular alert indicators (that might reasonably be provisioned within this namespace) may introduce privacy concerns. For example, the alert-info value might reasonably include information about the calling party, the calling party's location (e.g., local vs international) or the calling party's device. (Note that in many cases there will be as much or more information about the calling party in other SIP headers, but it is definitely worth noting that this is a header field where privacy-relevant information may reside.) Therefore, the security considerations text goes on to say "Such provision SHALL always be explicitly authorized by the party (caller or callee) the information in the 'alert' URN refers to." I find the above text somewhat confusing, and I would appreciate it the authors could add a bit of text to clarify what they mean. Does this sentence mean that if I am implementing a User-Agent that I MUST NOT include any URN in the alert-info field without an explicit authorization from the user? Or perhaps it means that certain categories of alert URNs (the privacy-relevant ones) MUST NOT be included in the alert-info field without an explicit authorization from the user? (If this is the case, then obviously a bit of guidance is needed with regards to which types of alert URNs require explicit user authorization). Furthermore, I believe that the above sentence means that if I am implementing a proxy that I MUST NOT add any alert URN to an outgoing (or incoming) call without explicit authorization from the user. (Or again, perhaps it only means certain privacy-relevant alert URNs). I think this paragraph would be more clear if there were separate normative statement for the behavior of proxies and user agents. That is, for these type of privacy considerations, I think it is very helpful to be very clear/explicit about what information various entities are allowed to put into this header field (without authorization from the user). As I final note, it might be reasonable to add a sentence that reminds implementers that due to the potential privacy implications of the alert-info header field that when this header is included (or perhaps when certain categories of alert URNs are placed in this header field), the SIP message SHOULD be protected via TLS. However, I understand that: (1) There are a number of practical impediments to the use of TLS to protect SIP traffic; and (2) Given the privacy-relevant information that is likely contained in other SIP headers, the recommendation to use TLS is in now ways specific to the presence of the alert-info field. Therefore, although I think a reminder to use TLS when possible might be appropriate, I can understand why the authors might reasonably chose to leave out such text.
- [secdir] SECDIR Review of Draft-ietf-salud-alert-… Matthew Lepinski