Last Call Review of draft-ietf-webdav-bind-
review-ietf-webdav-bind-secdir-lc-kivinen-2009-06-05-00

Request
Review of: draft-ietf-webdav-bind
Requested rev.: no specific revision (document currently at 27)
Type: Last Call Review
Team: Security Area Directorate (secdir)
Deadline: 2009-05-28
Requested: 2009-05-19
Authors: Jim Whitehead, Jason Crawford, Geoffrey Clemm, Julian Reschke
Draft last updated: 2009-06-05
Completed reviews: Secdir Last Call review of -?? by Tero Kivinen
Assignment
Reviewer: Tero Kivinen
State: Completed
Review: review-ietf-webdav-bind-secdir-lc-kivinen-2009-06-05
Review completed: 2009-06-05

Review

I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the 
IESG.  These comments were written primarily for the benefit of the 
security area directors.  Document editors and WG chairs should treat 
these comments just like any other last call comments.

This document adds binding extensions to WebDAV. Binding
extensions seem to be like hard links on a Unix file system, i.e.
providing multiple bindings for the same resource (and the resource is
freed only when the last binding goes away).

The security considerations section refers to the "HTTP/1.1 and the
WebDAV Distributed Authoring Protocol specification" and says that all
security considerations of them also apply to this document, but it
does not give explicit references to the documents containing those
security considerations.

Bindings add some new security concerns (privacy, loops, denial of
service etc.), and those issues seem to be adequately covered by the
security considerations section.

One thing, which I am not sure is really applicable here but which is
not covered by the security considerations section, is that bindings
might confuse the administrator about access permissions. I.e. even
when the administrator revokes all change permissions from a certain
collection (i.e. the user cannot change the data any more), if that
collection has a binding pointing to some other collection or resource
where the user still has permissions, the user might still be able to
change resources in the first collection even when the administrator
believes he already removed permissions.

I am not familiar enough with the WebDAV authorization model to know
if these kinds of attacks are possible or not, i.e. I do not know if
the permissions are set on a per-resource basis or per collection or
what.
-- 
kivinen at iki.fi
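
The permission concern raised in the review, worked through as an added example that is not part of the review or of draft-ietf-webdav-bind. It assumes a toy model in which write access is granted per collection path (the review leaves open how WebDAV actually assigns permissions); `Resource`, `paths_to`, `writable_via`, `build_example` and the sample paths are all hypothetical.

```python
# Toy model, not the WebDAV ACL model: write access is assumed to be granted
# per collection path. All names and sample paths are constructed.

class Resource:
    """A resource; a collection is a resource that holds bindings."""
    def __init__(self, collection=False):
        self.bindings = {} if collection else None  # segment -> Resource

def paths_to(root, target):
    """Every path from root that resolves to target. A collection already on
    the current path is not re-entered, so binding loops terminate."""
    found = []
    def walk(node, path, on_path):
        for segment, child in node.bindings.items():
            child_path = f"{path}/{segment}"
            if child is target:
                found.append(child_path)
            if child.bindings is not None and id(child) not in on_path:
                walk(child, child_path, on_path | {id(child)})
    walk(root, "", {id(root)})
    return sorted(found)

def writable_via(root, target, write_grants):
    """Paths to target whose parent collection, or an ancestor of it, is in
    write_grants (the set of collection paths one user may write under)."""
    def granted(path):
        parent = path.rsplit("/", 1)[0] or "/"
        return any(parent == g or parent.startswith(g.rstrip("/") + "/")
                   for g in write_grants)
    return [p for p in paths_to(root, target) if granted(p)]

def build_example():
    """Two collections that each bind the same resource, plus a binding loop."""
    root, archive, work = Resource(True), Resource(True), Resource(True)
    report = Resource()
    root.bindings.update(archive=archive, work=work)
    archive.bindings["report.txt"] = report
    work.bindings["draft.txt"] = report   # second binding, same resource
    work.bindings["up"] = root            # loop back to the root
    return root, report

if __name__ == "__main__":
    root, report = build_example()
    print(paths_to(root, report))
    # The administrator revokes write on /archive only; /work is still granted.
    print(writable_via(root, report, {"/work"}))
```

Under this assumed model, an audit that lists every binding path to a resource before a revocation shows which grants still reach it; a model where permissions attach to the resource itself would not have this gap.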