Last Call Review of draft-ietf-weirds-using-http-07
review-ietf-weirds-using-http-07-secdir-lc-murphy-2013-08-16-00
| Request | Review of | draft-ietf-weirds-using-http |
|---|---|---|
| Requested rev. | no specific revision (document currently at 15) | |
| Type | Last Call Review | |
| Team | Security Area Directorate (secdir) | |
| Deadline | 2013-08-13 | |
| Requested | 2013-07-18 | |
| Authors | Andrew Newton, Byron Ellacott, Ning Kong | |
| Draft last updated | 2013-08-16 | |
| Completed reviews |
Genart Last Call review of -07 by Joel Halpern
(diff)
Genart Last Call review of -13 by Joel Halpern (diff) Secdir Last Call review of -07 by Sandra Murphy (diff) |
|
| Assignment | Reviewer | Sandra Murphy |
| State | Completed | |
| Review | review-ietf-weirds-using-http-07-secdir-lc-murphy-2013-08-16 | |
| Reviewed rev. | 07 (document currently at 15) | |
| Review result | Has Issues | |
| Review completed: | 2013-08-16 |
Review
review-ietf-weirds-using-http-07-secdir-lc-murphy-2013-08-16
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. Overall concerns: This draft in the first sentence portrays itself as one of a collection of documents that describe the RDAP protocol. But no other documents are referenced or cited. Reviewing all the other drafts in the weirds wg, I believe that the weirds working group considers the following three drafts to be the definition of the RDAP protocol: draft-ietf-weirds-rdap-query draft-ietf-weirds-json-response draft-ietf-weirds-using-http I would add draft-ietf-weirds-rdap-sec to the list, as it is also standards track and states requirements for behavior. But I do not know if the weirds wg considers the recommendations in the rdap-sec draft to be mandatory for all RDAP implementations to implement. The security considerations section provides little in the way of discussion of the security considerations for the RDAP protocol. It refers to discussions of protections against denial of service (rate limiting) and reuse of existing http security mechanisms (cross-site resource sharing, I think). Other than that, it says Additional security considerations to the RDAP protocol will be covered in future RFCs documenting specific security mechanisms and schemes. Since there are obvious possible security considerations (client and server authentcation, authorization, integrity, confidentiality in the server responses at least, etc.), this is weak. Luckily, draft-ietf-weirds-rdap-sec provides a discussion of many of those considerations and others as well, and mechanisms to provide those security services. I am puzzled why the authors did not cite that draft - is there some doubt that the rdap-sec draft will progress? Without such a reference, this section is inadequate. [The rdap-sec draft is very thorough, but I have a few questions I might ask about some of the recommendations - if I were reviewing that draft. But I'm not. So I won't pose them here.] section 5.6 When responding to queries, it is RECOMMENDED that servers use the Access-Control-Allow-Origin header field, as specified by [W3C.CR-cors-20130129]. I have about 10 minutes of knowledge of this header field, but I can not envision a case where cross origin resource sharing might be needed, or whether the access-control-allow-origin header is sufficiently secure for those cases. Someone who understands that area should confirm that this is reasonable and adequate. The draft contains language that might be interpreted to be normative, usually in the form "client(server) <doessomeaction>". Maybe that would always be interpreted to be "MUST", but in some cases later text makes it appear that MAY or SHOULD is intended. Particularly section 4.1, 5.2, and 5.5. =================================== Specific comments: --------- Collecting a few comments about the posiiton of this draft wrt RDAP: Section 1 says This document is one of a collection that together describe the Registration Data Access Protocol (RDAP). It describes how RDAP is transported using the Hypertext Transfer Protocol (HTTP). In section 2 it says RDAP query and response formats are described in other documents in the collection of RDAP specifications, while this document describes how RDAP clients and servers use HTTP to exchange queries and responses. The other parts of the "collection" are left to the reader to discover. There are no related drafts listed in the reference section. Besides having pity on your poor reader, this leaves the position of this draft somewhat unclear. The text about "how RDAP is transported using ...(HTTP)" makes it sound like HTTP is a transport protocol, not a fundamental component of the RDAP protocol. (REST is not limited to HTTP, if you can believe the web.) If the queries and responses in the two other drafts were carried in a different transport protocol, would that communication still be RDAP? It would be helpful if that was clear. The rdap-query draft contains references to the behavior in this draft, so I have decided to believe that this document is a fundamental part of the RDAP protocol. And in section 3 it says: In this document, only a JSON [RFC4627] response media type is noted, with the response contents to be described separately. This document only describes how RDAP is transported using HTTP with this format. This could be read to mean that other documents might describe how RDAP is transported using something other than HTTP, but I'm presuming it means that this document describes how RDAP is transported in HTTP only with the JSON media type, no other media types are described. --------- Going through the sections: Section 1 says: The purpose of this document is to clarify the use of standard HTTP mechanisms for this application. The rdap-query document section 2 says: WHOIS services, in general, are read-only services. Therefore URL [RFC3986] patterns specified in this document are only applicable to the HTTP [RFC2616] GET and HEAD methods. If only HTTP GET and HEAD methods are allowed in the client, should that not be mentioned in this document? Aren't they part of the "standard HTTP mechanisms for this application"? (It would ahve been really helpful to know that restriction the first read through this document.) Section 1, page 3 A replacement protocol is expected to retain the simple transactional nature of WHOIS, while providing a specification for queries and responses, Not sure - isn't this document (a component of) the "replacement protocol"? So do you mean "RDAP retains...."? section 2 In accordance with [SAC-051], this document describes the base behavior for a Registration Data Access Protocol (RDAP). Another point of uncertainty about the position of this document wrt RDAP (part of the RDAP spec or not). But at any rate, this document does not describe the base behavior. Unless by "base behavior" you mean the "HTTP behavior". Section 3 There are a few design criteria this document attempts to meet. Did it succeed? For example, I don't see anything in this document that mandates that there is a bound on the maximum number of results to a query as mentioned below: First, each query is meant to return either zero or one result. With the maximum upper bound being set to one I'm not even sure this is answered in the json-response draft, as it seems to be concentrating on the data format of the response, not the specification of what responses or how many responses are included in a reply to what queries (no sort of state machine sort of description). Section 4.1 To indicate to servers that an RDAP response is desired, clients include an Accept: header field with an RDAP specific JSON media type, the generic JSON media type, or both. ... This specification does not define the responses a server returns to a request with any other media types in the Accept: header field, or with no Accept: header field. So it seems "clients include an Accept: header field ..." is not a MUST. MAY? SHOULD? To indicate to servers that an RDAP response is desired, clients include an Accept: header field with an RDAP specific JSON media type, the generic JSON media type, or both. Servers receiving an RDAP request return an entity with a Content-Type: header containing the RDAP specific JSON media type. Is that a "MUST return"? If the servers always return a specific JSON media type, why do the clients indicate acceptance of a generic media type? section 5 This section describes the various types of responses a server may send to a client. I don't think you meant "MAY" in the 2119 sense. section 5.1 it returns that answer in the body of a 200 response. I think this is a MUST. section 5.2 query can be found elsewhere, it returns either a 301 response code ... indicate a non-permanent redirection, and it includes an HTTP(s) URL I think these are both MUST. in the Location: header field. The client is expected to issue a subsequent request to satisfy the original query using the given URL without any processing of the URL. In other words, the server is to hand back a complete URL and the client should not have to transform the URL to follow it. Is this a MUST issue or a MAY issue? Is that should not a SHOULD NOT? Or did you want to say that the server MUST provide a URL that could be used directly by the client in a subsequent request without requiring any transformation. [I have no clue what tranformations you might be trying to avoid. For my curiousity, can you provide an example?] For this application, such an example of a permanent move might be a Top Level Domain (TLD) operator informing a client the information being sought can be found with another TLD operator (i.e. a query for the domain bar in foo.example is found at http://foo.example/domain/ bar). such an example of a --> an example of such a I don't know why you emphasized that this example is TLD operators, because the foo.example domain names don't look like TLDs to me. If the example relies on the fact that the operators are TLDs, then the domain names chosen should reflect that. Unless I'm just completely misreading this. section 5.3 If a server wishes to respond that it has no information regarding the query, it returns a 404 response code. Optionally, it MAY include additional information regarding the negative answer in the HTTP entity body. I think you mean MUST return. If a server wishes to inform the client that information about the query is available, but cannot include the information in the response to the client for policy reasons, the server MUST respond with an appropriate response code out of HTTP's 4xx range. In the second paragraph, is the server allowed to choose a 404 response code? In the second paragraph, is the server allowed to return additional information about the refusal to return the information. (e.g., "I dould tell you but I'd have to shoot you") sectin 5.4 If a server receives a query which it cannot interpret as an RDAP query, it returns a 400 response code. I think you mean MUST return. Section 4 of rdap-query says Servers MUST return an appropriate failure status code for a request with an unrecognized path segment. Is that covered by "which it cannot interpret as an RDAP query" - that is, does this section provide the status code that would be appropriate? I think the section title of "malformed queries" suits all situations better than "cannot interpret as an RDAP query". in the rdap-query section 4 case, the server can interpret the query as an RDAP query, but the query parameter is malformed. section 5.5 abuses. When a server declines to answer a query due to rate limits, it returns a 429 response code as described in [RFC6585]. I think you mean MUST return. A client that receives a 429 response SHOULD decrease its query rate, and honor the Retry-After header field if one is present. So is it SHOULD honor, since it is SHOULD decrease? Or is it MUST honor? section 7 This document made recommendations for server implementations against makes denial-of-service (Section 5.5) and interoperability with existing security mechanism in HTTP clients (Section 5.6). mechanisms Section 5.6 is Cross-Origin Resource Sharing. Is that what you meant by "interoperability with existing security mechanism in HTTP clients"? As the Access-Control-Allow-Origin header field was developed as part of enabling secure cross-site data transfers, it seems appropriate to discuss the security considerations and usage scenarios. sectin 8 In accordance with RFC5226, the IANA policy for assigning new values shall be Specification Required: values and their meanings must be documented in an RFC or in some other permanent and readily available reference, in sufficient detail that interoperability between independent implementations is possible. This draft and the others are Standard track - why would extensions not also be standards track? I understand that the extensions are prefixes for JSON names and URL path segments, not extensions to the protocol. Are there other permanent sources outside the IETF that you envision developing a specification for an RDAP name/path segment extension? If you are proposing a new registry, there's a requirement of what must be included in this document in section 4.2 of rfc5226: 1) registry name 2) information that must be included in a request (this section does that) 3) review process: ordinarily Specification Required means there's a Designated Expert 4) "size, format, and syntax of registry entries" 5) "Initial assignments and reservations." The request format suggests that the request should include the "Registry operator". There's a conflation of the term "registry" here with the fact that the request is being made to an "IANA registry". "Registry operator" here I think means the operator of the registration data service to which an RDAP query could be made. 9.3 Given the description of the use of language identifiers in Section 9.2, unless otherwise specified servers SHOULD ignore the HTTP [RFC2616] Accept-Language header field when formulating HTTP entity responses, so that clients do not conflate the Accept-Language header with the 'lang' values in the entity body. (section 9.2 suggests that language identifiers, to be specified later, should be used to annotate responses.) This passage is confusing - the accept-language header is in the client's request, so the server ignoring it is not going to prevent the client from confusing that header with the 'lang' values in the (request?) entity body. (It is unfortunate that one query path segment type is called "entity" as in GET /entity/JoeDoe-Handle, but I'm pretty sure here it is talking about the http entity.) Appendix B The suggestion that caches can be avoided by inventing a random parameter with a random value to make the query look unique seems to be commonly used. To someone who has been in security for a long while, this looks like a huge (not-so-)covert channel. But I don't think that's a concern. --------- real wordsmithing comments section 1 The registration data expected to be presented by this service is Internet resource registration data - registration of domain names and Internet number resources. I think you mean "data associated with the registration of domain names and Internet number resources". I don't think you mean for RDAP to have anything to do with the registration process itself. Where complexity may reside, it is the goal of this document to place it upon the server and to keep the client as simple as possible. I think you mean "Where complexity may arise" or "may occur". section 7 protocol. However, it does not restrict against the use of security ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Strange choice of words. I think you mean it does not restrict the use. This document made recommendations for server implementations against denial-of-service (Section 5.5) and interoperability with existing security mechanism in HTTP clients (Section 5.6). "recommendations ... against denial of service" - an odd wording. I'd say "recommendations for use of rate limiting as a response to denial of service" --Sandy Murphy