Last Call Review of draft-nottingham-rfc5988bis-05
review-nottingham-rfc5988bis-05-secdir-lc-dekok-2017-05-26-00

Request Review of draft-nottingham-rfc5988bis
Requested rev. no specific revision (document currently at 08)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2017-05-26
Requested 2017-04-28
Authors Mark Nottingham
Draft last updated 2017-05-26
Completed reviews Genart Last Call review of -05 by Stewart Bryant (diff)
Opsdir Last Call review of -05 by Carlos Martínez (diff)
Secdir Last Call review of -05 by Alan DeKok (diff)
Genart Telechat review of -07 by Stewart Bryant (diff)
Assignment Reviewer Alan DeKok
State Completed
Review review-nottingham-rfc5988bis-05-secdir-lc-dekok-2017-05-26
Reviewed rev. 05 (document currently at 08)
Review result Has Nits
Review completed: 2017-05-26

Review
review-nottingham-rfc5988bis-05-secdir-lc-dekok-2017-05-26

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. 

This document describes a model for indicating relationship between resources on the web.  It largely describes concepts, with some "on the wire" specification.

This document is Ready with NITs

Section 2 says:

   ... the relative ordering of links in any
   particular serialisation, or between serialisations (e.g., the Link
   header field and in-content links) is not specified or significant in
   this specification; applications that wish to consider ordering
   significant can do so.

  I'm not sure about the impact of the last statement in that sentence.  If ordering is not significant, why would applications consider it to be significant?  What does that mean to the application, and how does that affect this standard?


Section 2 says:

  Finally, links are consumed by _link applications_.

NIT: I'm not sure what "consumed" means here. Perhaps "interpreted" would be better?


Section 2.1.1 says:

 Registered relation type names MUST conform to the reg-rel-type rule
   (see Section 3.3), and MUST be compared character-by-character in a
   case-insensitive fashion.  

Question: are there any restrictions on the encodings of the strings?  I.e. are they ASCII?  Or UTF-8?

  Having spent some time trying to to i18n in historical protocols, I'm wary of statements which require case-insensitive string matching with no further qualification.

  Similar comments apply to Section 2.1.2.


Section 2.1.1 says:

   ... This practice is NOT RECOMMENDED,
   because the resulting strings will not be considered equivalent to
   the registered relation types by other processors.

NIT: this is the only use of "processors" I can find in the document.  I suggest replacing it with a term used by the rest of the document.


Section 2.1.1.1 says:

   Registration requests consist of at least the following information:

   o  *Relation Name*: The name of the relation type

Question: is this an English name?  The "Description" field states that it is a "shot English description"

  Should the name generally be lowercase?  Uppercase?  Mixed case?

  If the name does not follow existing practices, can the Expert Review suggest changes?

  And for the string comparisons, is this ASCII?  UTF-8?  Some guidance would be appreciated.


Section 2.1.1.2 says:

   The goal of the registry is to reflect common use of links on the
   Internet.  Therefore, the Expert(s) SHOULD be strongly biased towards
   approving registrations, unless they are abusive, frivolous, not
   likely to be used on the Internet, or actively harmful to the
   Internet and/or the Web (not merely aesthetically displeasing, or
   architecturally dubious). 

Question: how are these determinations to be made?  Is there any guidance?

  How can a "Relation name" or "reference" be "abusive", or "actively harmful" ?


Section 5 says:

   The content of the Link header field is not secure, private or
   integrity-guaranteed, and due caution should be exercised when using
   it.  Use of Transport Layer Security (TLS) with HTTP ([RFC2818] and
   [RFC2817]) is currently the only end-to-end way to provide such
   protection.

Question: Is there guidance on what other applications should do with the links?

     Link applications ought to consider the attack vectors opened by
   automatically following, trusting, or otherwise using links gathered
   from HTTP headers.  In particular, Link header fields that use the
   "anchor" parameter to associate a link's context with another
   resource are to be treated with due caution.

Question: what is "due caution"?

  I'd also suggest that *parsing* links is a hard problem, as parsing is (in general) a source of many security issues.

  For examples, see: http://blog.checkpoint.com/2017/05/23/hacked-in-translation/

  Where malicious subtitles can result in video players being compromised.

   The Link header field makes extensive use of IRIs and URIs.  See
   [RFC3987] for security considerations relating to IRIs.  See
   [RFC3986] for security considerations relating to URIs.  See
   [RFC7230] for security considerations relating to HTTP headers.

NIT: I suggest referencing the "Security Considerations" sections directly, instead of just referring to the entire document.