Skip to main content

Last Call Review of draft-hammer-hostmeta-
review-hammer-hostmeta-secdir-lc-zeilenga-2010-07-30-00

Request Review of draft-hammer-hostmeta
Requested revision No specific revision (document currently at 17)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2010-07-23
Requested 2010-06-25
Authors Blaine Cook , Eran Hammer-Lahav
Draft last updated 2010-07-30
Completed reviews Secdir Last Call review of -?? by Kurt Zeilenga
Assignment Reviewer Kurt Zeilenga
State Completed
Review review-hammer-hostmeta-secdir-lc-zeilenga-2010-07-30
Completed 2010-07-30
review-hammer-hostmeta-secdir-lc-zeilenga-2010-07-30-00
I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG.  These
comments were written primarily for the benefit of the security area directors.
 Document editors should treat these comments just like any other last call
comments.

I have a number of security-related concerns with this specification.

First, I'm concerned by assumptions in the document that each of:


http://example.com



http://example.com:8080



https://example.com



https://example.com:8443

identify resources under the control of same entity.   It is fairly common to
there to be multiple http/https services running on a single host, each service
possibly operated by different entities as delegated by the "host"
administrator.  I think it would be better (from a security perspective) to
have "service"-level metadata, not "host" level meta data.  That is, make no
assumption that the above URIs are under control of the same entity, or even if
so, that it desirable to a single policy/metadata covering multiple services.

And I think it very important to always fetch the meta data from the service
one is accessing.  The document calls for client to fetch

https://example.com/.well-known/host-meta

 even when

https://example.com:8443

 is URI wants policy for.

Even worse, the document calls for the client to, if the above fetch does not
produce a "valid" hostmeta document, for the client to fetch

http://example.com/.well-known/host-meta

.  An attacker could easily cause

https://example.com/.well-known/host-meta

 to fail to produce a "valid" hostmeta document, and serve its own hostmeta
 document in response to the client's

http://example.com/.well-known/host-meta

, without supplanting the

https://example.com:8443

 service.

The document fails to discuss such attacks.

I recommend reworking this document to provide service-level, not host-level,
metadata.  In particular, the metadata document should always be retrieved
through the service the client is interested in using, such as by fetching
"/.well-known/metadata".

If the authors rather continue pursuing a "host-based" solution, the security
considerations should include a discussion of the above issues.

Regards, Kurt