Telechat Review of draft-ietf-core-problem-details-05
review-ietf-core-problem-details-05-secdir-telechat-nir-2022-06-14-00
| Request | Review of | draft-ietf-core-problem-details |
|---|---|---|
| Requested revision | No specific revision (document currently at 08) | |
| Type | Telechat Review | |
| Team | Security Area Directorate (secdir) | |
| Deadline | 2022-06-14 | |
| Requested | 2022-06-09 | |
| Authors | Thomas Fossati , Carsten Bormann | |
| I-D last updated | 2022-06-14 | |
| Completed reviews |
I18ndir Last Call review of -05
by Harald T. Alvestrand
(diff)
Artart Last Call review of -05 by Harald T. Alvestrand (diff) Opsdir Last Call review of -04 by Joel Jaeggli (diff) Genart Last Call review of -05 by Gyan Mishra (diff) Secdir Telechat review of -05 by Yoav Nir (diff) |
|
| Assignment | Reviewer | Yoav Nir |
| State | Completed | |
| Request | Telechat review on draft-ietf-core-problem-details by Security Area Directorate Assigned | |
| Posted at | https://mailarchive.ietf.org/arch/msg/secdir/O2jATwRhuR-69Q4G-Oc6Fcfe8vQ | |
| Reviewed revision | 05 (document currently at 08) | |
| Result | Has nits | |
| Completed | 2022-06-14 |
review-ietf-core-problem-details-05-secdir-telechat-nir-2022-06-14-00
Greetings The document defines a CBOR-encoded problem details structure, similar to the JSON- or XML-encoded structure defined in RFC 7807. As such, the security considerations for it mostly mirror those of RFC 7807, and that is all that the Security Considerations section says. Following this reference, the Security Considerations section of 7807 urges caution when defining new problem types for fear of leaking sensitive information in the relevant fields of new types. There is, however, a difference between 7807 and this document. In 7807 different problems are identified by "type". In this document, there is no explicit type. Instead, there are basic details that are defined, plus a registry of standard and custom extra attributes that can be defined. The security considerations section in 7807 is phrased in terms of new types. Security considerations text written specifically for this documentation would not mention new types (which don't exist), but new detail entries. Still, the message would be the same. When defining new detail entries, care should be taken that they do not leak sensitive information. Yet because of the difference, I believe that the text should be written specifically for this document, not just referenced from 7807.