Skip to main content

Last Call Review of draft-ietf-vcarddav-webdav-mkcol-

Request Review of draft-ietf-vcarddav-webdav-mkcol
Requested revision No specific revision (document currently at 06)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2009-08-25
Requested 2009-08-03
Authors Cyrus Daboo
I-D last updated 2009-08-18
Completed reviews Secdir Last Call review of -?? by Ran Canetti
Assignment Reviewer Ran Canetti
State Completed
Request Last Call review on draft-ietf-vcarddav-webdav-mkcol by Security Area Directorate Assigned
Completed 2009-08-18
***   I have reviewed this document as part of the security directorate's
***   ongoing effort to review all IETF documents being processed by the
***   IESG.  These comments were written primarily for the benefit of the
***   security area directors.  Document editors and WG chairs should treat
***   these comments just like any other last call comments.

The draft describes an update for the MKCOL request in WebDAV. The update

essentially allows for establishing a generic collection on the server (in 

XML), thus reducing the need for creating additional methods.

The document states that this generalization has no security implications.

I'm far from being a WebDAV or XML expert, and it might well be the case 

that the document is correct in this assertion. But, at least on the face 

of things, it seems that allowing clients to make generic XML MKCOL 

requests might make it harder for servers to protect against compromise by 

malicious clients. (At least some of the curbs that were put before, by 

forcing specific MKCOL requests per application, may now be removed.)  It 

might be good to discuss this potential concern and clarify its