Last Call Review of draft-ietf-vcarddav-webdav-mkcol-
review-ietf-vcarddav-webdav-mkcol-secdir-lc-canetti-2009-08-18-00

Request Review of draft-ietf-vcarddav-webdav-mkcol
Requested rev. no specific revision (document currently at 06)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2009-08-25
Requested 2009-08-03
Other Reviews
Review State Completed
Reviewer Ran Canetti
Review review-ietf-vcarddav-webdav-mkcol-secdir-lc-canetti-2009-08-18
Posted at http://www.ietf.org/mail-archive/web/secdir/current/msg00874.html
Draft last updated 2009-08-18
Review completed: 2009-08-18

Review
review-ietf-vcarddav-webdav-mkcol-secdir-lc-canetti-2009-08-18

***   I have reviewed this document as part of the security directorate's
***   ongoing effort to review all IETF documents being processed by the
***   IESG.  These comments were written primarily for the benefit of the
***   security area directors.  Document editors and WG chairs should treat
***   these comments just like any other last call comments.


The draft describes an update for the MKCOL request in WebDAV. The update
essentially allows for establishing a generic collection on the server (in
XML), thus reducing the need for creating additional methods.

The document states that this generalization has no security implications.

I'm far from being a WebDAV or XML expert, and it might well be the case
that the document is correct in this assertion. But, at least on the face
of things, it seems that allowing clients to make generic XML MKCOL
requests might make it harder for servers to protect against compromise by
malicious clients. (At least some of the curbs that were put before, by
forcing specific MKCOL requests per application, may now be removed.)  It
might be good to discuss this potential concern and clarify its
relevance/irrelevance.

Best,

Ran
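A server-side check of the kind the review asks the draft to consider, as an added example that is not part of the review or of the draft: the server validates an extended MKCOL body against an allow-list of collection types and settable properties before creating anything. The body shape (DAV:mkcol containing DAV:set/DAV:prop/DAV:resourcetype) follows Extended MKCOL as published in RFC 5689; the allow-lists, size cap and sample body are this example's own assumptions.

```python
# Added example, not the draft's code. Body shape per RFC 5689 (Extended
# MKCOL); allow-lists, size cap and sample body are this example's own policy.
import xml.etree.ElementTree as ET

DAV = "DAV:"
CARDDAV = "urn:ietf:params:xml:ns:carddav"
ALLOWED_TYPES = {(DAV, "collection"), (CARDDAV, "addressbook")}  # policy
SETTABLE_PROPS = {(DAV, "resourcetype"), (DAV, "displayname")}   # policy
MAX_BODY_BYTES = 8192

def _split(tag):
    # '{ns}local' -> (ns, local); an unprefixed tag gets an empty namespace
    return tuple(tag[1:].split("}", 1)) if tag.startswith("{") else ("", tag)

def validate_mkcol(body: bytes):
    """Return the set of resource types to create, or raise ValueError:
    oversized body, wrong root, property outside SETTABLE_PROPS, type outside
    ALLOWED_TYPES, or a body that omits DAV:collection are all rejected."""
    if len(body) > MAX_BODY_BYTES:
        raise ValueError("body too large")
    root = ET.fromstring(body)  # raises ET.ParseError on malformed XML
    if _split(root.tag) != (DAV, "mkcol"):
        raise ValueError("root element must be DAV:mkcol")
    types = set()
    for prop in root.iterfind(f"{{{DAV}}}set/{{{DAV}}}prop/*"):
        name = _split(prop.tag)
        if name not in SETTABLE_PROPS:
            raise ValueError(f"property not settable at creation: {name}")
        if name == (DAV, "resourcetype"):
            for child in prop:
                rtype = _split(child.tag)
                if rtype not in ALLOWED_TYPES:
                    raise ValueError(f"unsupported collection type: {rtype}")
                types.add(rtype)
    if (DAV, "collection") not in types:
        raise ValueError("DAV:collection is required")
    return types

def mkcol_allowed(body: bytes) -> bool:
    # True if validate_mkcol accepts the body, False on any rejection
    try:
        return bool(validate_mkcol(body))
    except (ValueError, ET.ParseError):
        return False

# Constructed sample request body: a CardDAV address book with a display name.
SAMPLE_BODY = (b'<D:mkcol xmlns:D="DAV:" xmlns:C="urn:ietf:params:xml:ns:carddav">'
               b'<D:set><D:prop><D:resourcetype><D:collection/><C:addressbook/>'
               b'</D:resourcetype><D:displayname>Contacts</D:displayname>'
               b'</D:prop></D:set></D:mkcol>')
```

Whatever the allow-list contains, the check keeps the "one method, many collection types" convenience of the draft while leaving the server, not the client, in control of which types and properties a creation request may carry.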