
Last Call Review of draft-ietf-vcarddav-webdav-mkcol-
review-ietf-vcarddav-webdav-mkcol-secdir-lc-canetti-2009-08-18-00

Request Review of draft-ietf-vcarddav-webdav-mkcol
Requested revision No specific revision (document currently at 06)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2009-08-25
Requested 2009-08-03
Authors Cyrus Daboo
I-D last updated 2009-08-18
Completed reviews Secdir Last Call review of -?? by Ran Canetti
Assignment Reviewer Ran Canetti
State Completed
Request Last Call review on draft-ietf-vcarddav-webdav-mkcol by Security Area Directorate Assigned
Completed 2009-08-18
***   I have reviewed this document as part of the security directorate's
***   ongoing effort to review all IETF documents being processed by the
***   IESG.  These comments were written primarily for the benefit of the
***   security area directors.  Document editors and WG chairs should treat
***   these comments just like any other last call comments.


The draft describes an update for the MKCOL request in WebDAV. The update
essentially allows for establishing a generic collection on the server (in
XML), thus reducing the need for creating additional methods.

The document states that this generalization has no security implications.

I'm far from being a WebDAV or XML expert, and it might well be the case
that the document is correct in this assertion. But, at least on the face
of things, it seems that allowing clients to make generic XML MKCOL
requests might make it harder for servers to protect against compromise by
malicious clients. (At least some of the curbs that were put before, by
forcing specific MKCOL requests per application, may now be removed.) It
might be good to discuss this potential concern and clarify its
relevance/irrelevance.




Best,

Ran
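As an added illustration of the concern raised in the review (this is not code from the draft, from the reviewer, or from any WebDAV implementation), the block below shows what a server has to do with the generic request body before creating anything: parse the DAV:mkcol / DAV:set / DAV:prop structure the draft defines, and then check the requested DAV:resourcetype and any other properties against an allow-list, so that a client cannot ask for collection types or properties the server never intended to expose through MKCOL. The allow-lists, the body-size cap, the refusal of DTDs, the HTTP status codes chosen for each rejection, and the sample request bodies are all assumptions of this example, not requirements stated on this page.

```python
"""Server-side validation of an Extended MKCOL request body.

Added example, not code from the draft or the review. It assumes the body
layout the draft defines (DAV:mkcol wrapping DAV:set / DAV:prop, with the
wanted collection types listed under DAV:resourcetype). The allow-lists,
size cap, DTD refusal and status codes are this example's own policy.
"""
import xml.etree.ElementTree as ET

DAV = "DAV:"
CARDDAV = "urn:ietf:params:xml:ns:carddav"

# Assumed server policy: the only collection types a client may request.
ALLOWED_RESOURCETYPES = {
    f"{{{DAV}}}collection",
    f"{{{CARDDAV}}}addressbook",
}
# Assumed server policy: the only properties a client may set at creation.
ALLOWED_PROPS = {
    f"{{{DAV}}}resourcetype",
    f"{{{DAV}}}displayname",
}
MAX_BODY_BYTES = 64 * 1024  # assumed cap on the request body


class MkcolError(Exception):
    """Carries the HTTP status the server should answer with."""

    def __init__(self, status: int, reason: str):
        super().__init__(f"{status} {reason}")
        self.status = status
        self.reason = reason


def parse_mkcol(body: bytes) -> dict:
    """Return {'resourcetype': set of qualified names, 'props': {qname: text}}
    for an acceptable body, or raise MkcolError with the status to send."""
    if len(body) > MAX_BODY_BYTES:
        raise MkcolError(413, "request body too large")
    # A mkcol body never needs a DTD, and entity expansion is the classic way
    # to turn an XML parser against its host, so refuse DTDs outright.
    if b"<!DOCTYPE" in body or b"<!ENTITY" in body:
        raise MkcolError(400, "DTD not allowed")
    try:
        root = ET.fromstring(body)
    except ET.ParseError as e:
        raise MkcolError(400, f"malformed XML: {e}")
    if root.tag != f"{{{DAV}}}mkcol":
        raise MkcolError(400, "root element must be DAV:mkcol")

    resourcetype = set()
    props = {}
    for prop in root.iterfind(f"{{{DAV}}}set/{{{DAV}}}prop/*"):
        # Reject rather than silently drop: the client asked for something
        # this server does not let clients set through MKCOL (assumed policy).
        if prop.tag not in ALLOWED_PROPS:
            raise MkcolError(403, f"property not allowed: {prop.tag}")
        if prop.tag == f"{{{DAV}}}resourcetype":
            for rt in prop:
                if rt.tag not in ALLOWED_RESOURCETYPES:
                    raise MkcolError(403, f"resourcetype not allowed: {rt.tag}")
                resourcetype.add(rt.tag)
        else:
            props[prop.tag] = (prop.text or "").strip()
    # Assumed policy: whatever else it is, the new resource is a collection.
    if f"{{{DAV}}}collection" not in resourcetype:
        raise MkcolError(403, "resourcetype must include DAV:collection")
    return {"resourcetype": resourcetype, "props": props}


def handle(body: bytes):
    """Map a body to (HTTP status, parsed request or None)."""
    try:
        return 201, parse_mkcol(body)
    except MkcolError as e:
        return e.status, None


# Constructed sample bodies for this example (not taken from the draft).
GOOD_BODY = b"""<?xml version="1.0" encoding="utf-8"?>
<D:mkcol xmlns:D="DAV:" xmlns:C="urn:ietf:params:xml:ns:carddav">
  <D:set>
    <D:prop>
      <D:resourcetype><D:collection/><C:addressbook/></D:resourcetype>
      <D:displayname>Work Contacts</D:displayname>
    </D:prop>
  </D:set>
</D:mkcol>"""

# A client asking for a collection type the server never offered.
BAD_TYPE_BODY = b"""<D:mkcol xmlns:D="DAV:" xmlns:X="urn:example:not-offered">
  <D:set><D:prop>
    <D:resourcetype><D:collection/><X:admin-collection/></D:resourcetype>
  </D:prop></D:set>
</D:mkcol>"""

# An entity-expansion payload smuggled into an otherwise valid body.
BOMB_BODY = (b'<?xml version="1.0"?><!DOCTYPE d [<!ENTITY a "aaaaaaaaaa">'
             b'<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">]>'
             b'<D:mkcol xmlns:D="DAV:"><D:set><D:prop>'
             b'<D:displayname>&b;</D:displayname></D:prop></D:set></D:mkcol>')

if __name__ == "__main__":
    for name, body in [("good", GOOD_BODY), ("bad-type", BAD_TYPE_BODY), ("bomb", BOMB_BODY)]:
        print(name, handle(body))
```

The point of the allow-list is the one the review makes: with a method-per-application design the server only ever sees requests it explicitly implemented, whereas with a generic body the server itself has to decide which requested types and properties it is willing to honour, and anything not on that list should be rejected rather than created.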