Last Call Review of draft-reschke-webdav-post-
review-reschke-webdav-post-secdir-lc-santesson-2010-05-03-00

Request Review of draft-reschke-webdav-post
Requested rev. no specific revision (document currently at 08)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2010-05-07
Requested 2010-04-15
Other Reviews
Review State Completed
Reviewer Stefan Santesson
Review review-reschke-webdav-post-secdir-lc-santesson-2010-05-03
Posted at http://www.ietf.org/mail-archive/web/secdir/current/msg01650.html
Draft last updated 2010-05-03
Review completed: 2010-05-03

Review
review-reschke-webdav-post-secdir-lc-santesson-2010-05-03

Title: 

SecDir revirw of draft-reschke-webdav-post-06





I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments.





This document inherits the security considerations of WebDAV as well as XML. RFC 4918 clearly identifies that WebDAV, through its nature of providing users with capabilities to change and collect information from web servers, introduces a number of security issues which need to be addressed through means of protected and authenticated communication.





Rather than introducing completely new functions to WebDAV, the current draft specifies the meaning existing functions as well as means of discovering server support for this draft.





From this perspective I can’t see that this draft introduce new risks that are not already addressed in the security considerations section of this draft or inherited sections form other documents (such as RFC 4918).





/Stefan Santesson