Re: Seeking Feedback on Capability URLs Draft

On 05/23/2014 09:28 AM, Daniel Appelquist wrote:
> Hi folks - as discussed, I’ve made a blog post
> http://www.w3.org/blog/TAG/2014/05/22/capability-urls-feedback/
> seeking some feedback on the Capability URLs draft. The goal here is
> to get some more eyeballs looking at this and feeding back to us so
> we can finalize this document and get it out the door as a finding by
> the July f2f. If you can help spread the word on this it will help
> get more feedback which will mean a better finding.

One rather more specific piece of feedback that I forgot to mention 
earlier is that a UUID may either be overkill for a capability URL, or 
it may be insufficient.

There are at least 4 versions of the UUID. Only one of these (version 4) 
provides something which is random enough to provide enough 
unguessability for most uses.

If one uses a UUID made from a MAC address (version 1) for example, then 
the MAC address may either be guessable, or directly available to an 
attacker, making the entropy contained in the UUID much lower, and thus 
the UUID/URL more guessable.

OWASP has good guidance on session identifiers which is relevant: 
https://www.owasp.org/index.php/Insufficient_Session-ID_Length

I would say that a better way to describe the requirement here is to 
recommend the use of a "cryptographically secure random number", 
suitably encoded. This random number should be large enough to resist 
brute-force attacks within the period of time that the URL is expected 
to remain accessible to the legitimate user.

A type 4 UUID with 122 bits of entropy may suffice for some uses, if 
you follow the OWASP guidance, and your "session" is not long.

One should weigh these guidelines against the value of the item being 
addressed with the URL, and the ease of the attack. Both of these may 
either increase or reduce the number of bits you assign to a capability 
URL's unguessable component.

Cheers,

- johnk

>
> Thanks, Dan
>
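As an added example (not part of this thread or of the Capability URLs draft), a Python sketch of the sizing argument above: generate the unguessable URL component from a CSPRNG, size it from an assumed guess rate and URL lifetime in the OWASP session-ID manner, and show how little of a version-1 UUID remains to be guessed once the MAC address is known. The guess rates, lifetimes and the MAC value are constructed figures.

```python
import base64
import math
import secrets
import uuid

TOKEN_BYTES = 32  # 256 bits from the OS CSPRNG, well above a v4 UUID's 122 bits


def new_capability_token(n_bytes: int = TOKEN_BYTES) -> str:
    """Unguessable URL component: CSPRNG bytes, URL-safe base64, padding stripped."""
    return secrets.token_urlsafe(n_bytes)


def token_bits(token: str) -> int:
    """Exact number of random bits a token_urlsafe() token carries."""
    padded = token + "=" * (-len(token) % 4)
    return len(base64.urlsafe_b64decode(padded)) * 8


def bits_required(guesses_per_second: float, lifetime_seconds: float,
                  live_urls: int = 1, max_hit_probability: float = 1e-6) -> int:
    """Entropy bits such that an attacker guessing at the given rate for the
    whole lifetime of the URL has at most max_hit_probability chance of hitting
    any one of live_urls valid tokens (the OWASP session-ID sizing argument)."""
    guesses = guesses_per_second * lifetime_seconds
    # P(hit) ~= guesses * live_urls / 2**bits  =>  bits >= log2(guesses * live_urls / P)
    return math.ceil(math.log2(guesses * live_urls / max_hit_probability))


def token_is_acceptable(token: str, needed_bits: int) -> bool:
    """Check a generated token against the sizing from bits_required()."""
    return token_bits(token) >= needed_bits


def uuid1_leaks_node(node: int) -> bool:
    """The node (MAC address) field is stored in the clear in every v1 UUID."""
    return uuid.uuid1(node=node).node == node


def uuid1_residual_bits(window_seconds: float) -> float:
    """What is left to guess in a v1 UUID when the attacker knows the MAC and the
    issue time to within window_seconds: the 14-bit clock sequence plus the
    100 ns timestamp ticks inside that window (6 bits are fixed version/variant)."""
    ticks = max(1, int(window_seconds * 10_000_000))  # v1 timestamps count 100 ns ticks
    return 14 + math.log2(ticks)
```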

Received on Friday, 23 May 2014 18:31:53 UTC