Re: draft-fielding-uri-rfc2396bis-03, section 7 from Roy T. Fielding on 2004-02-16 (uri@w3.org from February 2004)

From: Roy T. Fielding <fielding@gbiv.com>
Date: Sun, 15 Feb 2004 20:39:44 -0800
To: Martin Duerst <duerst@w3.org>
Cc: uri@w3.org
Message-Id: <24902674-603A-11D8-8468-000393753936@gbiv.com>

On Wednesday, June 18, 2003, at 08:44  AM, Martin Duerst wrote:
> 7.1: It is unclear how 'Reliability and Consistency' relate
>      to security. In some cases, these are related, in others,
>      they are independent.
>
>      I suggest adding some additional text, e.g.:
>
>      Therefore, if the information retrieved from an URI is
>      used for security-relevant operations, or if the operation
>      triggered by the URI itself is security-relevant, means
>      other than just checking the identity of the URI
>      (i.e. checking the actual information returned,...)
>      are necessary.

I don't think this needs further clarification -- Security as a topic
is more general than authentication and authorization, and I don't
want to define it in this spec.

> 7.2: 'via a SMTP server' -> 'via an SMTP server'

Fixed.

> 7.2, last paragraph (about escaped delimiters, e.g. for TCP):
>      This is a valid security concern, but I think it is unclear
>      and too general.

It has been rewritten since draft 03.

> Please add: Spoofing by using visually similar URIs.
> This is a consideration that is missing, but that is important.
> It is somewhat related to 7.5, and may go in there, but it is
> different in nature in that there is much closer visual similarity.
> For text, I suggest you look at section 7 of
> http://www.w3.org/International/iri-edit/draft-duerst-iri-03.txt,
> in particular the paragraphs on spoofing, and scale that down
> to the ASCII-only context.

I don't have any advice that I can give to implementers regarding
ASCII letter/number confusion; IRI has a much harder task here.

> Please add: Some security consideration corresponding to attacks
> such as Nimda. This is somewhat related to the 'unescaping'
> issue at the end of 7.3, but is different in that unescaping
> occurs on the server side, and in the wrong order (e.g.
> unescaping slashes after checking security but before
> parsing and execution) or to a greater extent than appropriate
> (e.g. wrongly unescaping 'overlong UTF-8' encodings of
> syntactic characters, or doing too many rounds of unescaping
> (e.g. unescaping %252F twice: %252F -> %2F -> /). For text,
> please see the first paragraph of section 7 in
> http://www.w3.org/International/iri-edit/draft-duerst-iri-03.txt.

I have added a new section on back-end transcoding.

....Roy

Received on Sunday, 15 February 2004 23:38:42 UTC