- From: Roy T. Fielding <fielding@gbiv.com>
- Date: Sun, 15 Feb 2004 20:39:44 -0800
- To: Martin Duerst <duerst@w3.org>
- Cc: uri@w3.org
On Wednesday, June 18, 2003, at 08:44 AM, Martin Duerst wrote: > 7.1: It is unclear how 'Reliability and Consistency' relate > to security. In some cases, these are related, in others, > they are independent. > > I suggest adding some additional text, e.g.: > > Therefore, if the information retrieved from an URI is > used for security-relevant operations, or if the operation > triggered by the URI itself is security-relevant, means > other than just checking the identity of the URI > (i.e. checking the actual information returned,...) > are necessary. I don't think this needs further clarification -- Security as a topic is more general than authentication and authorization, and I don't want to define it in this spec. > 7.2: 'via a SMTP server' -> 'via an SMTP server' Fixed. > 7.2, last paragraph (about escaped delimiters, e.g. for TCP): > This is a valid security concern, but I think it is unclear > and too general. It has been rewritten since draft 03. > Please add: Spoofing by using visually similar URIs. > This is a consideration that is missing, but that is important. > It is somewhat related to 7.5, and may go in there, but it is > different in nature in that there is much closer visual similarity. > For text, I suggest you look at section 7 of > http://www.w3.org/International/iri-edit/draft-duerst-iri-03.txt, > in particular the paragraphs on spoofing, and scale that down > to the ASCII-only context. I don't have any advice that I can give to implementers regarding ASCII letter/number confusion; IRI has a much harder task here. > Please add: Some security consideration corresponding to attacks > such as Nimda. This is somewhat related to the 'unescaping' > issue at the end of 7.3, but is different in that unescaping > occurs on the server side, and in the wrong order (e.g. > unescaping slashes after checking security but before > parsing and execution) or to a greater extent than appropriate > (e.g. wrongly unescaping 'overlong UTF-8' encodings of > syntactic characters, or doing too many rounds of unescaping > (e.g. unescaping %252F twice: %252F -> %2F -> /). For text, > please see the first paragraph of section 7 in > http://www.w3.org/International/iri-edit/draft-duerst-iri-03.txt. I have added a new section on back-end transcoding. ....Roy
Received on Sunday, 15 February 2004 23:38:42 UTC