IETF Logo Mail Archive

Re: [Ecrit] Re: [Geopriv] RFC 3205 & HELD

Lisa Dusseault <lisa@osafoundation.org> Thu, 08 November 2007 19:52 UTC

Return-path: <geopriv-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1IqDQV-0003qv-Dz; Thu, 08 Nov 2007 14:52:31 -0500
Received: from geopriv by megatron.ietf.org with local (Exim 4.43) id 1IqDQU-0003qq-Ej for geopriv-confirm+ok@megatron.ietf.org; Thu, 08 Nov 2007 14:52:30 -0500
Received: from [10.90.34.44] (helo=chiedprmail1.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IqDQU-0003qi-1N for geopriv@ietf.org; Thu, 08 Nov 2007 14:52:30 -0500
Received: from laweleka.osafoundation.org ([204.152.186.98]) by chiedprmail1.ietf.org with esmtp (Exim 4.43) id 1IqDQT-00034P-7o for geopriv@ietf.org; Thu, 08 Nov 2007 14:52:29 -0500
Received: from localhost (laweleka.osafoundation.org [127.0.0.1]) by laweleka.osafoundation.org (Postfix) with ESMTP id 4681514220D; Thu, 8 Nov 2007 11:52:28 -0800 (PST)
X-Virus-Scanned: by amavisd-new and clamav at osafoundation.org
Received: from laweleka.osafoundation.org ([127.0.0.1]) by localhost (laweleka.osafoundation.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Mqruvs8BofHh; Thu, 8 Nov 2007 11:52:19 -0800 (PST)
Received: from [10.1.1.107] (unknown [157.22.41.236]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by laweleka.osafoundation.org (Postfix) with ESMTP id 83230142210; Thu, 8 Nov 2007 11:52:19 -0800 (PST)
In-Reply-To: <472DF1C5.4060808@gmx.net>
References: <4724626A.3030806@gmx.net> <47249A6E.5080808@bbn.com> <47249B43.9050204@gmx.net> <833469F6-60AB-4EA9-A038-AEAA0F992382@cisco.com> <472DF1C5.4060808@gmx.net>
Mime-Version: 1.0 (Apple Message framework v752.3)
Content-Type: text/plain; charset="US-ASCII"; delsp="yes"; format="flowed"
Message-Id: <46A1292D-7C8E-4059-8521-8F111E33BCFF@osafoundation.org>
Content-Transfer-Encoding: 7bit
From: Lisa Dusseault <lisa@osafoundation.org>
Subject: Re: [Ecrit] Re: [Geopriv] RFC 3205 & HELD
Date: Thu, 08 Nov 2007 11:52:16 -0800
To: Hannes Tschofenig <Hannes.Tschofenig@gmx.net>
X-Mailer: Apple Mail (2.752.3)
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 68ba2b07ef271dba6ee42a93832cfa4c
Cc: GEOPRIV <geopriv@ietf.org>
X-BeenThere: geopriv@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Geographic Location/Privacy <geopriv.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/geopriv>, <mailto:geopriv-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:geopriv@ietf.org>
List-Help: <mailto:geopriv-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/geopriv>, <mailto:geopriv-request@ietf.org?subject=subscribe>
Errors-To: geopriv-bounces@ietf.org

BCP 56 gets a worse rap than it deserves.  It's quite right that with  
great power (the flexibility in HTTP) comes great danger.  We don't  
always define new ports and schemes for new applications transported  
over HTTP, but that's because convenience is trumping security  
caution in most of those cases.

The danger of arbitrary URLs and HTTP URLs in particular came up  
recently in SIEVE notifications, a case which I'll explain has some  
relevance for Geopriv scenarios.

In the SIEVE notification framework, an email can trigger a  
notification over some other protocol.  It would be useful if the  
notification had a link to the email that triggered it.  Then the  
client can jump straight from the notification to the important  
email.  Naturally, this will be a URL in the notification body or  
headers.

But what kind of URL?  It should not be a "mailto:" or "tel:" style  
URL because there's nothing sensible the client can do with that.  It  
should not be allowed to be a "data:" URL that contains the whole  
email, some script instructions, or arbitrary other crap which might  
even be dangerous if it were used too trustingly.  It should of  
course be allowed to be an IMAP or POP URL (in fact, we should  
recommend to clients that support these notifications that they be  
able to handle IMAP or POP URLs).

But what about HTTP or Web mail?  Can these notifications contain  
HTTP URLs which may be direct pointers to the triggering email?   
Since Web mail systems are so common of course this would be useful.   
Unfortunately, it's potentially one of the most dangerous kinds of  
URLs we commonly see.  Clicking on an HTTP URL can lead to 404 Not  
Found; even though "cool URLs don't change", many do in practice.  It  
can be useless because although it retrieves a resource, that  
resource is a MIME type like PDF or PNG that the client doesn't know  
what to do with.  It can lead to a fancy HTML page with frames and  
scripts and logos and buttons: again, a rich client doesn't know what  
to do with this so it gets handed off to a fully capable browser.   
Hello phishing platform -- a handy way for a phisher to draw a user  
neatly through a familiar process in which they provide their email  
password to an attacker.

Since Geopriv is also contemplating HTTP URLs, this will be a similar  
issue.  Perhaps Geopriv can do a little better because the resource  
to be found at a location URL has a better defined content type than  
non-standardized Web mail does.

In general:
  - Fields that can contain arbitrary URLs are bad for interoperability
  - Fields that can contain HTTP URLs without clear expectations on  
what kind of resource must be at the URL, can also be bad for  
interoperability
  - These can both be bad for security and privacy

Lisa


On Nov 4, 2007, at 8:22 AM, Hannes Tschofenig wrote:

> Yep; I think so too.
>
> I personally think it is much simpler not to change port numbers  
> even for non-Web browsing applications.
> However, I got the impression that these issues might come up  
> during IETF Last Call / IESG processing given that there is this  
> BCP document that talks about this subject.
>
> Ciao
> Hannes
>
>
> Cullen Jennings wrote:
>>
>> This was one of the topics where I think Lisa as a technical  
>> advisor for the group can come in very helpful.
>>
>> On Oct 28, 2007, at 7:22 AM, Hannes Tschofenig wrote:
>>
>>> RFC 3205 essentially says: If you use HTTP for things other than  
>>> webbrowsing then you should register a new URI scheme and use a  
>>> different port number.
>>>
>>> I was wondering what people think about that idea.
>>>
>>>
>>> Richard Barnes wrote:
>>>> It's also worth noting that RFC 3205 is just a set of  
>>>> recommendations, not anything binding.  Since the document  
>>>> doesn't make a general requirement for ALL http-based protocols  
>>>> to have a different URI scheme and port number, was there  
>>>> something in particular about HELD that led you to those  
>>>> requirements?
>>>>
>>>> We should probably have this same debate about LoST, although it  
>>>> may be mostly subsumed by previous discussions.  (Cross-posted  
>>>> to ECRIT)
>>>>
>>>> --RB
>>>>
>>>>
>>>>
>>>>
>>>> Hannes Tschofenig wrote:
>>>>> I have read RFC 3205 and my impression is that for HELD we have to
>>>>> * define a new URI scheme, and
>>>>> * use a different port number.
>>>>>
>>>>> Thoughts?
>>>>>
>>>>> Ciao
>>>>> Hannes
>>>>>
>>>>> PS: What is the value of WSDL in the HELD specification?
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Geopriv mailing list
>>>>> Geopriv@ietf.org
>>>>> https://www1.ietf.org/mailman/listinfo/geopriv
>>>>>
>>>
>>>
>>> _______________________________________________
>>> Ecrit mailing list
>>> Ecrit@ietf.org
>>> https://www1.ietf.org/mailman/listinfo/ecrit
>
>
>
> _______________________________________________
> Geopriv mailing list
> Geopriv@ietf.org
> https://www1.ietf.org/mailman/listinfo/geopriv



_______________________________________________
Geopriv mailing list
Geopriv@ietf.org
https://www1.ietf.org/mailman/listinfo/geopriv

v2.23.0 | Report a Bug | By Email