Post by josephreynolds1 on Mar 31, 2021 16:02:16 GMT
Where is uri-reference defined? I want to know which protocols a service is required to accept.
For example, in the Redfish EventDestination schema, the Destination property format is uri-reference. Is it okay for this to accept only https destinations (and not accept http)?
Related: Can the Redfish spec DSP0266 > "Security details" > "Transport Layer Security (TLS) protocol" section be updated to discourage use of insecure transport protocols? My suggestion is weaker than deprecating the use of insecure transport protocols. For example: Services are discouraged from accepting insecure transport protocols such as http and ws, and are encouraged to offer only secure protocols such as https and wss.
Post by mraineri on Mar 31, 2021 19:50:43 GMT
"uri-reference" is defined by JSON Schema: json-schema.org/understanding-json-schema/reference/string.html
"URI Reference (either a URI or a relative-reference), according to RFC3986, section 4.1."
You can certainly impose additional restrictions for your implementation if you want to provide that sort of protection; all we guarantee from a schema perspective is that it meets the requirements of the schema language.
We can talk more about the discouragement text. There have been use cases in certain applications where HTTP is desirable from a performance perspective, such as the dedicated network host interface, so I'd be concerned about the interpretation for some of those types of use cases.
Post by josephreynolds1 on Mar 31, 2021 23:21:21 GMT
Thanks for your explanation and clarification. That was my main question. The followup is just to make it easier to find the answer the next time.
I believe that over time all uses of insecure transport protocols will be scrutinized, and more will be secured, including your dedicated host network interface use case. Perhaps: Services are encouraged to only offer protocols which have transport layer security. For example, a `uri-reference` accepts https or wss but not http or ws.
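An added example, not part of the original posts and not code from DMTF or any Redfish implementation: one way a service could impose the additional restriction discussed in this thread on EventDestination Destination values. Because `uri-reference` also admits relative references and any scheme, the check requires an absolute URI with a host and an allowed scheme; the function name, the allowed-scheme set and the sample destinations are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: this set is the service's own policy, not a DSP0266 requirement.
SECURE_SCHEMES = frozenset({"https", "wss"})


def check_destination(value, allowed_schemes=SECURE_SCHEMES):
    """Return (ok, reason) for a candidate Destination string (hypothetical helper)."""
    if not isinstance(value, str) or not value:
        return False, "empty value"
    # Reject spaces and control characters up front; urlsplit would
    # otherwise silently strip some of them before parsing.
    if any(ord(c) < 0x21 or ord(c) == 0x7F for c in value):
        return False, "space or control character"
    try:
        parts = urlsplit(value)
        parts.port  # accessing .port raises ValueError on a bad port
    except ValueError as exc:
        return False, f"malformed: {exc}"
    # The uri-reference format also matches relative references such as
    # "/path" or "//host/path"; those carry no scheme to apply policy to.
    if not parts.scheme:
        return False, "relative reference: no scheme to judge"
    # urlsplit lowercases the scheme, so "HTTPS" and "https" compare equal.
    if parts.scheme not in allowed_schemes:
        return False, f"scheme {parts.scheme!r} not allowed"
    if not parts.hostname:
        return False, "no host"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample destinations, not taken from any real service.
    samples = [
        "https://collector.example/events",
        "WSS://collector.example:8443/events",
        "http://collector.example/events",
        "ws://collector.example/events",
        "/redfish/v1/EventService",
        "//collector.example/events",
        "https:///events",
    ]
    for s in samples:
        print(f"{s!r:45} -> {check_destination(s)}")
```

A service that must keep plain HTTP for a case such as the dedicated host interface mentioned above could pass a wider `allowed_schemes` for that interface only.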