IETF Logo Mail Archive

[abfab] Gen-ART review of draft-ietf-abfab-eapapplicability-04

"Black, David" <david.black@emc.com> Mon, 08 July 2013 20:44 UTC

Return-Path: <david.black@emc.com>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9B91621F9E18; Mon, 8 Jul 2013 13:44:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SYiHA9L0gMKd; Mon, 8 Jul 2013 13:44:26 -0700 (PDT)
Received: from mexforward.lss.emc.com (hop-nat-141.emc.com [168.159.213.141]) by ietfa.amsl.com (Postfix) with ESMTP id 798DA21F9E0D; Mon, 8 Jul 2013 13:44:24 -0700 (PDT)
Received: from hop04-l1d11-si01.isus.emc.com (HOP04-L1D11-SI01.isus.emc.com [10.254.111.54]) by mexforward.lss.emc.com (Switch-3.4.3/Switch-3.4.3) with ESMTP id r68KhwW7016168 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 8 Jul 2013 16:44:07 -0400
Received: from mailhub.lss.emc.com (mailhubhoprd03.lss.emc.com [10.254.221.145]) by hop04-l1d11-si01.isus.emc.com (RSA Interceptor); Mon, 8 Jul 2013 16:43:43 -0400
Received: from mxhub12.corp.emc.com (mxhub12.corp.emc.com [10.254.92.107]) by mailhub.lss.emc.com (Switch-3.4.3/Switch-3.4.3) with ESMTP id r68Khg2q012722; Mon, 8 Jul 2013 16:43:43 -0400
Received: from mxhub40.corp.emc.com (128.222.70.107) by mxhub12.corp.emc.com (10.254.92.107) with Microsoft SMTP Server (TLS) id 8.3.297.1; Mon, 8 Jul 2013 16:43:42 -0400
Received: from mx15a.corp.emc.com ([169.254.1.184]) by mxhub40.corp.emc.com ([128.222.70.107]) with mapi; Mon, 8 Jul 2013 16:43:42 -0400
From: "Black, David" <david.black@emc.com>
To: "Black, David" <david.black@emc.com>, "stefan.winter@restena.lu" <stefan.winter@restena.lu>, "jsalowey@cisco.com" <jsalowey@cisco.com>, General Area Review Team <gen-art@ietf.org>
Date: Mon, 08 Jul 2013 16:43:41 -0400
Thread-Topic: Gen-ART review of draft-ietf-abfab-eapapplicability-04
Thread-Index: Ac5rzQ3h5Vr98eb9RParuraCHgwUcgQTfgIg
Message-ID: <8D3D17ACE214DC429325B2B98F3AE712983F2C87@MX15A.corp.emc.com>
References: <8D3D17ACE214DC429325B2B98F3AE71298265158@MX15A.corp.emc.com>
In-Reply-To: <8D3D17ACE214DC429325B2B98F3AE71298265158@MX15A.corp.emc.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-EMM-MHVC: 1
Cc: "abfab@ietf.org" <abfab@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>
Subject: [abfab] Gen-ART review of draft-ietf-abfab-eapapplicability-04
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Jul 2013 20:44:31 -0000

The -04 version of this draft resolves the minor issue noted in
the Gen-ART review of the -03 version.

There is a remaining editorial nit, in that the one use of
"non-network" in the -04 version would benefit from clarification.
I suggest the following text change to the start of the paragraph
that's split across pages 3 and 4 (change is to last line of excerpt):

OLD
   Operators need to carefully consider the security implications before
   relaxing these requirements.  One potentially serious attack exists
   when channel binding is not required and EAP authentication is
   introduced into an existing non-network service.

NEW
   Operators need to carefully consider the security implications before
   relaxing these requirements.  One potentially serious attack exists
   when channel binding is not required and EAP authentication is
   introduced into an existing service other than network access.
	
Thanks,
--David

> -----Original Message-----
> From: Black, David
> Sent: Monday, June 17, 2013 10:39 PM
> To: stefan.winter@restena.lu; jsalowey@cisco.com; General Area Review Team
> Cc: ietf@ietf.org; abfab@ietf.org; Black, David
> Subject: Gen-ART review of draft-ietf-abfab-eapapplicability-03
> 
> I am the assigned Gen-ART reviewer for this draft. For background on
> Gen-ART, please see the FAQ at
> 
> <http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>.
> 
> Please resolve these comments along with any other Last Call comments
> you may receive.
> 
> Document: draft-ietf-abfab-eapapplicability-03
> Reviewer: David L. Black
> Review Date: June 17, 2003
> IETF LC End Date: June 17, 2003
> 
> Summary:
> This draft is on the right track but has open issues, described in the review.
> 
> This draft updates the applicability statement for EAP to include usage
> for application layer access via EAP over GSSAPI.  Additional security
> requirements are introduced for environments in which EAP is used for
> that purpose.
> 
> I found one open issue, which is minor, and may be editorial
> 
> Major issues: None
> 
> Minor issues: One
> 
> The next to last paragraph on p.3 begins with this sentence:
> 
>    For these reasons, channel binding MUST be implemented by peers, EAP
>    servers and AAA servers in environments where EAP authentication is
>    used to access application layer services.
> 
> It appear that this "MUST" requirement applies to all uses of EAP,
> including network access authentication, not just application layer access
> authentication.  If so, that's not immediately obvious from the text, and
> an additional sentence should be added to make this clearer.  If not,
> the above sentence needs to exclude network access authentication from
> that requirement.
> 
> Nits/editorial comments:
> 
> The same paragraph (p.3) continues with:
> 
>    In addition, channel
>    binding MUST default to being required by peers for non-network
>    authentication.  If the EAP server is aware that authentication is
>    for something other than a network service, it too MUST default to
>    requiring channel binding.
> 
> What is meant by "non-network authentication" and "other than a network
> service"?  If those mean "other than for network access authentication"
> as the term "network access authentication" is used in section 1 and
> RFC 3748, that meaning should be clarified.
> 
> idnits 2.12.17 generated this comment:
> 
>   -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
>      have content which was first submitted before 10 November 2008.  If you
>      have contacted all the original authors and they are all willing to grant
>      the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
>      this comment.  If not, you may need to add the pre-RFC5378 disclaimer.
>      (See the Legal Provisions document at
>      http://trustee.ietf.org/license-info for more information.)
> 
> idnits appears to be confused ;-).  The -00 version of this draft is from
> 2012,
> and this draft does not contain sufficient material from RFC 3748 that would
> raise that concern, so this comment should be ok to ignore.
> 
> Thanks,
> --David
> ----------------------------------------------------
> David L. Black, Distinguished Engineer
> EMC Corporation, 176 South St., Hopkinton, MA  01748
> +1 (508) 293-7953             FAX: +1 (508) 293-7786
> david.black@emc.com        Mobile: +1 (978) 394-7754
> ----------------------------------------------------

v2.23.0 | Report a Bug | By Email