[Gen-art] Gen-art LC review of draft-ietf-dime-erp-12
Elwyn Davies <elwynd@dial.pipex.com> Mon, 24 September 2012 22:03 UTC
Return-Path: <elwynd@dial.pipex.com>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 618CB1F0C8A for <gen-art@ietfa.amsl.com>; Mon, 24 Sep 2012 15:03:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.598
X-Spam-Level:
X-Spam-Status: No, score=-102.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rkF+wJgvi-3S for <gen-art@ietfa.amsl.com>; Mon, 24 Sep 2012 15:03:51 -0700 (PDT)
Received: from mk-outboundfilter-5.mail.uk.tiscali.com (mk-outboundfilter-5.mail.uk.tiscali.com [212.74.114.1]) by ietfa.amsl.com (Postfix) with ESMTP id 20ADA1F041D for <gen-art@ietf.org>; Mon, 24 Sep 2012 15:03:50 -0700 (PDT)
X-Trace: 559376107/mk-outboundfilter-5.mail.uk.tiscali.com/PIPEX/$OFF_NET_AUTH_ACCEPTED/None/87.192.231.145/None/elwynd@dial.pipex.com
X-SBRS: None
X-RemoteIP: 87.192.231.145
X-IP-MAIL-FROM: elwynd@dial.pipex.com
X-SMTP-AUTH: elwynd@dial.pipex.com
X-MUA: Mozilla/5.0 (X11; Linux i686; rv:12.0) Gecko/20120430 Thunderbird/12.0.1
X-IP-BHB: Once
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: ApIBAIrXYFBXwOeR/2dsb2JhbAANOMMCASgHDRYYAwIBAgFLDQEHAQGIDKUKk3aLGxSDVYJZA5VlgRWEOTWMeg6BWQ
X-IronPort-AV: E=Sophos; i="4.80,478,1344207600"; d="scan'208,217"; a="559376107"
X-IP-Direction: OUT
Received: from unknown (HELO [10.1.0.117]) ([87.192.231.145]) by smtp.pipex.tiscali.co.uk with ESMTP; 24 Sep 2012 23:03:44 +0100
Message-ID: <5060D8AB.8010807@dial.pipex.com>
Date: Mon, 24 Sep 2012 23:03:23 +0100
From: Elwyn Davies <elwynd@dial.pipex.com>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:12.0) Gecko/20120430 Thunderbird/12.0.1
MIME-Version: 1.0
To: General Area Review Team <gen-art@ietf.org>
Content-Type: multipart/alternative; boundary="------------040503010107030401050602"
Cc: draft-ietf-dime-erp.all@tools.ietf.org
Subject: [Gen-art] Gen-art LC review of draft-ietf-dime-erp-12
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/gen-art>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Sep 2012 22:03:52 -0000
I am the assigned Gen-ART reviewer for this draft. For background on Gen-ART, please see the FAQ at <http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>. Please resolve these comments along with any other Last Call comments you may receive. Document: draft-ietf-dime-erp-12.txt Reviewer: Elwyn Davies Review Date: 24 September 2012 IETF LC End Date: 24 September 2012 IESG Telechat date: (if known) - Summary: Almost ready for the IESG. There are some minor wording issues to sort out in s3, some advice on advertising domain names in s5 and possibly some extra words needed in the security considerations. In addition there a few minor nits. Major issues: None. Minor issues: s3: Both paragraphs use the phrase '...document assumes the existence of at most one...'. Does this really mean 'exactly one'? If not, what happens if there is exactly zero servers for either type? What would the consequences of there being more than one logical server? Is this tied into the statement in s4: > The ER server is located either in the home domain (same as EAP > server) or in the visited domain (same as authenticator, when it > differs from the home domain). This would seem to imply that the zero case means that it may not be essential to have an ER server in a domain. S3, para 1: > If multiple ER servers are deployed in the domain, we assume that > they can be used interchangeably. Are we talking physical servers here? If not please refer to the previous comment. s5, para 1: How would the authenticator advertise the domain name in this context? s13: Looking at the various security considerations that are imported, I wondered if some extra words were needed in respect of a couple of the cases: - s8.4 of RFC 4072: (does distributing the bootstrapping master key make things any worse here?) - s8 of RFC 6696 (does the DIME usage preserve the limited key scope?; is the domino effect equally well avoided?) Nits/editorial comments: s1: 'and re-use the Diameter EAP commands (DER/DEA).' : DER and DEA ought to be expanded here. Or it might be less verbose to point at s2 where they are currently expanded, thus: 'and re-use the Diameter EAP commands listed in Section 2.' s2, para 2: Need to expand acronyms rRK and rDSRK. s4, para 7: Should explicitly say that the ERP/DEA message is sent to the authenticator. s8.3.3: s/RGC 6696/RFC 6696/