[Gen-art] Gen-ART Telechat Review of draft-ietf-radext-radsec-11

Pete McCann <mccap@petoni.org> Tue, 31 January 2012 03:17 UTC

Date: Mon, 30 Jan 2012 22:17:30 -0500
Message-ID: <CACvMsLGwVVF3x92O7j-eBjC4_PZ2EC_DuP-pgi1E-4-XkqT6SA@mail.gmail.com>
From: Pete McCann <mccap@petoni.org>
To: gen-art@ietf.org, draft-ietf-radext-radsec.all@tools.ietf.org

I am the assigned Gen-ART reviewer for this draft. For background on
Gen-ART, please see the FAQ at
<http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>.

Please wait for direction from your document shepherd
or AD before posting a new version of the draft.

Document: draft-ietf-radext-radsec-11
Reviewer: Peter McCann
Review Date: 2012-01-30
IETF LC End Date:
IESG Telechat date: 2012-02-02

Summary: 2 minor issues

Major issues: none

Minor issues:

Section 2.4:
   In TLS-X.509 with PKI infrastructure, a client is uniquely identified
   by the serial number of the tuple (presented client
   certificate;Issuer).
SHOULD BE:
   In TLS-X.509 with PKI infrastructure, a client is uniquely identified
   by the tuple (serial number of presented client certificate;Issuer).

Because RADIUS supports the Disconnect Request (server-to-client) message,
it seems that there is some requirement to keep the TLS session open for the
duration of the access that was authorized. Otherwise, the server would not be
able to send such a packet to the client without initiating its own
TLS connection, which may not be possible or desirable. Is this aspect of the
specification inherited from the referenced TCP specification? It may be
helpful to add a paragraph about this issue.

Nits/editorial comments:

Section 2.3:
   x.y.z
Did you mean to fill in a real section number here?

   Note Section 3.4 (1) )
Missing open paren?