[Gen-art] Genart last call review of draft-ietf-stir-certificates-15

Joel Halpern <jmh@joelhalpern.com> Fri, 17 November 2017 06:56 UTC

From: Joel Halpern <jmh@joelhalpern.com>
To: gen-art@ietf.org
Cc: draft-ietf-stir-certificates.all@ietf.org, stir@ietf.org, ietf@ietf.org
Message-ID: <151090177468.22136.5281729043778955691@ietfa.amsl.com>
Date: Thu, 16 Nov 2017 22:56:14 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/gen-art/sukVvNsSsoD79cpOuRTGYsgH74M>
Subject: [Gen-art] Genart last call review of draft-ietf-stir-certificates-15

Reviewer: Joel Halpern
Review result: Ready

I am the assigned Gen-ART reviewer for this draft. The General Area
Review Team (Gen-ART) reviews all IETF documents being processed
by the IESG for the IETF Chair.  Please treat these comments just
like any other last call comments.

For more information, please see the FAQ at

<https://trac.ietf.org/trac/gen/wiki/GenArtfaq>.

Document: draft-ietf-stir-certificates-15
Reviewer: Joel Halpern
Review Date: 2017-11-16
IETF LC End Date: 2017-11-30
IESG Telechat date: 2017-12-14

Summary:

Major issues:

Minor issues:
    Section 4 bullet 4 in naming the crypto algorithms refers quite clearly to
    2 algorithms.  It then references one of them as RS256.  I assume those
    versed in the field will know which one is meant.  But it would be better
    if the abbreviation RS256 appeared next to the first reference to whichever
    algorithm it means.

    The security considerations section points to RFC 5280 security
    considerations for most issues.  I presume that the intention is to use
    that section regarding trusting CAs.  However, it seems that there is an
    issue here much like that of classic web CAs.  The number of CAs that must
    be trusted seems to be on the order of the number of countries in the
    world.  That seems to leave a large window for false or misleading
    certifications, as I can see nothing which restricts the numbers for which
    those top-level CAs can provide attestation.  I presume we do not want to
    go down the path of requiring an uber-CA for all national authorities.  I
    would expect some explicit recognition of this issue in this document.

Nits/editorial comments: