[i2rs] Ben Campbell's Discuss on draft-ietf-i2rs-protocol-security-requirements-07: (with DISCUSS and COMMENT)

"Ben Campbell" <ben@nostrum.com> Wed, 17 August 2016 21:11 UTC

MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: Ben Campbell <ben@nostrum.com>
To: The IESG <iesg@ietf.org>
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <147146828725.23668.4809857469458650681.idtracker@ietfa.amsl.com>
Date: Wed, 17 Aug 2016 14:11:27 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2rs/DaPkPRTVll6cnYC6QLCQN6YTP6M>
Cc: jhaas@pfrc.org, i2rs@ietf.org, i2rs-chairs@ietf.org, draft-ietf-i2rs-protocol-security-requirements@ietf.org
Subject: [i2rs] Ben Campbell's Discuss on draft-ietf-i2rs-protocol-security-requirements-07: (with DISCUSS and COMMENT)

Ben Campbell has entered the following ballot position for
draft-ietf-i2rs-protocol-security-requirements-07: Discuss

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-i2rs-protocol-security-requirements/



----------------------------------------------------------------------
DISCUSS:
----------------------------------------------------------------------

In section 3.4, the text says that the requirements that the integrity
protection mechanisms can actually provide integrity protection are
SHOULD because some communication may occur over non-secure channels.
That does not follow, since the rationale is about use, while the actual
requirement is about capability.  As currently written, it leaves it
possible for people to select a protocol that cannot provide integrity
protection at all. I think the SHOULDs in 14 and 15 need to be MUSTS.

In the third paragaph of 3.2, Isn't the point to say that ephemeral data
MUST be sent over a secure transport unless the data model explicitly
labels it as safe for insecure transports? As written, it seems to leave
room to send data that is not labeled as safe to also be sent over
insecure transports.


----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

-2.1: I am on the fence about other's comments about copying definitions
here--but if you do copy them here, it seems strange to not mention
"client" or "agent".

I agree with Alissa about equating privacy and confidentiality.

-3.1,: 
I’m confused by the first paragraph. I don’t find strings of the form of
SEC-REQ-XX in 7921. I think _this_ doc sets these requirements, right?

It’s not clear to me how 5 and 6 differ. Is it just a matter of the
additional “before establishing a connection” part in 6?

-3.4: Isn't 15 simply a restatement of the third item under 14?

3.5: The  MAYs in 19 and 20 seem like statements of fact. (That is, do
they simply recognize reality, or to they  grant permission?)

Re: [i2rs] Ben Campbell's Discuss on draft-ietf-i… Ben Campbell
Re: [i2rs] Ben Campbell's Discuss on draft-ietf-i… Joel M. Halpern
[i2rs] Ben Campbell's Discuss on draft-ietf-i2rs-… Ben Campbell
Re: [i2rs] Ben Campbell's Discuss on draft-ietf-i… Susan Hares