[secdir] security review of draft-edwards-urn-smpte-02

"Tobias Gondrom" <tgondrom@opentext.com> Wed, 03 October 2007 12:39 UTC

Date: Mon, 01 Oct 2007 17:04:17 +0200
From: Tobias Gondrom <tgondrom@opentext.com>
To: secdir@mit.edu, iesg@ietf.org, chris.newman@sun.com
Cc: tedwards@pbs.org, ietf@ietf.org
Subject: [secdir] security review of draft-edwards-urn-smpte-02

Hello, 

I have re-reviewed this document (draft-edwards-urn-smpte-02) as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.
These comments were written primarily for the benefit of the security area directors. The document editor should treat these comments just like any other last call comments.

Note: this is a revisit of the document, as the first security review was conducted on version-01 on May 8th, 2007, with no major findings but 5 comments.
I still agree with the author that this document introduces no security issues other than those normally associated with the use and resolution of URNs in general.
All comments from the former security review have been resolved. 
No new problems have been introduced.

This leaves two minor comments on version-02:
1. Minor editorial comment:
Section 8 references: 
"Society of Motion Picture and Television Engineers,
"Uniform Resource Names for SMPTE Resources", SMPTE 2029,
<http://www.smpte.org> (to be published)."

should be changed to
"Society of Motion Picture and Television Engineers,
"Uniform Resource Names for SMPTE Resources", SMPTE 2029-2007,
<http://www.smpte.org>"

since the SMPTE 2029-2007 document has actually been published (as was required for the draft to proceed).
Now only the reference text needs to be updated.

2. The personal comment/note from version-01 remains, as I did not receive feedback on it:
a) I am not sure that SMPTE really needs a formal URN, or why an informal URN would not be sufficient. But this should be decided by the community.
Note: draft version-02 introduced some justification for the need for this new namespace in section 5 of the draft. But from my personal view this mainly amounts to "we need our (SMPTE) own URN which is exclusively under our (SMPTE) control". As a justification this may not be considered a real reason/value by itself and thus may not be sufficient.

b) As the organization seems mainly focussed on the North American continent, it might also be a good idea to pursue, via independent expert reviews, the question of whether there exist potential namespace conflicts with other international organizations in this area (Motion Picture and Television), e.g. ARIB (Association of Radio Industries and Businesses) or others.

Best regards, Tobias Gondrom
__________________________________________
Tobias Gondrom
Head of Open Text Security Team
Director, Product Security

Open Text
Technopark 2
Werner-von-Siemens-Ring 20
D-85630 Grasbrunn

Phone: +49 (0) 89 4629-1816
Mobile: +49 (0) 173 5942987
Telefax: +49 (0) 89 4629-33-1816
eMail: mailto:tobias.gondrom@opentext.com 
Internet: http://www.opentext.com/  

_______________________________________________
Ietf mailing list
Ietf@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf