[secdir] SecDir Review of draft-seantek-ldap-pkcs9-06

Yoav Nir <ynir.ietf@gmail.com> Tue, 09 August 2016 05:26 UTC

From: Yoav Nir <ynir.ietf@gmail.com>
Message-Id: <A49645DE-A830-43F0-B3CB-CA09245483FB@gmail.com>
Date: Tue, 9 Aug 2016 08:26:41 +0300
To: secdir <secdir@ietf.org>, The IESG <iesg@ietf.org>, draft-seantek-ldap-pkcs9.all@tools.ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/-KBtEuGo933p9c20TDaEMwjCeQ8>
Subject: [secdir] SecDir Review of draft-seantek-ldap-pkcs9-06

Note: I was assigned draft-seantek-ldap-pkcs9-05, but since version -06 was available, I reviewed that.

Summary: Ready with nits

The draft adds definitions from PKCS#9 to the IANA registry for LDAP. As such, the IANA Considerations section is the largest and most important part. The OIDs in the draft have already been defined in RFC 2985 (PKCS#9), which has a good Security Considerations section, especially considering that it was written in 2000. Security considerations for this document are mostly those for LDAP and for PKCS#9.

Beyond regular LDAP security considerations, some of the attributes defined in this draft are privacy-sensitive. Section 6 calls out dateOfBirth and placeOfBirth, but the same could be said for gender and countryOfResidence, among others. 

I would have liked slightly stronger language than "may be subject to privacy laws in certain jurisdictions". More like "are sensitive and the information should never be stored or transmitted unencrypted".

One nit about the structure. I believe sections 2, 3, and 5, each occupying less than two lines, could all be combined into a single paragraph in the Introduction.

Yoav