[secdir] SecDir review of draft-ietf-hip-rfc6253-bis-08

Sean Turner <sean@sn3rd.com> Fri, 24 June 2016 13:23 UTC

Return-Path: <sean@sn3rd.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 998E112B01B for <secdir@ietfa.amsl.com>; Fri, 24 Jun 2016 06:23:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=sn3rd.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oSZDDeum8LHi for <secdir@ietfa.amsl.com>; Fri, 24 Jun 2016 06:23:36 -0700 (PDT)
Received: from mail-qk0-x230.google.com (mail-qk0-x230.google.com [IPv6:2607:f8b0:400d:c09::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E06FF12D0C3 for <secdir@ietf.org>; Fri, 24 Jun 2016 06:23:35 -0700 (PDT)
Received: by mail-qk0-x230.google.com with SMTP id c73so145573007qkg.2 for <secdir@ietf.org>; Fri, 24 Jun 2016 06:23:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sn3rd.com; s=google; h=from:content-transfer-encoding:subject:message-id:date:to :mime-version; bh=0KU9wzKXe9NRrnXkcltu62Qz9rNN6oVg5sYZu0syuUc=; b=WmmSnr571fHSuklGLn3AFVq9IAnSQYPuoV4tcjVzC0wqxe3jKNIcZdxTYUNFCA4KQ1 wi8ua/716TEguhxQ/cP9HWx0thCIvZFXQXi84bE/JCp83OCRIa1ikF+yaeaDi+PxrTUb /363NDOit1MLOd3wWkitOTu1Wongbjw/C4eHE=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:content-transfer-encoding:subject :message-id:date:to:mime-version; bh=0KU9wzKXe9NRrnXkcltu62Qz9rNN6oVg5sYZu0syuUc=; b=mQuVr3/SnTnwMOpAqlJn7eHpai0vCychOX8Sd5Ar7afsLrhbN+3hPVKDSUJwFh8WkV ex1kB8RADsF/27hPi16v+6EoxbdiC0gRCsqGzuv9f3EYev5ApA+zSFNno5mms7EGlH5v 6yP3KiYWflb3mnxBGgShIVJ2OFR5miLpSVFvd6c0eYEOG+Ujf0ew3cDwWQsgs64zxALh zSjToQnOiKgWsDMVtBIcEwd9J5sW4Bh419vSPIVWwdhVEC4WRb6LUv0Iak8JWg0VrLBP mPthSNgtpEZ7Cb8NmGcPa/gRVx92PmragCtKarVJkHttFsCIDgWsUTH2B3CTsq98UXOO Lw9Q==
X-Gm-Message-State: ALyK8tIuiPRPQOEHEgW/c6t/kU4EKHBgcX2ppG7RrMWDB1uUPXrJRyJzK1TfnnGUBz3iLw==
X-Received: by 10.200.41.14 with SMTP id y14mr4808587qty.11.1466774614770; Fri, 24 Jun 2016 06:23:34 -0700 (PDT)
Received: from [172.16.0.112] ([96.231.230.69]) by smtp.gmail.com with ESMTPSA id 13sm2141759qki.3.2016.06.24.06.23.33 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Fri, 24 Jun 2016 06:23:34 -0700 (PDT)
From: Sean Turner <sean@sn3rd.com>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Message-Id: <915CE941-46AF-466F-A2B6-294AE387C538@sn3rd.com>
Date: Fri, 24 Jun 2016 09:23:32 -0400
To: secdir@ietf.org, The IESG <iesg@ietf.org>, draft-ietf-hip-rfc6253-bis.all@ietf.org
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/-_qT1SufKwILFcPx6CTgRRbJgEk>
Subject: [secdir] SecDir review of draft-ietf-hip-rfc6253-bis-08
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Jun 2016 13:23:38 -0000

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments.

This document specifies the certificate parameter and the error signaling in case of a failed verification.  Additionally, this document specifies the representations of Host Identity Tags in X.509 version 3 (v3).  This version deprecates the SPKI representations, makes use IAN and SAN SHOULD vice MUST, treats all revocation reasons as “revoked”, and doesn’t require that the entire cert path be sent.

Summary: Ship-It.

Comments: None.

spt