[secdir] sec-dir review of draft-ietf-bfcpbis-rfc4582bis-13

"Olafur Gudmundsson" <ogud@ogud.com> Tue, 10 March 2015 13:37 UTC

Return-Path: <ogud@ogud.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9BF1F1A88A4 for <secdir@ietfa.amsl.com>; Tue, 10 Mar 2015 06:37:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vuJ2zL41Kmcu for <secdir@ietfa.amsl.com>; Tue, 10 Mar 2015 06:37:18 -0700 (PDT)
Received: from smtp66.iad3a.emailsrvr.com (smtp66.iad3a.emailsrvr.com [173.203.187.66]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6EB6E1A8901 for <secdir@ietf.org>; Tue, 10 Mar 2015 06:36:56 -0700 (PDT)
Received: from smtp1.relay.iad3a.emailsrvr.com (localhost.localdomain [127.0.0.1]) by smtp1.relay.iad3a.emailsrvr.com (SMTP Server) with ESMTP id 969A8180550; Tue, 10 Mar 2015 09:36:55 -0400 (EDT)
Received: from app47.wa-webapps.iad3a (relay-webapps.rsapps.net [172.27.255.140]) by smtp1.relay.iad3a.emailsrvr.com (SMTP Server) with ESMTP id 6C6F9180542; Tue, 10 Mar 2015 09:36:55 -0400 (EDT)
X-Sender-Id: ogud@ogud.com
Received: from app47.wa-webapps.iad3a (relay-webapps.rsapps.net [172.27.255.140]) by 0.0.0.0:25 (trex/5.4.2); Tue, 10 Mar 2015 13:36:55 GMT
Received: from ogud.com (localhost.localdomain [127.0.0.1]) by app47.wa-webapps.iad3a (Postfix) with ESMTP id 42DD438004E; Tue, 10 Mar 2015 09:36:55 -0400 (EDT)
Received: by apps.rackspace.com (Authenticated sender: ogud@ogud.com, from: ogud@ogud.com) with HTTP; Tue, 10 Mar 2015 09:36:55 -0400 (EDT)
Date: Tue, 10 Mar 2015 09:36:55 -0400 (EDT)
From: "Olafur Gudmundsson" <ogud@ogud.com>
To: secdir@ietf.org, iesg@ietf.org, draft-ietf-bfcpbis-rfc4582bis@tools.ietf.org
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_20150310093655000000_34834"
Importance: Normal
X-Priority: 3 (Normal)
X-Type: html
X-Auth-ID: ogud@ogud.com
Message-ID: <1425994615.27221597@apps.rackspace.com>
X-Mailer: webmail/11.3.13-RC
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/-eiKuif4gkYm57UxiSCEev7gShk>
Subject: [secdir] sec-dir review of draft-ietf-bfcpbis-rfc4582bis-13
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Mar 2015 13:37:19 -0000

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written with the intent of improving security requirements and considerations in IETF drafts.  Comments not addressed in last call may be included in AD reviews during the IESG review.  Document editors and WG chairs should treat these comments just like any other last call comments.
 
 
This document is a replacement document for RFC4582 
 
 
 
The document is well written and is ready to be published with a Nit.
I did not look for textual nits only evaluated
 
the document from security perspective.
 
 
 
Authenticaion and message integrity are recommended but outsourced to 
 
TLS, and DTLS. 
 
 
Nit: The security section does address the issues of pervasive monitoring. 
 
It does not provide any information what an obsever
 
may learn by sniffing traffic at the BFCP server, i.e. other than
 
discover participants IP addresses, possibly their identies depending
 
on how authentication is done, as well as their roles and actions? 
 
Olafur