[secdir] secdir review of draft-ietf-pkix-tamp-05
"Glen Zorn" <gwz@net-zen.net> Mon, 01 March 2010 14:09 UTC
Return-Path: <gwz@net-zen.net>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4172728C32C for <secdir@core3.amsl.com>; Mon, 1 Mar 2010 06:09:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.166
X-Spam-Level:
X-Spam-Status: No, score=-2.166 tagged_above=-999 required=5 tests=[AWL=0.434, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7Eu9zwUGuJMM for <secdir@core3.amsl.com>; Mon, 1 Mar 2010 06:09:46 -0800 (PST)
Received: from p3plsmtpa01-10.prod.phx3.secureserver.net (p3plsmtpa01-10.prod.phx3.secureserver.net [72.167.82.90]) by core3.amsl.com (Postfix) with SMTP id 7898328C336 for <secdir@ietf.org>; Mon, 1 Mar 2010 06:09:46 -0800 (PST)
Received: (qmail 12378 invoked from network); 1 Mar 2010 13:43:07 -0000
Received: from unknown (124.120.216.211) by p3plsmtpa01-10.prod.phx3.secureserver.net (72.167.82.90) with ESMTP; 01 Mar 2010 13:43:06 -0000
From: Glen Zorn <gwz@net-zen.net>
To: iesg@ietf.org, pkix-chairs@ietf.org, secdir@ietf.org, housley@vigilsec.com, srashmo@radium.ncsc.mil, cwallace@cygnacom.com
Date: Mon, 01 Mar 2010 20:42:49 +0700
Organization: Network Zen
Message-ID: <00c101cab945$18bf9090$4a3eb1b0$@net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: Acq5RRVibn8mZ1OlS8ShoPDUlMwmoA==
Content-Language: en-us
Subject: [secdir] secdir review of draft-ietf-pkix-tamp-05
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Mar 2010 14:09:47 -0000
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. EDITORIAL COMMENTS Section 1.2.2 says: Management trust anchors are used in the management of cryptographic modules. For example, the TAMP messages specified in this document are validated to a management trust anchor. Likewise, a signed firmware package as specified in [RFC4108] is validated to a management trust anchor. This might be better put as Management trust anchors are used in the management of cryptographic modules. For example, the TAMP messages specified in this document are validated by a management trust anchor. Likewise, a signed firmware package as specified in [RFC4108] is validated by a management trust anchor. In Section 1.3.4, s/The application-specific protocol processing MUST be provided the/The application-specific protocol processing MUST provide the/ Section 3, paragraph 3 says "Certificates include a signature, which removes the ability for relying parties to". Just a question: should "relying" in the sentence actually be "relaying"? In any case, "ability for" should probably be changed to "ability of". Suggestion: Section 4.4 says in two places "The status codes appear in the same order as the TrustAnchorUpdate structures to which they apply"; maybe "The status codes MUST appear in the same order as the TrustAnchorUpdate structures to which they apply" would be clearer. In Section 7, s/if the signer is not representated/if the signer is not represented/. The Security Considerations section is remarkably clear and comprehensive.