[secdir] Secdir last call review of draft-ietf-modern-problem-framework-03

Yoav Nir <ynir.ietf@gmail.com> Fri, 16 February 2018 19:21 UTC

From: Yoav Nir <ynir.ietf@gmail.com>
To: <secdir@ietf.org>
Cc: modern@ietf.org, draft-ietf-modern-problem-framework.all@ietf.org, ietf@ietf.org
Message-ID: <151880889952.1465.16611057002784350280@ietfa.amsl.com>
Date: Fri, 16 Feb 2018 11:21:39 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/1WiFmubNoAKo3qAhNu4be35g10w>
Subject: [secdir] Secdir last call review of draft-ietf-modern-problem-framework-03

Reviewer: Yoav Nir
Review result: Has Nits

I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG. Document
editors and others should treat these comments just like any other late last
call comments.

The document is well-written although it uses a lot of jargon without defining
it first. For example:

   An increasing number of enterprises, over-the-top voice-over-IP (VoIP)
   providers

VoIP I understand. What is over-the-top? Since the target audience is IETF
people who are more well-versed in telephony jargon than I am, this is probably
fine.

What I didn't like about this is the introduction in section 1. It reads like a
marketing document rather than a technical one. For example:

   The challenges of utilizing telephone numbers (TNs) on the Internet
   have been known for some time.

It's only challenging if I want to use a TN on the Internet. Why do I want to
do that?

   Thanks to the increasing sophistication of consumer mobile devices as
   Internet endpoints as well as telephones, users now associate TNs
   with many Internet applications other than telephony.

So because my phone is so sophisticated and has IP, I now associate phone
numbers with Internet applications?  Why?

The Security Considerations section is fine, but I think this is one draft that
should have privacy considerations either as a separate section or as a
paragraph in the Security Considerations section. It should be called out that
the administrative data often contains PII - real names and addresses of users -
and that the usage of phone numbers as identifiers on the Internet allows for
mapping these real names and addresses to transactions on the Internet.  I
think this deserves a mention.