[secdir] secdir review of draft-hollenbeck-rfc4932bis-01

Chris Lonvick <clonvick@cisco.com> Mon, 01 June 2009 19:08 UTC

Return-Path: <clonvick@cisco.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost []) by core3.amsl.com (Postfix) with ESMTP id 6922D3A6A0D; Mon, 1 Jun 2009 12:08:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([]) by localhost (core3.amsl.com []) (amavisd-new, port 10024) with ESMTP id scZpf+NB6Kdh; Mon, 1 Jun 2009 12:08:11 -0700 (PDT)
Received: from sj-iport-5.cisco.com (sj-iport-5.cisco.com []) by core3.amsl.com (Postfix) with ESMTP id BD6F93A6944; Mon, 1 Jun 2009 12:08:11 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="4.41,285,1241395200"; d="scan'208";a="78625217"
Received: from sj-dkim-2.cisco.com ([]) by sj-iport-5.cisco.com with ESMTP; 01 Jun 2009 19:08:12 +0000
Received: from sj-core-2.cisco.com (sj-core-2.cisco.com []) by sj-dkim-2.cisco.com (8.12.11/8.12.11) with ESMTP id n51J8Cnx012616; Mon, 1 Jun 2009 12:08:12 -0700
Received: from sjc-cde-011.cisco.com (sjc-cde-011.cisco.com []) by sj-core-2.cisco.com (8.13.8/8.13.8) with ESMTP id n51J8Cwd012604; Mon, 1 Jun 2009 19:08:12 GMT
Date: Mon, 01 Jun 2009 12:08:11 -0700
From: Chris Lonvick <clonvick@cisco.com>
To: iesg@ietf.org, secdir@ietf.org, shollenbeck@verisign.com
Message-ID: <Pine.GSO.4.63.0906011152370.13437@sjc-cde-011.cisco.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=922; t=1243883292; x=1244747292; c=relaxed/simple; s=sjdkim2002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=clonvick@cisco.com; z=From:=20Chris=20Lonvick=20<clonvick@cisco.com> |Subject:=20secdir=20review=20of=20draft-hollenbeck-rfc4932 bis-01 |Sender:=20; bh=/mQePsTSVRmEBTBhfhsKn/KiQLbA1NpXrbi0/mMTxdE=; b=OkfuDQUeLimUzWyh3tO2kUgZEDq33isixOC7X17azKfCyMpVJHcSq3PpAx iA3vzydICXJkhrQMkxp8eS692y1lBfeXNYB5t/phTQKH1Wx7mMo9bnj+f+JO zw8if92Iym;
Authentication-Results: sj-dkim-2; header.From=clonvick@cisco.com; dkim=pass ( sig from cisco.com/sjdkim2002 verified; );
Subject: [secdir] secdir review of draft-hollenbeck-rfc4932bis-01
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Jun 2009 19:08:12 -0000


I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

I found security-related problems in my review of the document.

I did see, however, that the Security Considerations, which point back 
to ID 4930.bis, are very similar to the security considerations in RFC 
4930.  They hint that a secure transport is needed to thwart common mitm 
attacks but the section does not give any specific guidance.

It has been two years since RFC 4930 was published.  Have any secure 
transports been used?  If so, I think it would be a good idea to state 
which one(s) and how its attributes do thwart the threats.

Best regards,