[secdir] SECDIR review of draft-igoe-secsh-x509v3-06
David McGrew <mcgrew@cisco.com> Thu, 18 November 2010 20:18 UTC
Return-Path: <mcgrew@cisco.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 36A713A68CF; Thu, 18 Nov 2010 12:18:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.599
X-Spam-Level:
X-Spam-Status: No, score=-110.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3aC2tzS2j9ey; Thu, 18 Nov 2010 12:18:28 -0800 (PST)
Received: from sj-iport-4.cisco.com (sj-iport-4.cisco.com [171.68.10.86]) by core3.amsl.com (Postfix) with ESMTP id 42CBA3A6811; Thu, 18 Nov 2010 12:18:28 -0800 (PST)
Authentication-Results: sj-iport-4.cisco.com; dkim=neutral (message not signed) header.i=none
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AvsEAAIZ5UyrR7Ht/2dsb2JhbACiV3GkDJs4hUsEhFqGAA
X-IronPort-AV: E=Sophos;i="4.59,218,1288569600"; d="scan'208";a="219888017"
Received: from sj-core-1.cisco.com ([171.71.177.237]) by sj-iport-4.cisco.com with ESMTP; 18 Nov 2010 20:19:05 +0000
Received: from stealth-10-32-254-214.cisco.com (stealth-10-32-254-214.cisco.com [10.32.254.214]) by sj-core-1.cisco.com (8.13.8/8.14.3) with ESMTP id oAIKJ1Lh015137; Thu, 18 Nov 2010 20:19:02 GMT
Message-Id: <085BE277-7C5F-4479-944D-A2DBD4447CEA@cisco.com>
From: David McGrew <mcgrew@cisco.com>
To: secdir@ietf.org, IESG <iesg@ietf.org>
Content-Type: text/plain; charset="US-ASCII"; format="flowed"; delsp="yes"
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v936)
Date: Thu, 18 Nov 2010 12:19:01 -0800
X-Mailer: Apple Mail (2.936)
Cc: douglas@stebila.ca, "Kevin M. Igoe" <kmigoe@nsa.gov>
Subject: [secdir] SECDIR review of draft-igoe-secsh-x509v3-06
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Nov 2010 20:18:29 -0000
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other review comments. The document describes how to use X509 and OCSP within SSH. It is clearly written, and the security considerations section is appropriate (it mostly points to the relevant sections in the SSH, X509, and OCSP RFCs). I have one nit, which is wording that authors might want to change for clarity. Section 4 says "The mapping between certificates and host names is left as an implementation and configuration issue for implementers and system administrators." I believe that what is meant is that "The method that the server uses to verify that the host certificate and key actually belongs to the client host named in the message is out of scope of this note", to use language from RFC 4252. regards, David
- [secdir] SECDIR review of draft-igoe-secsh-x509v3… David McGrew