Re: [secdir] secdir review for draft-holmberg-dispatch-rfc7315-updates-07

Christer Holmberg <> Tue, 12 July 2016 09:31 UTC


Hi Steve,

Thanks for your comments! Please see inline.

>I have reviewed this document as part of the security directorate's
>ongoing effort to review all IETF documents being processed by the
>IESG.  These comments were written primarily for the benefit of the
>security area directors.  Document editors and WG chairs should treat
>these comments just like any other last call comments.
>This document updates RFC 7315 by changing restrictions on where
>certain SIP private header extensions may be included, in order to
>address new 3GPP use cases.
>This document is Ready with nits.
>I know little about SIP or 3GPP. I do know security, though.
>After reading this document and also reading the Security
>Considerations section of RFC 7315, I believe that this document
>is OK from a security standpoint. Few new security issues are
>raised by this document and those that arise are properly
>documented in the Security Considerations section of this
>document. However, there are a few typos in the Security
>Considerations section.
>* The second sentence of the Security Considerations section
>   ends with "the security considerations and assumptions (e.g.
>   regarding only sending information to trusted entities) also
>   to those messages." This clause is missing a verb. Maybe the
>   word "apply" should appear before "to those messages". Also,
>   greater clarity could be achieved by changing "the security
>   considerations and assumptions" in that sentence fragment to
>   "the security considerations and assumptions described in
>   RFC 7315".

I'll fix as suggested:

"This specification allows some header fields to be
present in messages where they were previously not
allowed, and the security considerations and assumptions
described in [RFC7315] (e.g. regarding only sending
information to trusted entities) also apply to those

>* In the third sentence of the Security Considerations section,
>   "disallow" should be "disallows" and "message" should be
>   "messages".

I'll fix as suggested.

>* In the fourth sentence of the Security Considerations section,
>   "if a header field occur" should be "if a header field occurs".

I'll fix as suggested.

>With these minor changes, I think the document will be ready
>to go from a security standpoint.