[secdir] draft-ietf-geopriv-policy-uri-02

["Scott G. Kelly" <scott@hyperthought.com>]

I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the IESG. 
These comments were written primarily for the benefit of the security 
area directors. Document editors and WG chairs should treat these 
comments just like any other last call comments.

This review is a little late -- sorry for the delay. From the abstract, 
"This document extends the current location configuration protocols to 
provide hosts with a reference to the rules that are applied to a URI, 
so that the host can view or set these rules." Specifically, it allows 
the host to view, set, or change privacy rules associated with its 
location URIs.

The document is well-written, and contains a security considerations 
section that addresses associated protocol threats. That section 
references two "classes of risks": risk of unauthorized disclosure of 
the protected resource, and risk of disclosure of the policy information 
itself.

Why isn't unauthorized manipulation of the policy information also 
listed as a risk? Actually, the second paragraph of the security 
considerations addresses this, ("The mechanism also needs to ensure that 
only authorized entities are able to acquire or alter policy."), but 
subsequent text seems to indicate that if the policy URI is not kept 
secret, there are no further protections.

Am I missing something here, or is secrecy of the URI really the only 
protection against unauthorized policy manipulation? I have to admit 
that I have no experience with these protocols, and it may be that this 
is addressed elsewhere (or truly doesn't matter), but it does feel a bit 
off.

--Scott