[secdir] Secdir last call review of draft-ietf-core-dev-urn-08

Brian Weis via Datatracker <noreply@ietf.org> Thu, 03 December 2020 19:57 UTC

Return-Path: <noreply@ietf.org>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 6F2D03A0983; Thu, 3 Dec 2020 11:57:45 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: Brian Weis via Datatracker <noreply@ietf.org>
To: secdir@ietf.org
Cc: last-call@ietf.org, draft-ietf-core-dev-urn.all@ietf.org, core@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 7.23.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <160702546541.14061.15940689920006174458@ietfa.amsl.com>
Reply-To: Brian Weis <bew.stds@gmail.com>
Date: Thu, 03 Dec 2020 11:57:45 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/HkvhTmiKLluSkrjJCvogdl6YrNk>
Subject: [secdir] Secdir last call review of draft-ietf-core-dev-urn-08
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Dec 2020 19:57:46 -0000

Reviewer: Brian Weis
Review result: Serious Issues

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should
treat these comments just like any other last call comments.

The summary of the review is Ready with nits.

This document generally defines a new URN namespace for hardware
device identifiers, and then further defines the URN body layout
for several types of devices, where devices are identified by a
global identity (e.g., a MAC address, organizational-specific serial
number, etc.).

Long-term identifiers have privacy considerations, and these are
well documented here.

Here are some things that ought to be thought about:

(1) The Security Considerations section seems to focus on concerns
around devices not allowing the device identifiers to be modified,
and gives rather broad advice about a DEV URN implementation
faithfully representing the device. It would be good for this section
to also warn implementors of the risks of a DEV URN being transmitted
without integrity protection. That is, if the device faithfully
represents itself, a man in the middle changing the DEV URN in a
protocol may cause the system using the device to not manage the
device properly, or in some manner inappropriately adjust the privileges
allowed by the device within that system.

(2) Section 1 says about privacy “Note that long-term stable unique
identifiers are problematic for privacy reasons and should be used
with care or avoided as described in [RFC7721].” Given the later
guidance that “The DEV URN type SHOULD only be used for persistent
identifiers”, I think the “or avoided” portion of that sentence is
inappropriate for this document.

(3) Section 5 begins with “The following three examples provide
examples of MAC-based, 1-Wire, and Cryptographic identifiers”. There 
are now more than three examples provided (thanks for that!), and 
it appears that cryptographic identifiers have ben removed in an
earlier draft.