[secdir] Secdir review of draft-hollenbeck-rfc4930bis-02

[Catherine Meadows <catherine.meadows@nrl.navy.mil>]

I have reviewed this document as part of the security directorate's  
ongoing effort to review all IETF documents being processed by the  
IESG. These comments were written primarily for the benefit of the  
security area directors.  Document editors and WG chairs should treat  
these comments just like any other last call comments.

Note:  I recently submitted a review of draft-hollenbeck- 
rfc4933bis-02.  That was a mistake on my part; that was not the  
document I was supposed to review.
Sandy Murphy is down for reviewing that one.  I am supposed to review  
this one.  This document is the update of the based specification of   
EPP, and so is related to rfc4933bis-02.

I've also had some discussion with Sandy about the issue she raised  
with respect to draft-hollenbeck-rfc4933bis-02.  That is actually what  
I first thought it was:  EPP only does a weak form of authentication.
So it depends on strong authentication done at the transport level or  
application level.  However there is nothing in the document that I  
can see
that says that the EPP ID must match the transport ID.  Thus, if it is  
relying on the
authentication being done at the transport level, there appears to be  
nothing to prevent the transport level channel being replaced by  
another one at some point.  I am not enough of an expert on EPP
to make a definite recommendation as to how or whether this needs to  
be addressed, but I feel that this is something that needs to be  
brought to the attention of the IESG and discussed in the next  
telechat.   If the
issue does need to be addressed, rfc4930bis is the place where it  
should be handled.

Catherine Meadows
Naval Research Laboratory
Code 5543
4555 Overlook Ave., S.W.
Washington DC, 20375
phone: 202-767-3490
fax: 202-404-7942
email: catherine.meadows@nrl.navy.mil