[secdir] Secdir review of draft-hollenbeck-rfc4930bis-02
Catherine Meadows <catherine.meadows@nrl.navy.mil> Tue, 14 July 2009 13:56 UTC
From: Catherine Meadows <catherine.meadows@nrl.navy.mil>
To: secdir@ietf.org, iesg@ietf.org, Scott Hollenbeck <shollenbeck@verisign.com>
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

Note: I recently submitted a review of draft-hollenbeck-rfc4933bis-02. That was a mistake on my part; that was not the document I was supposed to review. Sandy Murphy is down for reviewing that one. I am supposed to review this one. This document is the update of the base specification of EPP, and so is related to rfc4933bis-02.

I've also had some discussion with Sandy about the issue she raised with respect to draft-hollenbeck-rfc4933bis-02. That is actually what I first thought it was: EPP only does a weak form of authentication. So it depends on strong authentication done at the transport level or application level. However, there is nothing in the document that I can see that says that the EPP ID must match the transport ID. Thus, if it is relying on the authentication being done at the transport level, there appears to be nothing to prevent the transport level channel being replaced by another one at some point.

I am not enough of an expert on EPP to make a definite recommendation as to how or whether this needs to be addressed, but I feel that this is something that needs to be brought to the attention of the IESG and discussed in the next telechat. If the issue does need to be addressed, rfc4930bis is the place where it should be handled.

Catherine Meadows
Naval Research Laboratory
Code 5543
4555 Overlook Ave., S.W.
Washington DC, 20375
phone: 202-767-3490
fax: 202-404-7942
email: catherine.meadows@nrl.navy.mil
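One way a server could close the gap the review describes, as an added example that is not part of this message, the draft, or any EPP implementation: the EPP `<clID>` is checked against the TLS client-certificate subject the transport authenticated, both at login and on every later command, so a session cannot be carried on over a different channel. The registrar-to-certificate table and the certificate subjects are constructed for the example.

```python
# Added illustration: binding an EPP client identifier (<clID>) to the identity
# authenticated at the transport layer. Not from the draft or any EPP server;
# the registrar-to-certificate table below is constructed for this example.
from dataclasses import dataclass
from typing import Optional
import xml.etree.ElementTree as ET

EPP_NS = "urn:ietf:params:xml:ns:epp-1.0"

# Constructed mapping: which TLS client-certificate subject(s) each registrar may use.
AUTHORIZED_SUBJECTS = {
    "ClientX": {"CN=registrar-x.example,O=Registrar X"},
    "ClientY": {"CN=registrar-y.example,O=Registrar Y"},
}

@dataclass
class Session:
    transport_subject: str                 # TLS client-cert subject, fixed at connect time
    epp_client_id: Optional[str] = None    # set only after a bound login succeeds

def login_client_id(login_xml: str) -> str:
    """Extract <clID> from an EPP <login> command."""
    root = ET.fromstring(login_xml)
    clid = root.find(f".//{{{EPP_NS}}}clID")
    if clid is None or not clid.text:
        raise ValueError("login has no clID")
    return clid.text.strip()

def authorize_login(session: Session, login_xml: str) -> bool:
    """Accept the login only if the clID is bound to the transport identity."""
    clid = login_client_id(login_xml)
    if session.transport_subject not in AUTHORIZED_SUBJECTS.get(clid, set()):
        return False
    session.epp_client_id = clid
    return True

def authorize_command(session: Session, current_transport_subject: str) -> bool:
    """Re-check on every command so a replaced channel cannot reuse the session."""
    return (session.epp_client_id is not None
            and current_transport_subject == session.transport_subject
            and current_transport_subject in AUTHORIZED_SUBJECTS[session.epp_client_id])

# Constructed login command for registrar ClientX.
LOGIN_X = (f'<epp xmlns="{EPP_NS}"><command><login><clID>ClientX</clID>'
           '<pw>secret</pw></login></command></epp>')
```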