[secdir] Secdir review of draft-ietf-geopriv-deref-protocol-03

Charlie Kaufman <charliek@microsoft.com> Sun, 30 October 2011 03:44 UTC

From: Charlie Kaufman <charliek@microsoft.com>
To: "secdir@ietf.org" <secdir@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, "draft-ietf-geopriv-deref-protocol.all@tools.ietf.org" <draft-ietf-geopriv-deref-protocol.all@tools.ietf.org>
Date: Sun, 30 Oct 2011 03:44:37 +0000

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments.

This document specifies a protocol over HTTP (and optionally over TLS) for dereferencing a Presence Information Data Format Location Object. This data is sensitive and there is likely to be an authorization policy saying who can get it. This spec is careful to enumerate the various ways that authorization decision might be made without specifying how one would specify any particular policy. I believe it therefore manages to evade any security scrutiny. (Use of TLS is recommended and is an appropriate way to secure the protocol itself.)

I found one typo: page 11: specfies -> specifies

	--Charlie