Re: [secdir] Secdir review of draft-ietf-clue-telepresence-requirements-06

Mary Barnes <mary.ietf.barnes@gmail.com> Thu, 05 December 2013 16:36 UTC

Return-Path: <mary.ietf.barnes@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 16F641AE0A3; Thu, 5 Dec 2013 08:36:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vIEr81M-qxWt; Thu, 5 Dec 2013 08:36:06 -0800 (PST)
Received: from mail-we0-x232.google.com (mail-we0-x232.google.com [IPv6:2a00:1450:400c:c03::232]) by ietfa.amsl.com (Postfix) with ESMTP id A0CC71AE0D9; Thu, 5 Dec 2013 08:36:05 -0800 (PST)
Received: by mail-we0-f178.google.com with SMTP id u57so11314258wes.9 for <multiple recipients>; Thu, 05 Dec 2013 08:36:01 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=U1maxBOQ3gsWuaw9Yx9K3NerEPHpCc73gDL0h6n3lHk=; b=fHJiClWsbnpQTWYum47Y09DH28uB7kDwmAFlEMK/i8xauuV9p4ZIs3N2BivL/4pRJR jCZyGz3aQfwMvwV//Pql0JpInBcM+yMdzhDYh0c47jxCUBIcKlJUNRL0akRmZZ45XxCl 0bKgnN5jcyjmpoox9SoMOPS9K/RXgpDpKM1xCpVjLVOXGcbfjhfE6q9ApQTkRpE/E35L ZzkaRnUmpGf3Bxt86QszMs2dk2yLVOkbZEHkCg0/saEuEIgeu47gaEBJXOorAETzOxs3 jmREyiqnmDGCXusoMujvMxk09pV0q/n54iCX1wLLpcv0WBtcj01nt2SB//y2ZYX98GB3 G73Q==
MIME-Version: 1.0
X-Received: by 10.180.198.79 with SMTP id ja15mr12440397wic.36.1386261361785; Thu, 05 Dec 2013 08:36:01 -0800 (PST)
Received: by 10.216.172.9 with HTTP; Thu, 5 Dec 2013 08:36:01 -0800 (PST)
In-Reply-To: <FE06B886-EB86-431E-86E3-B6B096265A9B@cisco.com>
References: <FE06B886-EB86-431E-86E3-B6B096265A9B@cisco.com>
Date: Thu, 05 Dec 2013 10:36:01 -0600
Message-ID: <CAHBDyN5spCFUh6t=FmsqKZ948j8mkcCDAGDnWBdZ4pvDC4+61g@mail.gmail.com>
From: Mary Barnes <mary.ietf.barnes@gmail.com>
To: "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>
Content-Type: multipart/alternative; boundary="047d7b6242520902bb04eccc2093"
X-Mailman-Approved-At: Thu, 05 Dec 2013 08:39:13 -0800
Cc: "draft-ietf-clue-telepresence-requirements.all@tools.ietf.org" <draft-ietf-clue-telepresence-requirements.all@tools.ietf.org>, The IESG <iesg@ietf.org>, "<secdir@ietf.org>" <secdir@ietf.org>
Subject: Re: [secdir] Secdir review of draft-ietf-clue-telepresence-requirements-06
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Dec 2013 16:36:08 -0000

Hi Joe,

Thanks for your review.  Comments below [MB].

Mary.


On Mon, Dec 2, 2013 at 7:07 PM, Joseph Salowey (jsalowey) <
jsalowey@cisco.com> wrote:

> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG.  These comments were written primarily for the benefit of the
> security area directors.  Document editors and WG chairs should treat
> these comments just like any other last call comments.
>
> This draft is ready with some minor issues.
>
> The draft discusses requirements for multi-stream telepresence.   I don't
> know much about telepresence, but the draft seems straight forward.  It
> does include a single requirement about security and it does have a
> security considerations section.   Although, I might like a bit more
> description about what "secure exchange" means it think it is probably
> sufficient.   The type of information that might be useful is what type of
> attacks or threats is of concern?

For example, does the information need to be secured to disclosure or
> modification by intermediaries or does have to allow modification by
> intermediaries.


[MB] We had considered adding this sort of information to the security
consideration section of this document, but it was extremely difficult as
we really didn't have appropriate language terminology to be at all
specific (even using the term "media capture" in the requirements is
pushing it).   So, more detail about the nature of the information and
potential security and privacy concerns will be described in the CLUE
Framework document (and of course, very specific details in the protocol
documents).  I wouldn't suggest you look at the framework document yet as
we still have an outstanding action item to complete that section.
[/MB]

>
> The one other question is whether the information about media captures has
> any privacy considerations.   For example is there geo-location or identity
> information exchanged?  Are there any long-term identifiers used?  If there
> is something that we know is going to be exchanged that is sensitive then
> it would probably be worth including in the requirements. It didn't seem
> that this type of data was required so this is probably more of a
> consideration for the protocol spec.
>
[MB]  Per my comment above, without the appropriate language and
terminology, we found that we really couldn't be specific about the
detailed information in the requirements document. Generally speaking the
information about the media captures likely reveals less information about
identity than does the information carried in the core signaling protocols
upon which the CLUE solution will depend - i.e., SIP and SDP.  We will of
course, discuss the relevant privacy concerns and current limitations in
the CLUE WG signaling solution document.  [/MB]

>
> Cheers,
>
> Joe
>
>
>