[secdir] Secdir review of draft-ietf-dime-erp-14

Vincent Roca <vincent.roca@inria.fr> Sun, 04 November 2012 21:55 UTC

Return-Path: <vincent.roca@inria.fr>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BB95D21F87F5; Sun, 4 Nov 2012 13:55:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.248
X-Spam-Level:
X-Spam-Status: No, score=-110.248 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_FR=0.35, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id U5SXgQ8dngRT; Sun, 4 Nov 2012 13:55:18 -0800 (PST)
Received: from mail1-relais-roc.national.inria.fr (mail1-relais-roc.national.inria.fr [192.134.164.82]) by ietfa.amsl.com (Postfix) with ESMTP id 8C33721F86AE; Sun, 4 Nov 2012 13:55:17 -0800 (PST)
X-IronPort-AV: E=Sophos; i="4.80,711,1344204000"; d="scan'208,217"; a="180091315"
Received: from ral119r.vpn.inria.fr ([128.93.178.119]) by mail1-relais-roc.national.inria.fr with ESMTP/TLS/AES128-SHA; 04 Nov 2012 22:55:14 +0100
From: Vincent Roca <vincent.roca@inria.fr>
Content-Type: multipart/alternative; boundary=Apple-Mail-16-96758462
Date: Sun, 4 Nov 2012 22:55:13 +0100
Message-Id: <5DE1DFCC-00A7-4F54-BF14-75878273895C@inria.fr>
To: IESG IESG <iesg@ietf.org>, draft-ietf-dime-erp.all@tools.ietf.org, secdir@ietf.org
Mime-Version: 1.0 (Apple Message framework v1085)
X-Mailer: Apple Mail (2.1085)
Subject: [secdir] Secdir review of draft-ietf-dime-erp-14
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 04 Nov 2012 21:55:18 -0000

Hello,

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors. Document editors and WG chairs should treat
these comments just like any other last call comments.

--

The security section of this document is pretty simple as it refers to
the security section of 4 related documents and that's all. On the
opposite, each of these 4 documents includes a very detailed security
analysis.  The contrast is extremely important!

This is all the more annoying as draft-ietf-dime-erp-14 introduces new
mechanisms, and thereby new potential threats and issues (it's usually
the case).

What should I understand? Is the proposal guaranteed to be secure?
Or have all the potential weaknesses been already addressed in the
4 related documents? I can not conclude after reading this security section
and this is a problem.

So, I'd like that the authors clarify this, and if need be, I'd like the authors
explicitly mention which items in each of the 4 related documents apply.
It would be helpful IMHO.


Cheers,

   Vincent