[secdir] Secdir review of draft-ietf-dime-erp-14
Vincent Roca <vincent.roca@inria.fr> Sun, 04 November 2012 21:55 UTC
Return-Path: <vincent.roca@inria.fr>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BB95D21F87F5; Sun, 4 Nov 2012 13:55:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.248
X-Spam-Level:
X-Spam-Status: No, score=-110.248 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_FR=0.35, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id U5SXgQ8dngRT; Sun, 4 Nov 2012 13:55:18 -0800 (PST)
Received: from mail1-relais-roc.national.inria.fr (mail1-relais-roc.national.inria.fr [192.134.164.82]) by ietfa.amsl.com (Postfix) with ESMTP id 8C33721F86AE; Sun, 4 Nov 2012 13:55:17 -0800 (PST)
X-IronPort-AV: E=Sophos; i="4.80,711,1344204000"; d="scan'208,217"; a="180091315"
Received: from ral119r.vpn.inria.fr ([128.93.178.119]) by mail1-relais-roc.national.inria.fr with ESMTP/TLS/AES128-SHA; 04 Nov 2012 22:55:14 +0100
From: Vincent Roca <vincent.roca@inria.fr>
Content-Type: multipart/alternative; boundary="Apple-Mail-16-96758462"
Date: Sun, 04 Nov 2012 22:55:13 +0100
Message-Id: <5DE1DFCC-00A7-4F54-BF14-75878273895C@inria.fr>
To: IESG IESG <iesg@ietf.org>, draft-ietf-dime-erp.all@tools.ietf.org, secdir@ietf.org
Mime-Version: 1.0 (Apple Message framework v1085)
X-Mailer: Apple Mail (2.1085)
Subject: [secdir] Secdir review of draft-ietf-dime-erp-14
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 04 Nov 2012 21:55:18 -0000
Hello, I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. -- The security section of this document is pretty simple as it refers to the security section of 4 related documents and that's all. On the opposite, each of these 4 documents includes a very detailed security analysis. The contrast is extremely important! This is all the more annoying as draft-ietf-dime-erp-14 introduces new mechanisms, and thereby new potential threats and issues (it's usually the case). What should I understand? Is the proposal guaranteed to be secure? Or have all the potential weaknesses been already addressed in the 4 related documents? I can not conclude after reading this security section and this is a problem. So, I'd like that the authors clarify this, and if need be, I'd like the authors explicitly mention which items in each of the 4 related documents apply. It would be helpful IMHO. Cheers, Vincent