[secdir] secdir review of draft-ietf-geojson-03

Melinda Shore <melinda.shore@gmail.com> Thu, 26 May 2016 06:16 UTC

Return-Path: <melinda.shore@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9425C12D675; Wed, 25 May 2016 23:16:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id i7HUiXfFPE5P; Wed, 25 May 2016 23:16:39 -0700 (PDT)
Received: from mail-pf0-x229.google.com (mail-pf0-x229.google.com [IPv6:2607:f8b0:400e:c00::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9CE6B12D67C; Wed, 25 May 2016 23:16:04 -0700 (PDT)
Received: by mail-pf0-x229.google.com with SMTP id y69so27579380pfb.1; Wed, 25 May 2016 23:16:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:subject:to:message-id:date:user-agent:mime-version :content-transfer-encoding; bh=RD9U8t/2L/vRslfvo/rfoljIw5VAZYePv/Ds4lWf62U=; b=WNnqZEUVqjdhbzb3Q0Yxjikycz1fqiC5tH0J42CDWlQ4ryZ6vwmaMTdkHzYeIz2rY9 GJ1plCClFrptZSZNJBG+FhhnLsRGYCJMi+62TiA0oyPfU1ZRxGdmQsOrEHrMpa+aUlw5 iGSG9/yqvrjh54slRW9HZgSqruSUyMkammBsLIhrtgtaSPUUHvqd65W2yYXI7423VGcu nQwp0OVfdjxs25gas4rtB8r+onNvGg5vj15PuzYokRhEqE6+pkL3y2YnXmdYdM5WgoDP ks2utymIt4bPW5o8vPuvv4DQUWfXrdBBhcz0A6BUrFyARdftmt/3wiEBwv5iFbmunMjU AfYw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:subject:to:message-id:date:user-agent :mime-version:content-transfer-encoding; bh=RD9U8t/2L/vRslfvo/rfoljIw5VAZYePv/Ds4lWf62U=; b=Bzp7MkQEJvQw/D2wyc49N8Xu0wPvzMDe5TgUBnC8CmbdEweZHAHML+smvPLBkir4q+ bBOzTJP/XzkCFIyFztSfwcjrwC2juvJfRGbF2dWresisVeGspEMJP37UvCQzO3ETVg2p 66H+g906qqu0aZYo8fPNcSCeWZk1ZjvA9TB54aAmUYbMr51BE+m+I1pKQSiJYsrc3Qf5 NkqXrCAi3JQDkeLW6fb6zlIokbmMt9eMKPXK6ei4bRADgy0en4cfEfE7rmtMy0hWaBD1 kan33x0z/B9Zn11P5sPiX4/ArEuzS+Rn8VudSM3JGPBVVpupYbJ36nykVPKc5KPd0grY vFSA==
X-Gm-Message-State: ALyK8tKDis5ACfMqxH0SqczFMlPdjjFUyLyLrtrArGjw83cWRqvuAnCst/+RZbFnFPmE6Q==
X-Received: by 10.98.8.69 with SMTP id c66mr11472333pfd.47.1464243364159; Wed, 25 May 2016 23:16:04 -0700 (PDT)
Received: from Melindas-MacBook-Pro.local (69-161-3-30-radius.dynamic.acsalaska.net. [69.161.3.30]) by smtp.googlemail.com with ESMTPSA id uw2sm17153789pac.10.2016.05.25.23.16.01 (version=TLSv1/SSLv3 cipher=OTHER); Wed, 25 May 2016 23:16:03 -0700 (PDT)
From: Melinda Shore <melinda.shore@gmail.com>
To: draft-ietf-geojson.all@ietf.org, iesg@ietf.org, secdir@ietf.org
Message-ID: <2f7b562b-3455-3518-c933-12aeb6a3957a@gmail.com>
Date: Wed, 25 May 2016 22:15:07 -0800
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:45.0) Gecko/20100101 Thunderbird/45.0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/Pp8iU79s0mcfJdSYMco8FnlOfMI>
Subject: [secdir] secdir review of draft-ietf-geojson-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 May 2016 06:16:41 -0000

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

(note: I was assigned the -02 revision of the document, but the -03
version was just issued and I am reviewing that).

Summary: this document is ready, with minor issues

This document describes a JSON format for representing geospatial
data.  It recommends a single coordinate reference system and does
not appear to be readily extensible to other coordinate reference
systems, but I'll assume that this has been addressed and resolved
by the responsible AD, etc. if it's actually a problem.

The security considerations section is brief and refers the reader
to the core JSON specification.  The second paragraph of the
security considerations sections may have minor issues in that it
says "if sensitive data requires privacy or integrity protection the
service must be provided externally."  It may be appropriate, and
provide additional clarity, to distinguish between protection of
data in flight and data at rest (the IETF does not typically deal
with protection of the latter).  It may be sufficient to make the
word "externally" go away and replace it with something more specific -
for example,
     "if sensitive data require privacy or integrity protection
     those must be provided by the transport, for example TLS or
     HTTPS."

Otherwise, looks ready.

Melinda