[secdir] Secdir review of draft-ietf-xmpp-websocket-07

<magnusn@gmail.com> Thu, 03 July 2014 16:42 UTC

From: magnusn@gmail.com
To: "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-xmpp-websocket@tools.ietf.org" <draft-ietf-xmpp-websocket@tools.ietf.org>
Date: Thu, 03 Jul 2014 16:39:08 +0000
Archived-At: http://mailarchive.ietf.org/arch/msg/secdir/Qp8Tj0EMjEDDjs9G9aNs-HE9i-Q
Cc: "iesg@ietf.org" <iesg@ietf.org>
Subject: [secdir] Secdir review of draft-ietf-xmpp-websocket-07

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

This document defines WebSocket as a transport protocol for XMPP. The Sec Cons section looks adequate to me. One editorial question on Section 3.9:

Should “when TLS is used, it MUST be enabled the WebSocket layer” have read “when TLS is used, it MUST be enabled at the WebSocket layer”?

Thanks,

-- Magnus