Re: [secdir] review of draft-ietf-kitten-gssapi-naming-exts

Leif Johansson <leifj@sunet.se> Tue, 20 July 2010 19:14 UTC

Return-Path: <leifj@sunet.se>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 470BA3A6BF7; Tue, 20 Jul 2010 12:14:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aQNt4QsKOvtZ; Tue, 20 Jul 2010 12:14:17 -0700 (PDT)
Received: from backup-server.nordu.net (backup-server.nordu.net [IPv6:2001:948:4:1::66]) by core3.amsl.com (Postfix) with ESMTP id 5AD723A6934; Tue, 20 Jul 2010 12:14:15 -0700 (PDT)
Received: from [10.0.0.11] (ua-83-227-179-169.cust.bredbandsbolaget.se [83.227.179.169]) (authenticated bits=0) by backup-server.nordu.net (8.14.3/8.14.3) with ESMTP id o6KJERfc009648 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 20 Jul 2010 21:14:29 +0200 (CEST)
Message-ID: <4C45F593.5030609@sunet.se>
Date: Tue, 20 Jul 2010 21:14:27 +0200
From: Leif Johansson <leifj@sunet.se>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.9pre) Gecko/20100217 Lightning/1.0b1 Shredder/3.0.3pre
MIME-Version: 1.0
To: Dan Harkins <dharkins@lounge.org>
References: <105c695af5c310908100f0f35b45fe2d.squirrel@www.trepanning.net>
In-Reply-To: <105c695af5c310908100f0f35b45fe2d.squirrel@www.trepanning.net>
X-Enigmail-Version: 1.0.1
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-Mailman-Approved-At: Tue, 20 Jul 2010 12:26:15 -0700
Cc: draft-ietf-kitten-gssapi-naming-exts.all@tools.ietf.org, iesg@ietf.org, secdir@ietf.org
Subject: Re: [secdir] review of draft-ietf-kitten-gssapi-naming-exts
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Jul 2010 19:14:23 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 07/20/2010 07:09 PM, Dan Harkins wrote:
> 
>   Hello,
> 
>   I have reviewed draft-ietf-kitten-gssapi-naming-exts as part of the
> security directorate's ongoing effort to review all IETF documents being
> processed by the IESG. These comments were written primarily for the
> benefit of the security area directors. Document editors and WG chairs
> should treat these comments just like any other last call comments.
> 
>   This draft extends the GSS-API naming model to include support for
> "name attributes". This support can be used by an application to make
> authorization decisions. I found no problems in the draft that the
> ADs should take special note of.
> 
>   The draft is well-written and introduces and uses terminology well,
> with one nit. It introduces terms with certain marking and then uses
> them either without the marking (which is fine) or with some other
> marking. For instance, "An attribute is 'authenticated' iff...." and
> then the concept of an authenticated attribute is used without the
> single quote. But sometimes attributes "MUST be represented as
> *authenticated* GSS-API name attributes named using the _same_ OID
> mapped to a URN." OK, so what's the significance of the asterisks now?
> And the underscore? I found no value in these marks and suggest removing
> them. If the authors intend for the marks to convey some meaning then
> perhaps a Notations section is in order.
> 
>   One last nit: Section 6.2.1 refers to "(see comment above)" which should
> be "(see Section 5)".
> 
>   regards,
> 
>   Dan.


Thanks for the review Dan! Your comments are very valuable and I intend
to update the document accordingly.

	Cheers Leif
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkxF9Y8ACgkQ8Jx8FtbMZnevFQCeKE18nQdJhrEHvM+37x4fpppw
rFcAoJK65i6pCv9/0RsEj0KMl2orPUHm
=5nVY
-----END PGP SIGNATURE-----