Re: [secdir] Secdir review of draft-ietf-geopriv-uncertainty-03

Martin Thomson <> Tue, 07 October 2014 21:19 UTC


Thanks for the review,

The draft is, as you note, in two pieces.  However, when I took this
to the working group in two parts, the overwhelming consensus there
was to merge the documents.  As a result, it becomes standards track
with large informational sections.  The normative parts are small, and
so the use of 2119 language is also restricted.

As for your concerns about security, the general issue of altering
parts of an object is only a concern if you have partial integrity
mechanisms.  The security considerations of RFC 4119 cover a lot of
that (the use of S/MIME for confidentiality and integrity, for

On 7 October 2014 02:24, Takeshi Takahashi <> wrote:
> Hello,
> I have reviewed the current version of this document as part of the security
> directorate's ongoing effort to review all IETF documents being processed by
> the IESG.  These comments were written primarily for the benefit of the
> security area directors.  Document editors and WG chairs should treat these
> comments just like any other last call comments.
> This draft provides lots of information on how to handle uncertainty and
> confidence.
> It also defines a schema for describing confidence information.
> I believe this document is very helpful for readers.
> It outlines assorted techniques in a very clear way.
> I think this draft is almost ready, but I have clarification questions as
> follows.
> 1. standards track (std), or informational?
> I am not sure what would be the criteria for being a std RFC, but I feel
> like this draft talks as if it is an informational draft.
> I do not mean that I object to make it as a std rfc, but clarification is
> appreciated.
> A std RFC specifies the interfaces that communication parties need to
> follow, IMHO.
> RFC 3863 and 5139 are std RFCs since they define data format/schema each
> communication party needs to follow.
> The RFC 3693, which this draft is updating, is an informational RFC and
> provides lots of useful knowledge, but it does not force anything to
> communication parties.
> How is the case of this draft?
> I know that the draft specifies a schema for the confidence information, but
> I feel like this is rather smaller part of the issues discussed in this
> draft.
> It talks about schemes to handle uncertainty, but it does not define a
> single scheme to handle uncertainty. (It outlines several techniques, but
> implementers need to consider which techniques to use, and they can
> implement different techniques, IMHO.)
> To sum up, I would appreciate if you could clarify why the draft is in the
> std rfc.
> 2. why this document is not split into two documents?
> This is related to the issue 1.
> Here is my understanding of the sections.
> Section 7 defines the confidence schema.
> I understood that this document normatively defines this schema and
> implementers need to follow this schema.
> On the other hand, sections 2 - 5 provide helpful information, but the
> draft does not mandate implementers to do anything.
> I have understood that implementers can use arbitrary techniques (including
> the techniques introduced in this document) to handle uncertainty.
> I wonder whether it would have been easier to have separate drafts for the
> issues; i.e., the content described in section 7 goes to std RFC while the
> rest goes to another informational rfc.
> 3. content in sections 2-5
> Thank you for your elaboration.
> This is very helpful to get knowledge on the uncertainty manipulation.
> If this document goes to a std RFC, I would expect to see sentences such as
> "SHOULD/MUST/is recommended to use the techniques to handle uncertainty", in
> these sections.
> 4. security considerations
> If the confidence information is maliciously altered, does it cause trouble
> to the information receiver?
> (I think the RFC 4119 (and RFC 3694) does not address the need to protect
> confidence information.)
> Information sender sends a location information with high confidence value,
> but the information receiver received the information with falsified low
> confidence value.
> I guess this could hinder some decision making of the information receiver
> in some case.
> So, I think it would be safer to say something like that we should implement
> schemes to protect the values that is defined outside the scope of this
> draft, etc.
> Kind regards,
> Take
> ---
> Takeshi Takahashi, Ph.D.,
> Senior Researcher at the National Institute of Information and
> Communications Technology, Japan