[secdir] Secdir review of draft-ietf-scim-use-cases
Magnus Nyström <magnusn@gmail.com> Mon, 06 April 2015 01:51 UTC
From: Magnus Nyström <magnusn@gmail.com>
To: "secdir@ietf.org" <secdir@ietf.org>, draft-ietf-scim-use-cases@tools.ietf.org
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/TQlUK98Bq4aeWW1jIlqt1_c1AJg>
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

This memo describes the "System for Cross-domain Identity Management (SCIM)." SCIM is a companion document to the SCIM Schema memo and the SCIM Protocol memo.

Section 3.5: Shouldn't there also be a requirement for the secure transfer of attributes between A and B based on matters such as A trusting authentication results from B, a means to provide those authentication results securely to B, etc.? Essentially similar to what was presented in Section 3.3?

Section 3.6: Similar comment as for Section 3.5. There seem to be general security requirements missing for these two scenarios?

Section 4: I only glanced at the Security Considerations sections referenced here, but they do seem adequate, and given that, I don't see that this memo's Security Considerations section needs to contain more information.

Editorial suggestion: "only authenticated entity" -> "only authenticated entities".

-- Magnus