[secdir] review of draft-ietf-kitten-gssapi-naming-exts

"Dan Harkins" <dharkins@lounge.org> Tue, 20 July 2010 17:09 UTC

Date: Tue, 20 Jul 2010 10:09:34 -0700 (PDT)
From: "Dan Harkins" <dharkins@lounge.org>
To: iesg@ietf.org, secdir@ietf.org, draft-ietf-kitten-gssapi-naming-exts.all@tools.ietf.org
Subject: [secdir] review of draft-ietf-kitten-gssapi-naming-exts

  Hello,

  I have reviewed draft-ietf-kitten-gssapi-naming-exts as part of the
security directorate's ongoing effort to review all IETF documents being
processed by the IESG. These comments were written primarily for the
benefit of the security area directors. Document editors and WG chairs
should treat these comments just like any other last call comments.

  This draft extends the GSS-API naming model to include support for
"name attributes". This support can be used by an application to make
authorization decisions. I found no problems in the draft that the
ADs should take special note of.

  The draft is well-written and introduces and uses terminology well,
with one nit. It introduces terms with certain marking and then uses
them either without the marking (which is fine) or with some other
marking. For instance, "An attribute is 'authenticated' iff...." and
then the concept of an authenticated attribute is used without the
single quote. But sometimes attributes "MUST be represented as
*authenticated* GSS-API name attributes named using the _same_ OID
mapped to a URN." OK, so what's the significance of the asterisks now?
And the underscore? I found no value in these marks and suggest removing
them. If the authors intend for the marks to convey some meaning then
perhaps a Notations section is in order.

  One last nit: Section 6.2.1 refers to "(see comment above)" which should
be "(see Section 5)".

  regards,

  Dan.
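The review above turns on the distinction between name attributes that are "authenticated" and those that are not, and on attributes identified by OID being named through a URN. The following is an added illustration (not code from the reviewer, the draft, or any GSS-API implementation) of why that distinction matters to an application making authorization decisions: a small model of a GSS name carrying attributes, each with the authenticated/complete flags the draft describes, and a policy check that ignores any value the mechanism did not authenticate. The `urn:oid:` mapping is assumed from RFC 3061, the group-attribute OID is constructed for the example, and all class and function names are hypothetical.

```python
"""Hypothetical model of GSS-API name attributes and an authorization
check that trusts only authenticated values.  Added example; not the
draft's text nor any GSS-API library's API."""
from dataclasses import dataclass, field
from typing import List


@dataclass(frozen=True)
class NameAttribute:
    # Attribute name as a URN.  Attributes defined by OID are assumed to be
    # mapped to the RFC 3061 "urn:oid:<dotted-oid>" form.
    name: str
    value: bytes
    authenticated: bool   # True only if asserted by the trusted issuer
    complete: bool        # True if every value of the attribute is present


@dataclass
class GssName:
    display_name: str
    attributes: List[NameAttribute] = field(default_factory=list)

    def get_attribute(self, name: str) -> List[NameAttribute]:
        """Return every value held for `name`, standing in for iterating a
        name-attribute query until no more values remain."""
        return [a for a in self.attributes if a.name == name]


def oid_to_urn(oid: str) -> str:
    """Map a dotted-decimal OID to its urn:oid form (assumed mapping)."""
    parts = oid.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError("not a dotted-decimal OID: %r" % oid)
    return "urn:oid:" + oid


# Constructed OID for a hypothetical "group membership" attribute.
GROUP_ATTR = oid_to_urn("1.2.3.4.5")


def is_authorized(name: GssName, required_group: bytes) -> bool:
    """Grant access only when an *authenticated* group value matches.

    A value the mechanism could not authenticate (for instance one the
    peer merely asserted about itself) must not influence the decision;
    that is the property the draft's MUST clause preserves."""
    for attr in name.get_attribute(GROUP_ATTR):
        if attr.authenticated and attr.value == required_group:
            return True
    return False


# Constructed sample initiator: one self-asserted (unauthenticated) claim
# of "admins" membership and one issuer-asserted "staff" membership.
alice = GssName(
    "alice@EXAMPLE.ORG",
    [
        NameAttribute(GROUP_ATTR, b"admins", authenticated=False, complete=True),
        NameAttribute(GROUP_ATTR, b"staff", authenticated=True, complete=True),
    ],
)

if __name__ == "__main__":
    print("admins:", is_authorized(alice, b"admins"))  # False: not authenticated
    print("staff:", is_authorized(alice, b"staff"))    # True
```

The `complete` flag is carried but deliberately not consulted here: for a positive "is a member of" check it is irrelevant, whereas a negative check ("is not a member of any restricted group") would additionally need `complete` to be true before it could conclude anything.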