[secdir] Secdir last call review of draft-wilde-sunset-header-07

Joseph Salowey <joe@salowey.net> Sun, 18 November 2018 23:57 UTC

From: Joseph Salowey <joe@salowey.net>
To: <secdir@ietf.org>
Cc: draft-wilde-sunset-header.all@ietf.org, iesg@ietf.org
Message-ID: <154258543276.2473.3583674797158875383@ietfa.amsl.com>
Date: Sun, 18 Nov 2018 15:57:12 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/WbqGfSw__NIbjol5Qh_pj8LXU_g>
Subject: [secdir] Secdir last call review of draft-wilde-sunset-header-07

Reviewer: Joseph Salowey
Review result: Has Issues

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

This document has some minor issues.

Security considerations - in addition to Jari's comment that the lifetime may be
sensitive, I have concerns about the linked resource.  For example, the link may
refer to another site, which could compromise privacy or security if the link
were followed.  The linked resource seems under-defined, which might lead to
security issues if implementations make assumptions about the content of the