[secdir] secdir review of draft-ietf-calext-availability-03

"Dan Harkins" <dharkins@lounge.org> Mon, 11 July 2016 22:24 UTC

Return-Path: <dharkins@lounge.org>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 64DEB12B02A; Mon, 11 Jul 2016 15:24:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Rl5AODtMLnIl; Mon, 11 Jul 2016 15:24:58 -0700 (PDT)
Received: from colo.trepanning.net (colo.trepanning.net [69.55.226.174]) by ietfa.amsl.com (Postfix) with ESMTP id 9075F12D0AE; Mon, 11 Jul 2016 15:24:57 -0700 (PDT)
Received: from www.trepanning.net (localhost [127.0.0.1]) by colo.trepanning.net (Postfix) with ESMTP id 64E2F1FE02C8; Mon, 11 Jul 2016 15:24:57 -0700 (PDT)
Received: from 69.12.173.8 (SquirrelMail authenticated user dharkins@lounge.org) by www.trepanning.net with HTTP; Mon, 11 Jul 2016 15:24:57 -0700 (PDT)
Message-ID: <324122b57299b6f400483a0bf581b955.squirrel@www.trepanning.net>
Date: Mon, 11 Jul 2016 15:24:57 -0700 (PDT)
From: "Dan Harkins" <dharkins@lounge.org>
To: iesg@ietf.org, secdir@ietf.org, draft-ietf-calext-availability.all@ietf.org
User-Agent: SquirrelMail/1.4.14 [SVN]
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/XNMK3KKNQthQOdG6-xxO2Cs_SPQ>
Subject: [secdir] secdir review of draft-ietf-calext-availability-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Jul 2016 22:24:59 -0000

  Greetings,

  I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

  This draft specifies a way to use iCalendar to publish time periods
of a person's availability and unavailability. For the record, I am
not knowledgeable of namespace requirements on the components described
in this draft so I'm just assuming that stuff is OK.

  I believe this draft is "Ready with issues". Those issues are:

  - the steps to calculate free-busy time (section 5) has a for loop
    that goes from the lowest priority entry to the highest priority
    entry. But the 2nd step says, "Determine if the 'VAVAILABILITY'
    is completely overridden by a higher priority component. If so
    ignore it." How can a higher priority component already hold that
    time if we're looping from lower priority to higher priority?

    This step seems superfluous or there's some assumption on the
    state of the calendar prior to the loop that I'm not getting.
    Please fix this or point me to the text that I missed.

  - I am very happy to see Privacy Considerations because that was the
    thing that jumped out at me when I started reading. But there are
    normative requirements in the Privacy Considerations and I feel
    those would be better placed in the appropriate sections of the
    draft that deal with that behavior. It is my feeling that Privacy
    Considerations (and Security Considerations) should consider the
    effects of the normative action described above them and not
    indicate additional normative requirements.

Other than that, publish away!

  regards,

  Dan.