Re: [secdir] secdir review of draft-sparks-genarea-review-tracker-02

Robert Sparks <rjsparks@nostrum.com> Fri, 07 August 2015 22:15 UTC

Message-ID: <55C52D27.40506@nostrum.com>
Date: Fri, 07 Aug 2015 17:11:51 -0500
From: Robert Sparks <rjsparks@nostrum.com>
To: Steve.Hanna@infineon.com, iesg@ietf.org, secdir@ietf.org, draft-sparks-genarea-review-tracker.all@tools.ietf.org
References: <5cb15db2a1654207ab98ae1b77657ba9@MUCSE609.infineon.com>
In-Reply-To: <5cb15db2a1654207ab98ae1b77657ba9@MUCSE609.infineon.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/XbYr4bJUWGN82lXkRcza9V98P8w>
Subject: Re: [secdir] secdir review of draft-sparks-genarea-review-tracker-02

Thanks Steve - comments inline.

On 8/6/15 7:07 PM, Steve.Hanna@infineon.com wrote:
> I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments.
>
> This document provides requirements for improving the tools used to manage team document reviews in IETF. These tools are used for managing secdir reviews, for example. If you want to get a peek at the next generation of these tools, peruse the document. It looks fine to me and Tero was one of the authors so I expect that he's fine with it.
>
> This document is Ready With Nits. The nits are included below.
>
> Thanks,
>
> Steve
>
> ------------------
>
> * The second bullet on page 7 refers to "the above bullet" but it is not clear which bullet is intended.
I changed "above" to "immediately preceding". That will likely cause 
arguments later about whether "immediately" is redundant, but it is less 
ambiguous than "above".
>
> * In the fourth bullet on page 9, "must be able easily" should be "must be able to easily".
fixed - thanks
>
> * In the eighth bullet on page 9, "that have" should be "that they have".
again - fixed - thanks
>
> * The last sentence in the Security Considerations section seems a bit flippant. It currently reads "None of these [authentication and authorization considerations] have been identified as non-obvious." Although I don't have any material problems with this analysis, I wouldn't want to see other documents taking such a nonchalant approach to security. Instead of that sentence, I suggest "None of these have been identified as differing from the considerations relevant to the existing datatracker."
I'm sad to hear it came across as flippant.
I think it's accurate and sufficient for the circumstance, and I don't 
think anyone would successfully use it as precedent when more 
discussion is really warranted.
But, when an experienced reviewer hangs on something like this, it's a 
signal that change would make things better.
I'm not sure trying to pass laterally to what's implicitly understood 
about the datatracker avoids the precedent concern you raise.
So, what do you think about the section with that sentence simply 
removed? Would that have caught your eye differently?

(I'll drop a revision with it removed - if it, or a substitution, needs 
to come back, we can work it in during IESG eval.)
>