[secdir] Secdir last call review of draft-kille-ldap-xmpp-schema-02
Yoav Nir <email@example.com> Fri, 08 September 2017 21:25 UTC
From: Yoav Nir <firstname.lastname@example.org>
Date: Fri, 08 Sep 2017 14:25:12 -0700
Subject: [secdir] Secdir last call review of draft-kille-ldap-xmpp-schema-02
Reviewer: Yoav Nir
Review result: Has Nits

The document defines a couple of OIDs for associating a Jabber ID with an LDAP object. As such, it is very short and straightforward.

I'm not too happy with the Security Considerations section, which I'll quote here in its entirety:

"This schema enables publishing for XMPP JIDs, and care should be taken to ensure that this information is not accessed inappropriately."

This is rather generic, and it's true for any piece of information stored anywhere. If that is all there is to say, the section might as well read "This document only registers OIDs and has no special security considerations."

However, I think there is a point that may need to be mentioned. Using this extension links a JID, which is a personal identifier that often appears on the public Internet (much like an email address), to an LDAP object, which is usually limited to an organization, usually the employer of that person. This linkability only exists for people who have access to the LDAP server, so it's just that users have to take the same care with JIDs that they do with email addresses - if you don't want your XMPP messages linked to your employer, or linked to you by your employer, it is better to use a private JID that is not linked to your employer's LDAP.

This advice to users may be out of scope, but I would like to see a mention that JIDs are generally public and pseudonymous, and this links them to a real person within an LDAP domain.
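One way a directory operator can act on the linkability concern raised in this review, as an added example that is not part of the review or of the draft under review: an OpenLDAP cn=config access rule that allows only authenticated directory users to read the JID attribute, while the rest of the white-pages entry keeps its usual visibility. The attribute name `xmppJID` is a placeholder for whatever attribute the schema registers (the review does not name it), and the database DN and base DN are assumed for the illustration.

```ldif
# Added example, not from the draft or the review. "xmppJID" stands in
# for the schema's real attribute name; "{1}mdb" is the assumed database.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# JIDs are public, pseudonymous identifiers. Limit who can map one to a
# named person in this directory: the entry owner and authenticated
# users only, nothing for anonymous binds.
olcAccess: {0}to attrs=xmppJID
  by self write
  by users read
  by anonymous none
# Everything else keeps ordinary white-pages behaviour: anonymous
# clients may bind, authenticated users may read.
olcAccess: {1}to *
  by self write
  by users read
  by anonymous auth
```

The attribute-specific rule must precede the catch-all rule, since OpenLDAP applies the first `to` clause that matches; the schema defining the JID attribute also has to be loaded before this modification, or slapd will reject the unknown attribute name.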