[secdir] SECDIR review of draft-giralt-schac-ns

Chris Lonvick <clonvick@cisco.com> Thu, 31 December 2009 04:34 UTC

Return-Path: <clonvick@cisco.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A81FF3A6A76; Wed, 30 Dec 2009 20:34:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level:
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zPRRrSHwtz5Y; Wed, 30 Dec 2009 20:34:08 -0800 (PST)
Received: from sj-iport-6.cisco.com (sj-iport-6.cisco.com [171.71.176.117]) by core3.amsl.com (Postfix) with ESMTP id AA6813A67C0; Wed, 30 Dec 2009 20:34:08 -0800 (PST)
Authentication-Results: sj-iport-6.cisco.com; dkim=neutral (message not signed) header.i=none
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: ApsFAEy4O0urRN+J/2dsb2JhbACPdgGxDZRngiOCDgSBaItM
X-IronPort-AV: E=Sophos;i="4.47,479,1257120000"; d="scan'208";a="459101650"
Received: from sj-core-3.cisco.com ([171.68.223.137]) by sj-iport-6.cisco.com with ESMTP; 31 Dec 2009 04:33:48 +0000
Received: from sjc-cde-011.cisco.com (sjc-cde-011.cisco.com [171.69.16.68]) by sj-core-3.cisco.com (8.13.8/8.14.3) with ESMTP id nBV4Xmoe027301; Thu, 31 Dec 2009 04:33:48 GMT
Date: Wed, 30 Dec 2009 20:33:48 -0800 (PST)
From: Chris Lonvick <clonvick@cisco.com>
To: iesg@ietf.org, secdir@ietf.org, victoriano@uma.es, r.mcduff@uq.edu.au, Lisa Dusseault <lisa.dusseault@gmail.com>
Message-ID: <Pine.GSO.4.63.0912301730060.23658@sjc-cde-011.cisco.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Cc: secdir-secretary@mit.edu
Subject: [secdir] SECDIR review of draft-giralt-schac-ns
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 31 Dec 2009 04:34:09 -0000

Hi,

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

First off, can we get the status of the document straightened out?  The 
document says that it's STANDARDS TRACK but idtracker says that it's 
INFORMATIONAL.

The only security concern I have is that the registration URN is not yet 
active and that it is limited to HTTPS.  While I think it is still going 
to take some time for this ID to become an RFC, I'd just like to see the 
web site set up sooner rather than later so the kinks may be ironed out. 
Beyond that, I think that it would be better to state that it will always 
be a "secure web site" which will offer credentials signed by such-n-such, 
and will require the latest secure methods for accessing a web site; that 
currently being http [reference] with the latest TLS transport 
[reference].  My issue with this is that "https" can still reference SSLv2 
and I don't think that's the intent of the statement in this ID.

I don't have any concerns about the Security Considerations section other 
than the statement about using "HTTPS" as noted above.

I do have a few nits that the authors may want to address.

The terms TERENA and TF-EMC2 are used without first defining them.  Maybe 
some changes in Section 1.
CURRENT:
    The SCHAC international activity was born inside the TF-EMC2
    middleware task force of the Trans European Research and Education
    Network Association.  The initial aim of SCHAC was to harmonise the
PROPOSED:
    The SCHAC international activity was born inside the TF-EMC2 (Task
    Force on European Middleware Coordination and Collaboration)
    of the Trans European Research and Education Network Association
    (TERENA).  The initial aim of SCHAC was to harmonise the...

I think that the second paragraph of the Abstract could use some 
polishing.
CURRENT:
    This namespace is for naming persistent resources defined by the
    SCHAC international activity participants, their working groups and
    other designated subordinates.  The namespace main use will be the
    creation of controlled vocabulary values for attributes in the SCHAC
    schema.  This values will be associated to particular instances of
    persons or objects belonging to any of the SCHAC object classes.
SUGGESTED:
    The namespace described in this document is for naming persistent
    resources defined by the SCHAC participants internationally, their
    working groups, and other designated subordinates.  The main use of
    this namespace will be for the creation of controlled vocabulary values
    for attributes in the SCHAC schema.  These values will be associated
    with particular instances of persons or objects belonging to any of the
    SCHAC object classes.

In Section 4, the word "Anyhow" is ambiguous.  I'd suggest replacing it 
with a more definite word such as "Regardless", or with the term "In any 
case".

In Section 5, the term "NREN" is not defined before it is used.  I'd 
suggest:
CURRENT:
    The assignment and use of identifiers within the namespace are open,
    and the related rule is established by the SCHAC activity members.
    Registration agencies (the next level naming authorities) will be the
    National Research and Education Networks and established
    organizational cross-border organizations that participate in SCHAC.
SUGGESTED:
    The assignment and use of identifiers within the namespace are open,
    and the related rule is established by the SCHAC activity members.
    Registration agencies (the next level naming authorities) will be the
    National Research and Education Networks (NRENS) and other established,
    cross-border organizations that participate in SCHAC.

In the third paragraph of Section 5, remove the term "as soon as 
practical".  ...just get it done.  :-)

Could you add a URL to reference [4]?

Best regards,
Chris