[secdir] Review of draft-ietf-repute-query-http-09
Shawn M Emery <shawn.emery@oracle.com> Thu, 22 August 2013 04:00 UTC
Return-Path: <shawn.emery@oracle.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AA4D711E81CE for <secdir@ietfa.amsl.com>; Wed, 21 Aug 2013 21:00:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5bPAFUt0vtvV for <secdir@ietfa.amsl.com>; Wed, 21 Aug 2013 20:59:54 -0700 (PDT)
Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) by ietfa.amsl.com (Postfix) with ESMTP id AB3C311E811D for <secdir@ietf.org>; Wed, 21 Aug 2013 20:59:54 -0700 (PDT)
Received: from acsinet22.oracle.com (acsinet22.oracle.com [141.146.126.238]) by userp1040.oracle.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with ESMTP id r7M3xoSa032285 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Thu, 22 Aug 2013 03:59:51 GMT
Received: from aserz7022.oracle.com (aserz7022.oracle.com [141.146.126.231]) by acsinet22.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r7M3xo28021304 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 22 Aug 2013 03:59:50 GMT
Received: from abhmt119.oracle.com (abhmt119.oracle.com [141.146.116.71]) by aserz7022.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r7M3xoGC021292; Thu, 22 Aug 2013 03:59:50 GMT
Received: from [10.159.82.82] (/10.159.82.82) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Wed, 21 Aug 2013 20:59:49 -0700
Message-ID: <52158CF5.4050001@oracle.com>
Date: Wed, 21 Aug 2013 22:00:53 -0600
From: Shawn M Emery <shawn.emery@oracle.com>
User-Agent: Mozilla/5.0 (X11; SunOS i86pc; rv:17.0) Gecko/20130718 Thunderbird/17.0.6
MIME-Version: 1.0
To: secdir@ietf.org
References: <51CAA254.6040303@oracle.com>
In-Reply-To: <51CAA254.6040303@oracle.com>
X-Forwarded-Message-Id: <51CAA254.6040303@oracle.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Source-IP: acsinet22.oracle.com [141.146.126.238]
Cc: draft-ietf-repute-query-http.all@tools.ietf.org
Subject: [secdir] Review of draft-ietf-repute-query-http-09
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Aug 2013 04:00:02 -0000
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. This internet-draft describes a protocol for querying reputation data via HTTP. The first part of the protocol retrieves a template that will subsequently be used as the basis for a URI, which in turn is used to retrieve the reputation information. The security considerations section does exist and acknowledges that the base protocol for retrieving URIs is insecure as well as the retrieval of reputation data. The section refers to the URI template and well-known URI RFCs for further discussions of template exchange security issues and makes an informative reference to the repute considerations draft for the reputation retrieval. However, none of the referenced RFCs and draft directly talk about the various attacks and how to mitigate against said attacks. I would suggest a direct reference if such a document exists. General comments: None. Editorial comments: s/comprise the/comprise of the/ s/explicitly support support/explicitly support/ s/until finds one/until the client finds one/ Shawn. --
- [secdir] Review of draft-ietf-mpls-tp-identifiers… Shawn Emery
- [secdir] Review of draft-ietf-sidr-ghostbusters-14 Shawn Emery
- [secdir] Review of draft-ietf-rtgwg-lfa-applicabi… Shawn Emery
- Re: [secdir] Review of draft-ietf-rtgwg-lfa-appli… Stewart Bryant
- [secdir] Review of draft-ietf-manet-smf-13 Shawn Emery
- Re: [secdir] Review of draft-ietf-manet-smf-13 Joe Macker
- [secdir] Review of draft-ietf-conex-concepts-uses… Shawn Emery
- [secdir] Review of draft-melnikov-smtp-priority-t… Shawn Emery
- Re: [secdir] Review of draft-melnikov-smtp-priori… Alexey Melnikov
- [secdir] Review of draft-ietf-dnsop-rfc4641bis-12 Shawn Emery
- Re: [secdir] Review of draft-ietf-dnsop-rfc4641bi… Matthijs Mekking
- Re: [secdir] Review of draft-ietf-dnsop-rfc4641bi… Shawn Emery
- [secdir] Review of draft-ietf-karp-ospf-analysis-… Shawn Emery
- [secdir] Review of draft-ietf-oauth-assertions-09 Shawn Emery
- Re: [secdir] Review of draft-ietf-oauth-assertion… Shawn Emery
- [secdir] Review of draft-ietf-dhc-dhcpv6-client-l… Shawn Emery
- Re: [secdir] Review of draft-ietf-dhc-dhcpv6-clie… Gaurav Halwasia (ghalwasi)
- [secdir] Review of draft-ietf-netmod-interfaces-c… Shawn Emery
- Re: [secdir] Review of draft-ietf-netmod-interfac… Martin Bjorklund
- Re: [secdir] Review of draft-ietf-netmod-interfac… Benoit Claise
- Re: [secdir] Review of draft-ietf-netmod-interfac… Shawn Emery
- [secdir] Review of draft-ietf-xrblock-rtcp-xr-jb-… Shawn M Emery
- Re: [secdir] Review of draft-ietf-xrblock-rtcp-xr… Qin Wu
- Re: [secdir] Review of draft-ietf-xrblock-rtcp-xr… Gonzalo Camarillo
- Re: [secdir] Review of draft-ietf-xrblock-rtcp-xr… Donald Eastlake
- Re: [secdir] Review of draft-ietf-xrblock-rtcp-xr… Gonzalo Camarillo
- [secdir] Review of draft-ietf-repute-query-http-09 Shawn M Emery
- Re: [secdir] Review of draft-ietf-repute-query-ht… Shawn M Emery
- Re: [secdir] Review of draft-ietf-repute-query-ht… Uri Blumenthal
- Re: [secdir] Review of draft-ietf-repute-query-ht… Dave Crocker
- Re: [secdir] Review of draft-ietf-repute-query-ht… Murray S. Kucherawy
- Re: [secdir] Review of draft-ietf-repute-query-ht… Shawn M Emery
- [secdir] Review of draft-ietf-tictoc-security-req… Shawn M Emery
- Re: [secdir] Review of draft-ietf-tictoc-security… Tal Mizrahi
- [secdir] Review of draft-ietf-cdni-requirements-13 Shawn M Emery
- Re: [secdir] Review of draft-ietf-cdni-requiremen… Kent Leung (kleung)
- [secdir] Review of draft-ietf-isis-rfc6326bis-01 Shawn M Emery
- [secdir] Review of draft-ietf-tcpm-fastopen-08 Shawn M Emery
- Re: [secdir] Review of draft-ietf-tcpm-fastopen-08 Scharf, Michael (Michael)
- [secdir] Review of draft-ietf-hip-rfc5202-bis-05 Shawn M Emery