[secdir] Secdir review of draft-ietf-mile-rfc6046-bis-05

Leif Johansson <leifj@sunet.se> Tue, 17 January 2012 12:39 UTC

Message-ID: <4F156C07.5000200@sunet.se>
To: secdir@ietf.org, draft-ietf-mile-rfc6046-bis.all@tools.ietf.org, iesg@ietf.org

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the IESG.
These comments were written primarily for the benefit of the security
area directors.  Document editors and WG chairs should treat these
comments just like any other last call comments.

This document updates RFC6046 - Transport of Real-time Internetwork
Defense (RID) Messages over HTTP/TLS.

This document defines HTTP/TLS as a transport for RID/IODEF messages
and is part of a joint update of RFC6046 and RFC6045.

In general I find the document clearly written. I have only a few
comments:

- The text on PKI requirements from RFC6045bis should be more clearly
and consistently referenced in RFC6046bis. In particular I found the
following somewhat confusing:

  "At minimum, each RID system MUST trust a set of X.509
   Issuer identities ("Certificate Authorities") [RFC5280] to directly
   authenticate RID system peers with which it is willing to exchange
   information, and/or a specific white list of X.509 Subject identities
   of RID system peers."

Does the "directly" mean that there should be no intermediary CAs? I
would move any discussion on the nature of the PKI beast to RFC6045bis
and reference it from here.

- The RID-Callback-Token is underspecified, or I'm missing a reference
to where it's defined.

I would have liked to see ABNF (yes, I know it's very simple), the
semantics for how the peer should act when receiving a callback token
(which may have expired, not point to anything useful, etc.), some
advice on how to generate the tokens, and a discussion (in the security
considerations!) of what can happen if you screw up and introduce
collisions.

Cheers, Leif
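The review asks the draft to pin down how a RID-Callback-Token is formed, how a peer should act on one that is unknown or expired, how tokens should be generated, and what a collision would mean. The following is an added illustration, not code from the draft, from RFC 6046 or from the reviewer: a hypothetical token registry in Python. The token syntax (43 base64url characters, i.e. 256 random bits), the one-hour lifetime, the binding of a token to the X.509 Subject of the peer that may redeem it, and the result strings are all assumptions made for the example; the draft specifies none of them.

```python
"""Hypothetical RID-Callback-Token registry (added example, not from the
draft). It makes the reviewer's missing pieces concrete: a syntax check,
unpredictable generation, a lifetime, single use, binding to the peer's
X.509 Subject, and an explicit failure when a collision is detected."""
import re
import secrets
import time
from dataclasses import dataclass

TOKEN_BYTES = 32          # 256 bits of entropy; accidental collisions are negligible
TOKEN_TTL_SECONDS = 3600  # assumed lifetime; the draft does not specify one

# Assumed syntax, roughly: token = 43base64url-char. secrets.token_urlsafe(32)
# always yields exactly 43 characters from this alphabet.
_TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{43}$")


def is_well_formed(token: str) -> bool:
    """Syntactic check a peer applies before any lookup."""
    return bool(_TOKEN_RE.match(token))


@dataclass
class PendingRequest:
    peer_subject: str   # X.509 Subject of the peer allowed to redeem the token
    created_at: float
    consumed: bool = False


class CallbackTokenRegistry:
    def __init__(self, ttl=TOKEN_TTL_SECONDS, now=time.time, gen=None):
        self._ttl = ttl
        self._now = now                  # injectable clock for testing expiry
        # Injectable generator so a collision can be simulated; default is a CSPRNG.
        self._gen = gen or (lambda: secrets.token_urlsafe(TOKEN_BYTES))
        self._pending: dict[str, PendingRequest] = {}

    def issue(self, peer_subject: str) -> str:
        """Create a token bound to peer_subject. A collision would let the
        callback for one request be delivered to another peer, so the
        registry refuses to overwrite rather than failing silently."""
        for _ in range(3):
            token = self._gen()
            if token not in self._pending:
                self._pending[token] = PendingRequest(peer_subject, self._now())
                return token
        raise RuntimeError("repeated token collision; generator is not random")

    def redeem(self, token: str, peer_subject: str) -> str:
        """What the receiving side does with a presented token.
        Returns 'ok', 'malformed', 'unknown', 'replayed', 'expired' or 'wrong-peer'."""
        if not is_well_formed(token):
            return "malformed"
        req = self._pending.get(token)
        if req is None:
            return "unknown"            # never issued, or already expired and purged
        if req.consumed:
            return "replayed"           # tokens are single use
        if self._now() - req.created_at > self._ttl:
            del self._pending[token]    # purge so the map cannot grow without bound
            return "expired"
        # Constant-time compare of the TLS-authenticated peer Subject to the bound one.
        if not secrets.compare_digest(req.peer_subject.encode(), peer_subject.encode()):
            return "wrong-peer"
        req.consumed = True
        return "ok"


if __name__ == "__main__":
    reg = CallbackTokenRegistry()
    tok = reg.issue("CN=rid.peer-a.example")
    print(tok, reg.redeem(tok, "CN=rid.peer-b.example"), reg.redeem(tok, "CN=rid.peer-a.example"))
```

The binding to the peer Subject is what ties the token back to the PKI text the review discusses: a token is only as strong as the TLS peer authentication that establishes who is presenting it.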