[secdir] Secdir review of draft-ietf-nsis-y1541-qosm-09
Brian Weis <BEW@cisco.com> Mon, 01 February 2010 23:33 UTC
Return-Path: <BEW@cisco.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id AE36328C163; Mon, 1 Feb 2010 15:33:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.474
X-Spam-Level:
X-Spam-Status: No, score=-9.474 tagged_above=-999 required=5 tests=[AWL=1.125, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id saAV0vySa4s8; Mon, 1 Feb 2010 15:33:42 -0800 (PST)
Received: from sj-iport-5.cisco.com (sj-iport-5.cisco.com [171.68.10.87]) by core3.amsl.com (Postfix) with ESMTP id C514828C0E2; Mon, 1 Feb 2010 15:33:13 -0800 (PST)
Authentication-Results: sj-iport-5.cisco.com; dkim=neutral (message not signed) header.i=none
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: ApoEAMLzZkurRN+K/2dsb2JhbADCdJdChEUE
X-IronPort-AV: E=Sophos;i="4.49,386,1262563200"; d="scan'208";a="143943526"
Received: from sj-core-4.cisco.com ([171.68.223.138]) by sj-iport-5.cisco.com with ESMTP; 01 Feb 2010 23:33:45 +0000
Received: from dhcp-128-107-163-125.cisco.com (dhcp-128-107-163-125.cisco.com [128.107.163.125]) by sj-core-4.cisco.com (8.13.8/8.14.3) with ESMTP id o11NXjnk016592; Mon, 1 Feb 2010 23:33:45 GMT
Message-Id: <D4D8B03D-B694-4393-A7AC-DF50315D592B@cisco.com>
From: Brian Weis <BEW@cisco.com>
To: secdir@ietf.org, iesg@ietf.org
Content-Type: text/plain; charset="US-ASCII"; format="flowed"; delsp="yes"
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v936)
Date: Mon, 01 Feb 2010 15:33:43 -0800
X-Mailer: Apple Mail (2.936)
Cc: nsis-chairs@tools.ietf.org, draft-ietf-nsis-y1541-qosm@tools.ietf.org
Subject: [secdir] Secdir review of draft-ietf-nsis-y1541-qosm-09
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Feb 2010 23:33:43 -0000
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. This document defines additional NSIS QSPEC objects, fitting into the NSIS QSPEC framework. This document simply adds new objects to that framework. While there are many security considerations to the use of the QSPEC framework, they seem to be covered by the reference to draft- ietf-nsis-qspec-24. The new objects do not inherently add any additional risks other than the ones mentioned. I believe the current Security Considerations text is sufficient. However, I did notice the following nits that the authors should address: 1. Section 3.1 introduces a QSPEC extension (Figure 1) without actually saying which protocol is being extended. This is very confusing for a reader not familiar with NSIS. It needs to name that protocol. (I see that Russ Housley has a current DISCUSS making this same comment.) 2. Section 4.4 refers to "the example given in Section 4.4 of [I- D.ietf-nsis-qspec]". Is that the right section? It discusses extensibility of QSPEC, but there's no example. 3. Reference [Y.1221] has "Y.1541" in its title rather than "Y.1221". 4. Reference [Y.2172] has "Y.1540" in its title rather than "Y.2172".