Re: [secdir] SecDir Review of draft-ietf-nfsv4-multi-domain-fs-reqs-09

Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com> Thu, 25 August 2016 16:02 UTC

To: Russ Housley <housley@vigilsec.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/fUEaFcgdLFOzXv71dMWayhx5XAA>
Cc: draft-ietf-nfsv4-multi-domain-fs-reqs.all@ietf.org, IESG <iesg@ietf.org>, IETF SecDir <secdir@ietf.org>

Hi, Russ,

Thank you for the review!

Spencer

On Thu, Aug 25, 2016 at 9:57 AM, Russ Housley <housley@vigilsec.com> wrote:

> I reviewed this document as part of the Security Directorate's ongoing
> effort to review all IETF documents being processed by the IESG.  These
> comments were written primarily for the benefit of the Security Area
> Directors.  Document authors, document editors, and WG chairs should
> treat these comments just like any other IETF Last Call comments.
>
> Version reviewed: draft-ietf-nfsv4-multi-domain-fs-reqs-09
>
>
> Summary: Ready
>
> Thank you for rewriting the Abstract and Introduction.  They are much
> improved.
>
>
> Major Concerns:  None.
>
>
> Minor Concerns:
>
> The first paragraph in Section 3 includes: "The issues with multi-domain
> deployments described in this document apply ...".  I do not think that
> "issues" is the right word.  To be consistent with the title of the
> document, it should be talking about guidance or deployment
> alternatives.
>
> In Section 6.2.1, it says:
>
>    Multiple security services per NFSv4 Domain is allowed, and brings
>    the issue of mapping multiple Kerberos 5 principal@REALMs to the same
>    local ID.  Methods of achieving this are beyond the scope of this
>    document.
>
> I think it would be better to use "need" instead of "issue".
>
>
> Nits:
>
> Please change "internet" to "Internet" throughout the document.
>
> In Section 2, "Stringified UID or GID" definition:  Please add "of" to
> the last sentence, so that it reads: "See Section 5.9 of [RFC5661]."
>
>