[secdir] sec-dir review of draft-pechanec-pkcs11uri-16

Derek Atkins <derek@ihtfp.com> Fri, 26 December 2014 18:23 UTC

From: Derek Atkins <derek@ihtfp.com>
To: iesg@ietf.org, secdir@ietf.org
Date: Fri, 26 Dec 2014 13:23:24 -0500
Archived-At: http://mailarchive.ietf.org/arch/msg/secdir/gRSdW0Y6y5KvVVRFC3ek1XeurJI
Cc: Darren.Moffat@Oracle.COM, Jan.Pechanec@Oracle.COM
Subject: [secdir] sec-dir review of draft-pechanec-pkcs11uri-16


I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written with the intent of improving
security requirements and considerations in IETF drafts.  Comments
not addressed in last call may be included in AD reviews during the
IESG review.  Document editors and WG chairs should treat these
comments just like any other last call comments.

I believe this document has no issues.

Editorial comments:

In section 1:

   A subset of existing PKCS#11 structure members and object attributes
   was chosen believed to be sufficient in uniquely identifying a
   PKCS#11 token, storage object, or library in a configuration file, on

This sentence is not just long but also awkward.  The phrase "was
chosen believed to be.." seems to be missing a conjunction and
possibly a verb.  Maybe this was meant to be two sentences that got
smushed together?

In section 3.3:

   PKCS#11 specification imposes various limitations on the value of
   attributes, be it a more restrictive character set for the "serial"

I think you need to start this sentence with an article, i.e. "The
PKCS#11 specification imposes..."

(I'll note that I did not validate the ABNF).


       Derek Atkins                 617-623-3745
       derek@ihtfp.com             www.ihtfp.com
       Computer and Internet Security Consultant