[secdir] secdir review of draft-ietf-dime-rfc3588bis-25
"Carl Wallace" <CWallace@cygnacom.com> Wed, 24 November 2010 18:58 UTC
Return-Path: <CWallace@cygnacom.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 94B4C3A697E; Wed, 24 Nov 2010 10:58:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.598
X-Spam-Level:
X-Spam-Status: No, score=-6.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1C2BKkJkC6Fc; Wed, 24 Nov 2010 10:58:17 -0800 (PST)
Received: from mail75.messagelabs.com (mail75.messagelabs.com [216.82.250.3]) by core3.amsl.com (Postfix) with SMTP id 28E1A3A6944; Wed, 24 Nov 2010 10:58:17 -0800 (PST)
X-VirusChecked: Checked
X-Env-Sender: CWallace@cygnacom.com
X-Msg-Ref: server-8.tower-75.messagelabs.com!1290625155!106478554!1
X-StarScan-Version: 6.2.9; banners=-,-,-
X-Originating-IP: [65.242.48.8]
Received: (qmail 18452 invoked from network); 24 Nov 2010 18:59:16 -0000
Received: from unknown (HELO scygexch1.cygnacom.com) (65.242.48.8) by server-8.tower-75.messagelabs.com with SMTP; 24 Nov 2010 18:59:16 -0000
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01CB8C09.B021AA0B"
X-MimeOLE: Produced By Microsoft Exchange V6.5
Date: Wed, 24 Nov 2010 13:59:13 -0500
Message-ID: <FAD1CF17F2A45B43ADE04E140BA83D48011D49ED@scygexch1.cygnacom.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: secdir review of draft-ietf-dime-rfc3588bis-25
Thread-Index: AcuMCUtS7iwykT0kT0GDC8IqMHmmbQ==
From: Carl Wallace <CWallace@cygnacom.com>
To: secdir@ietf.org, iesg@ietf.org, ietf@ietf.org
Cc: john.loughney@nokia.com, vf0213@gmail.com, jari.arkko@ericsson.com
Subject: [secdir] secdir review of draft-ietf-dime-rfc3588bis-25
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Nov 2010 18:58:18 -0000
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. This is a fairly long document and my review has been conducted in chunks, answers to some of the questions may be apparent on a subsequent reading. My primary concern is with authorization of nodes. Comments, questions and a few nits are below: - Section 2.1 should state TLS usage requires mutual authentication. At present, this is not mentioned until section 13. - In 2.6, there appears to be a stray sentence fragment: "Additional security information, when needed (e.g., keys, certificates)". Suggest adding a sentence two beneath if this is another item in the list. - In section 2.9, authorization checks are mandated but no mechanisms are defined. How is authorization performed? Is this related to the authorization checks described in 2.9? - What does this mean: "the domain name in the SRV query and the domain name in the target in the SRV record MUST both be valid based on the same site certificate"? - Should expand CA acronym in 5.2. - In 5.2, including OIDs in a certificate is not a useful authorization mechanism unless those values are processed across the path from the trust anchor to the server certificate (or there are some restrictions on the nature of the path or trust anchor store). What OIDs are meant here, extended key usage or certificate policy OIDs? - In 13.2, Are trust anchor stores per realm? If not how will relays be able to determine how to use authorization information? - May want to reference RFC 5280 to ensure full path validation (including revocation status determination) is performed. - In 5.1, the first bullet correlates to the state table in section 5.6. The second bullet does not. Should it? - Is the deprecation in 6.10 worth a SHOULD NOT? - The security considerations should include some words describing the consequences of inappropriately authenticating or authorizing a diameter node. - Should relays, agents etc. be required to authenticate to clients with the same identity used to authenticate to servers?
- [secdir] secdir review of draft-ietf-dime-rfc3588… Carl Wallace