IETF Logo Mail Archive

Re: [secdir] Secdir review: draft-ietf-mile-rfc6045-bis-05

<kathleen.moriarty@emc.com> Mon, 16 January 2012 13:55 UTC

Return-Path: <kathleen.moriarty@emc.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 56D3021F85DA; Mon, 16 Jan 2012 05:55:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.516
X-Spam-Level:
X-Spam-Status: No, score=-6.516 tagged_above=-999 required=5 tests=[AWL=0.083, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ueeZ-GhYH92z; Mon, 16 Jan 2012 05:55:04 -0800 (PST)
Received: from mexforward.lss.emc.com (mexforward.lss.emc.com [128.222.32.20]) by ietfa.amsl.com (Postfix) with ESMTP id 736CB21F85B8; Mon, 16 Jan 2012 05:55:04 -0800 (PST)
Received: from hop04-l1d11-si02.isus.emc.com (HOP04-L1D11-SI02.isus.emc.com [10.254.111.55]) by mexforward.lss.emc.com (Switch-3.4.3/Switch-3.4.3) with ESMTP id q0GDsq5p029465 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 16 Jan 2012 08:55:02 -0500
Received: from mailhub.lss.emc.com (mailhubhoprd04.lss.emc.com [10.254.222.226]) by hop04-l1d11-si02.isus.emc.com (RSA Interceptor); Mon, 16 Jan 2012 08:54:47 -0500
Received: from mxhub34.corp.emc.com (mxhub34.corp.emc.com [10.254.93.82]) by mailhub.lss.emc.com (Switch-3.4.3/Switch-3.4.3) with ESMTP id q0GDsk4a019601; Mon, 16 Jan 2012 08:54:46 -0500
Received: from mx06a.corp.emc.com ([169.254.1.153]) by mxhub34.corp.emc.com ([::1]) with mapi; Mon, 16 Jan 2012 08:54:46 -0500
From: kathleen.moriarty@emc.com
To: leifj@sunet.se, secdir@ietf.org, draft-ietf-mile-rfc6045-bis.all@tools.ietf.org, iesg@ietf.org
Date: Mon, 16 Jan 2012 08:54:45 -0500
Thread-Topic: Secdir review: draft-ietf-mile-rfc6045-bis-05
Thread-Index: AczUNiTspYAh0W1uQy+8X1SNhyYRqwAH4Qdw
Message-ID: <AE31510960917D478171C79369B660FA0E2BE16DBB@MX06A.corp.emc.com>
References: <4F13F5AE.9060205@sunet.se>
In-Reply-To: <4F13F5AE.9060205@sunet.se>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-EMM-MHVC: 1
Subject: Re: [secdir] Secdir review: draft-ietf-mile-rfc6045-bis-05
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Jan 2012 13:55:05 -0000

Hello Leif,

Thank you very much for the security review!

I agree with your comments on PKI and will update the draft accordingly.  I agree that keys could be shared directly or that a consortium may be the provider of keys so that there is only one PKI for the entire sharing group as an alternative to each participant having a PKI (that would be a barrier to use if it were required).

Sean Turner had provided some specific guidance on the updates RFC6045 that I have ready to go in the next revision.  This included some comments from David Harrington where they assisted with recommended text on how this should be handled.

I will clean up the use of NP/Network Provider as well.

Thank you,
Kathleen

-----Original Message-----
From: Leif Johansson [mailto:leifj@sunet.se] 
Sent: Monday, January 16, 2012 5:02 AM
To: secdir@ietf.org; draft-ietf-mile-rfc6045-bis.all@tools.ietf.org; iesg@ietf.org
Subject: Secdir review: draft-ietf-mile-rfc6045-bis-05

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the IESG.
These comments were written primarily for the benefit of the security
area directors.  Document editors and WG chairs should treat these
comments just like any other last call comments.

These document updates RFC6045 - Real-time Inter-network Defence (RID)

The document defines a way to communicate IODEF objects between Service
Providers. In general I find the document well written and I especially
like the way the XML schema is described in ASCII graphics.

A few comments:

- - The term "Network Provider" is still used in parts of the document
where it might be better to be consistent with the new term "Service
Provider" (the name-change is announced in the introduction).

- - The introduction states that the document moves RFC6505 to Historic
status and also that it updates RFC6505. This is confusing to me. It
seems like this is a simple case of an update that changes the document
status (Informational -> Standards Track) and I'm not sure Historic
needs to enter into it.

- - The discussions on PKI issues and trust is quite good but I would
have liked to see an explicit mention of the fact that strong name-
key binding is the key to establishing a good trust infrastructure. The
use of PKI is strongly encouraged but for smaller consortia it would
be entirely feasible to establish the required level of trust by
manually sharing keys instead of running a PKI.

- - The security considerations section re-iterates a dependency on PKI
and PKI federations to fulfill the trust requirements of RID consortia.
However it is worth noting that very few examples of the type of PKI
federations that RID depend on, exist in the wild.

	Cheers Leif
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk8T9asACgkQ8Jx8FtbMZndm7ACfaMed3PP8yZcLCOAbvfAk6QsN
Lx8An1G/mntbsaGHJp8OQ88tgjawpx6d
=qsnU
-----END PGP SIGNATURE-----

v2.23.0 | Report a Bug | By Email