[secdir] SECDIR Review of draft-nottingham-rfc7320bis-02

Donald Eastlake <d3e3e3@gmail.com> Sat, 14 December 2019 18:02 UTC

From: Donald Eastlake <d3e3e3@gmail.com>
Date: Sat, 14 Dec 2019 13:02:24 -0500
Message-ID: <CAF4+nEH7EbC2X9hoGGKSVzmEjgMaiVxt5w5+_6zxV99KJyv8Cw@mail.gmail.com>
To: draft-nottingham-rfc7320bis.all@ietf.org
Cc: secdir <secdir@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/miVkGG5AlRRT8AOGYVHTtop7muo>
Subject: [secdir] SECDIR Review of draft-nottingham-rfc7320bis-02

I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG. Document
editors and WG chairs should treat these comments just like any other last
call comments.

The summary of the review is Ready with Nits.

This draft looks fine from a security point of view. I agree with the
Security Considerations that the draft prohibits some URI specification
practices that could lead to security problems.

However, maybe I was being dense, but I found it pretty hard to grasp the
details of exactly what the draft was saying. No doubt someone who lives in
the world of URIs all the time would have had an easier time. Nevertheless,
I think the draft would be vastly improved by adding 10 to 20 examples
showing URIs that are both good and bad rather than having only descriptive
text of what are good and bad practices. At least I think that would have made
it much easier for me to understand and would have reduced, perhaps to one,
the number of times I needed to read the draft to feel that I really
understood it.

Thanks,
Donald
===============================
 Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
 2386 Panoramic Circle, Apopka, FL 32703 USA
 d3e3e3@gmail.com