[secdir] SECDIR Review of draft-ietf-repute-model-08

Donald Eastlake <d3e3e3@gmail.com> Wed, 04 September 2013 02:37 UTC

From: Donald Eastlake <d3e3e3@gmail.com>
Date: Tue, 03 Sep 2013 22:36:54 -0400
Message-ID: <CAF4+nEGS6e=YVjRu5gfixyEsLku0sfU88N=zaonG0bACDxNrFQ@mail.gmail.com>
To: "iesg@ietf.org" <iesg@ietf.org>, draft-ietf-repute-model.all@tools.ietf.org
Cc: "secdir@ietf.org" <secdir@ietf.org>
Subject: [secdir] SECDIR Review of draft-ietf-repute-model-08

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  Document editors and WG chairs should treat these comments just
like any other last call comments.

The Security Consideration section of this draft is fine, considering
how high-level this document is, but I think there are some problems
in the rest of the document as indicated below.

This high-level document describes a general architecture for a
reputation-based service and a model for requesting reputation-related
data over the Internet.

Minor Problems:

Section 1:
  The last sentence of the first paragraph could be read to imply that
lack of authentication is the primary cause of spam. In this era of
botnets, I don't think that's true. Perhaps "... leads to spam,
phishing, and other attacks." should say "... makes spam, phishing,
and other attacks even easier than they would otherwise be." or
something like that.

Section 4.1.1:
  My guess is that the values of a "Rating" are floating point in the
range 0.0 to 1.0 but it doesn't actually say that... If so, why isn't
the example "1.0" said to indicate "exact agreement" or the like
instead of "strong agreement"? Would 2.0 indicate "very strong
agreement"?

Section 4.2:
  It appears that "Reputon" and "Response Set" are the same thing. Is
that true? If so, my personal opinion is that, while the word
"Reputon" may be cute, it should just be tossed as superfluous.

Section 5:
  This section seems in some ways like the heart of the document but
it also seems a bit blurry. Even at a high level, I would think that
there could be an explicit cardinality associated with these bullet
items. That is, it should say for each (or for all in the case it is
the same for all of them) if they can be omitted, whether or not they
must occur at least once, and if they can occur multiple times.
  Is "application context" the same as what quality is being rated? I
would think not. For example, couldn't the application be "restaurant
recommendation" and then couldn't there be, say, four ratings, one for
food quality, one for price, one for decor, and one for service? If
so, why isn't what the rating measures an additional bullet item or
part of the rating score item? On the other hand, the rating score
item says "overall rating score" implying there can only be one...

Section 6:
  Suddenly, in this section, for the first time, we have the
capitalized word "Target". Why isn't this defined in Section 4 on
terminology and definitions? I suppose it means something like the
pair of identity of the entity being rated and the application
context?

Trivia:

Section 1:
  In paragraph 3 the definition of "reputation" uses the word
"estimation" in an uncommon way that might confuse some readers. I
think it could use something like the word "esteem" instead. The word
"opinion" could also be used but would require minor corresponding
changes. This occurs within quoted text that looks like it is copied
from somewhere else. If so, shouldn't that source be referenced?

Section 3:
  The Figure 1 footer should be on the same page as the figure.

Section 4.1:
  In the last sentence of the 2nd paragraph at the end of page 7, I
would strongly prefer "specify" to "define" but that might be a
personal quirk.