Re: [secdir] Secdir review of draft-ietf-mile-enum-reference-format-10

"Adam W. Montville" <adam.w.montville@gmail.com> Fri, 12 December 2014 17:15 UTC

Return-Path: <adam.w.montville@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B22C71A1BAA; Fri, 12 Dec 2014 09:15:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HGQhRvjJltq8; Fri, 12 Dec 2014 09:15:37 -0800 (PST)
Received: from mail-ob0-x236.google.com (mail-ob0-x236.google.com [IPv6:2607:f8b0:4003:c01::236]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EB1191A6FBE; Fri, 12 Dec 2014 09:15:36 -0800 (PST)
Received: by mail-ob0-f182.google.com with SMTP id wo20so9122507obc.13 for <multiple recipients>; Fri, 12 Dec 2014 09:15:36 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=EEIaENm6yJIOWBbCBrv03oIzjU/IjeiHC4ZY9d1mVy0=; b=CzQJqhTZ8MGMWOQn5Ep6xVIl9rS9yoVUJBvw8Oot3uCm2gpJOsIOhTsDC9ZFczUKaL LYzioO+hrkE7MZNRwwvtI0JixhAJimImH0cEg/LNIL/6952pKNFyfauGGvdhZKx/9I+i N0GjxGMs0K5A+bAZMslK2cG05mcT7xhTKJK52ajYp5cvWXZZv5b36RxOYartcOPygn4S Ug8kzTQxpqy3H97A/GdwN1eoklbWnBId9oXeSXqZ2uUTMmbA1bZKDc6Qp0gbqFElAHkO DX+lC98lk81/EvzcspESe/DLMz10NyP7prZ7YUxRocpXskDmJuc6qvBqsvLPamRi6HrX vaog==
X-Received: by 10.60.67.7 with SMTP id j7mr7417487oet.80.1418404536145; Fri, 12 Dec 2014 09:15:36 -0800 (PST)
Received: from ?IPv6:2602:306:3406:4f00:1111:5e16:86f:8e4d? ([2602:306:3406:4f00:1111:5e16:86f:8e4d]) by mx.google.com with ESMTPSA id rh7sm787096oeb.0.2014.12.12.09.15.34 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Fri, 12 Dec 2014 09:15:35 -0800 (PST)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 8.1 \(1993\))
From: "Adam W. Montville" <adam.w.montville@gmail.com>
In-Reply-To: <C72CBD9FE3CA604887B1B3F1D145D05EA9DEAB78@nkgeml507-mbs.china.huawei.com>
Date: Fri, 12 Dec 2014 11:15:33 -0600
Content-Transfer-Encoding: quoted-printable
Message-Id: <6A8E604C-DC8C-410E-A2F4-79B401FD0515@gmail.com>
References: <6BAB7B9A-1A70-4957-ADC2-1836F22A4219@cisco.com> <C72CBD9FE3CA604887B1B3F1D145D05EA9DEAB78@nkgeml507-mbs.china.huawei.com>
To: "Zhangdacheng (Dacheng)" <zhangdacheng@huawei.com>
X-Mailer: Apple Mail (2.1993)
Archived-At: http://mailarchive.ietf.org/arch/msg/secdir/ppw7Y8Es8nNHpZCr7XnjEmAF608
Cc: The IESG <iesg@ietf.org>, "draft-ietf-mile-enum-reference-format.all@tools.ietf.org" <draft-ietf-mile-enum-reference-format.all@tools.ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] Secdir review of draft-ietf-mile-enum-reference-format-10
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Dec 2014 17:15:40 -0000

Hi Dacheng,

Thank you for your review…responses inline.

Adam

> On Dec 9, 2014, at 9:50 PM, Zhangdacheng (Dacheng) <zhangdacheng@huawei.com> wrote:
> 
> I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.
> 
> This document is establishing a container for publicly available enumeration values to be included in an IODEF [IODEF] document. Several questions about the proposed solution are listed as follows. 
> 1)	In this specification, a given enumeration is uniquely identified by the specIndex attribute. However the usage of ID is not clearly introduced. In the security consideration section, it is mentioned that the miss-match between the index and the ID may cause problem. Could you please give me some clues?

The enumeration specification is identified, so that the ID expressed in a given IODEF (note v2 not v1) is understood.  The ID is a reference to a set of further information to be acquired through other means.  As an example, discovered vulnerabilities are often given a Common Vulnerability Enumeration (CVE) identifier.  This ID would be in the <iodef:enum:ID> element, and the specification for that ID’s format is what is pointed to by the IANA registry.  


> 2)	Where is section 2.2?

Good catch, thank you.

> 3)	In the abstract, it is stated that "This memo establishes a stand-alone data format to include both the external specification and specific enumeration value,. However, I didn't find the specific enumeration value in the example provided in Section 2.1:
> "      <iodef:Reference>
>         <iodef-enum:ReferenceName specIndex="1">
>            <iodef-enum:ID>CXI-1234-XYZ</iodef-enum:ID>
>         </iodef-enum:ReferenceName>
>         <iodef:URL>http://cxi.example.com</iodef:URL>
>         <iodef:Description>Foo</iodef:Description>
>      </iodef:Reference>
> “

That sentence should probably read (emphasis added): This memo establishes a stand-alone data format to include both the external specification and specific enumeration *identification* value.

> Cheers
> 
> Dacheng
> 
> _______________________________________________
> secdir mailing list
> secdir@ietf.org
> https://www.ietf.org/mailman/listinfo/secdir
> wiki: http://tools.ietf.org/area/sec/trac/wiki/SecDirReview