[secdir] secdir review of draft-ietf-precis-problem-statement-08

"Scott G. Kelly" <scott@hyperthought.com> Thu, 18 October 2012 12:51 UTC

Return-Path: <scott@hyperthought.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 1AF3B21F87DB for <secdir@ietfa.amsl.com>; Thu, 18 Oct 2012 05:51:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id yuGXWErOVzHQ for <secdir@ietfa.amsl.com>; Thu, 18 Oct 2012 05:51:04 -0700 (PDT)
Received: from smtp152.iad.emailsrvr.com (smtp152.iad.emailsrvr.com []) by ietfa.amsl.com (Postfix) with ESMTP id 88DEE21F87D8 for <secdir@ietf.org>; Thu, 18 Oct 2012 05:51:04 -0700 (PDT)
Received: from localhost (localhost.localdomain []) by smtp45.relay.iad1a.emailsrvr.com (SMTP Server) with ESMTP id E954017817F; Thu, 18 Oct 2012 08:51:03 -0400 (EDT)
X-Virus-Scanned: OK
Received: from legacy31.wa-web.iad1a (legacy31.wa-web.iad1a.rsapps.net []) by smtp45.relay.iad1a.emailsrvr.com (SMTP Server) with ESMTP id C834517813E; Thu, 18 Oct 2012 08:51:03 -0400 (EDT)
Received: from hyperthought.com (localhost []) by legacy31.wa-web.iad1a (Postfix) with ESMTP id B881C1D4A325; Thu, 18 Oct 2012 08:51:03 -0400 (EDT)
Received: by apps.rackspace.com (Authenticated sender: scott@hyperthought.com, from: scott@hyperthought.com) with HTTP; Thu, 18 Oct 2012 05:51:03 -0700 (PDT)
Date: Thu, 18 Oct 2012 05:51:03 -0700 (PDT)
From: "Scott G. Kelly" <scott@hyperthought.com>
To: "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, draft-ietf-precis-problem-statement.all@tools.ietf.org
MIME-Version: 1.0
Content-Type: text/plain;charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Importance: Normal
X-Priority: 3 (Normal)
X-Type: plain
Message-ID: <1350564663.7544355@apps.rackspace.com>
X-Mailer: webmail7.0
Subject: [secdir] secdir review of draft-ietf-precis-problem-statement-08
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Oct 2012 12:51:05 -0000

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments.

This is a problem statement document that describes issues and considerations for development of a replacement for Stringprep (RFC3454). It is intended for publication as an Informational RFC. 

Here is the entirety of the Security Considerations section:

   This document merely states what problems are to be solved, and does
   not define a protocol.  There are undoubtedly security implications
   of the particular results that will come from the work to be

When I first saw this, I thought it seemed reasonable. Then I went to the RFC editor page and searched for "problem statement". I looked at the first 4 in the list (6707, 6646, 6606, and 6567), and they each have considerably more in the security considerations section. They talk about the security-related problems to be solved without recommending specific solutions (which seems appropriate for a problem statement). They stay at a high level, but they do discuss security issues to be addressed, and if these documents were reviewed by this group prior to publication, they presumably do so completely. 

This document should probably do the same.