[secdir] Secdir review of draft-ietf-drinks-spp-framework

Paul Hoffman <paul.hoffman@vpnc.org> Sun, 19 August 2012 01:18 UTC

Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F2E5221F84CD; Sat, 18 Aug 2012 18:18:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.579
X-Spam-Level:
X-Spam-Status: No, score=-102.579 tagged_above=-999 required=5 tests=[AWL=0.020, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pMXbSEMge7Xw; Sat, 18 Aug 2012 18:18:58 -0700 (PDT)
Received: from hoffman.proper.com (IPv6.Hoffman.Proper.COM [IPv6:2605:8e00:100:41::81]) by ietfa.amsl.com (Postfix) with ESMTP id 39C3321F84CE; Sat, 18 Aug 2012 18:18:58 -0700 (PDT)
Received: from [10.20.30.108] (50-1-50-97.dsl.dynamic.fusionbroadband.com [50.1.50.97]) (authenticated bits=0) by hoffman.proper.com (8.14.5/8.14.5) with ESMTP id q7J1ItuG093132 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Sat, 18 Aug 2012 18:18:56 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
From: Paul Hoffman <paul.hoffman@vpnc.org>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Date: Sat, 18 Aug 2012 18:18:55 -0700
Message-Id: <14DB90CC-BF75-4EBC-8348-29E85D678DDE@vpnc.org>
To: drinks@ietf.org
Mime-Version: 1.0 (Mac OS X Mail 6.0 \(1485\))
X-Mailer: Apple Mail (2.1485)
Cc: secdir <secdir@ietf.org>
Subject: [secdir] Secdir review of draft-ietf-drinks-spp-framework
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 19 Aug 2012 01:18:59 -0000

Greetings. I have been requested to review draft-ietf-drinks-spp-framework for the Security Directorate. This review is being done during WG Last Call instead of IETF Last Call as a special request. I note that literally no one has spoken up in the WG during WG Last Call since it began three weeks ago.

SPPF is a protocol for provisioning session establishment data into data registries and SIP service providers. Well, actually it's not. It is a description of the data format and some handwaving about how to transport that data. The mandatory-to-implement transport is listed in a different document, draft-ietf-drinks-spp-protocol-over-soap (for which there is no reference in this document...).

The transport protocol requirements listed in section 4 of this document are fairly generic, as are the security requirements. The descriptions of the transport requirements are fine. The security requirements are not so great: while servers MUST be able to authenticate clients, confidentiality and integrity protection SHOULD be provided. Given that the mandatory-to implement transport is SOAP, this approximately translates to "must do some sort or minimal client authentication, should consider using TLS but lots of clients and servers probably won't actually do it". I think that undershoots moderns security practices, which would have TLS be mandatory.

Even though this is a security review, I cannot resist a non-security question: SOAP? In 2012? Really? <sigh>

--Paul Hoffman