Re: [secdir] Review of draft-ietf-xcon-common-data-model-27.txt
Oscar Novo <oscar.novo@ericsson.com> Fri, 27 May 2011 12:46 UTC
From: Oscar Novo <oscar.novo@ericsson.com>
To: Tero Kivinen <kivinen@iki.fi>, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Date: Fri, 27 May 2011 14:46:47 +0200
Cc: "draft-ietf-xcon-common-data-model.all@tools.ietf.org" <draft-ietf-xcon-common-data-model.all@tools.ietf.org>
Subject: Re: [secdir] Review of draft-ietf-xcon-common-data-model-27.txt
Hi Tero,

Comment inline:

-----Original Message-----
From: Tero Kivinen [mailto:kivinen@iki.fi]
Sent: 27 May 2011 15:09
To: iesg@ietf.org; secdir@ietf.org
Cc: draft-ietf-xcon-common-data-model.all@tools.ietf.org
Subject: Review of draft-ietf-xcon-common-data-model-27.txt

This is a re-review of the draft I already reviewed on 2011-03-03. The current draft contains some small changes done since, but I do not think it solves the issues I raised in my previous review:

1) The confidentiality is not mandatory even in the cases where the database contains sensitive elements (passwords); it is only SHOULD.

[ON] In the new version of the draft (28) I have changed the text a bit:

"The confidentiality of the database SHOULD be protected from unauthorized users, given that the data model contains a set of sensitive elements (e.g., passwords), and it is RECOMMENDED the database uses encryption mechanisms if the information is stored in long term storage (e.g., disk)."

2) The privacy issues are not covered enough. The current version added a specific pointer to section 11.2 of RFC5239, but that only covers one very small privacy issue, i.e. anonymous access. It does not cover gathering sensitive privacy information in the database, i.e. who participated in which conferences and with whom.

[ON] We don't think this document should solve questions such as "who participated in which conferences and with whom?". And the working group agreed to leave the policy outside this document for future documents.

My previous review can be found at http://www.ietf.org/mail-archive/web/secdir/current/msg02482.html
--
kivinen@iki.fi
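The exchange above turns on whether sensitive elements (passwords) in the XCON conference data model are protected when the database is written to long-term storage. The following is an added illustration, not code from the draft, the working group, or either reviewer: it takes a constructed conference-info document, replaces the password element with a salted scrypt hash before the document is persisted, and verifies a candidate password against the stored form. Hashing (rather than the reversible encryption the draft text mentions) is a deliberate substitution so the example runs with the Python standard library alone; the namespace URI, the element name `conference-password`, and the `scrypt$salt$hash` storage format are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET

# Assumed namespace and element name for the example; check the data model
# schema for the real names before reusing this.
XCON_NS = "urn:ietf:params:xml:ns:xcon-conference-info"
PASSWORD_TAG = f"{{{XCON_NS}}}conference-password"
ET.register_namespace("xcon", XCON_NS)

# scrypt work factors (assumed values; tune for the deployment)
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1

# Constructed sample document, not taken from the draft.
SAMPLE_DOC = (
    f'<xcon:conference-info xmlns:xcon="{XCON_NS}" '
    'entity="xcon:conf123@example.com">'
    "<xcon:conference-description>"
    "<xcon:display-text>Weekly sync</xcon:display-text>"
    "</xcon:conference-description>"
    "<xcon:conference-password>hunter2</xcon:conference-password>"
    "</xcon:conference-info>"
)


def scrypt_hash(password: str, salt: bytes) -> bytes:
    """Derive a fixed-length digest from the password and salt."""
    return hashlib.scrypt(
        password.encode("utf-8"), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P
    )


def protect_passwords(xml_text: str) -> str:
    """Return the document with every plaintext password element replaced
    by 'scrypt$<salt hex>$<digest hex>'. Already-protected values are left
    untouched so the function is safe to run more than once."""
    root = ET.fromstring(xml_text)
    for elem in root.iter(PASSWORD_TAG):
        value = elem.text or ""
        if value.startswith("scrypt$"):
            continue
        salt = secrets.token_bytes(16)
        digest = scrypt_hash(value, salt)
        elem.text = f"scrypt${salt.hex()}${digest.hex()}"
    return ET.tostring(root, encoding="unicode")


def stored_password(xml_text: str) -> str:
    """Extract the (protected) password value from a document."""
    root = ET.fromstring(xml_text)
    elem = root.find(f".//{PASSWORD_TAG}")
    if elem is None or not elem.text:
        raise ValueError("no conference-password element present")
    return elem.text


def verify_password(stored: str, candidate: str) -> bool:
    """Check a candidate password against the stored scrypt record using a
    constant-time comparison."""
    try:
        scheme, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "scrypt":
        return False
    expected = bytes.fromhex(digest_hex)
    actual = scrypt_hash(candidate, bytes.fromhex(salt_hex))
    return hmac.compare_digest(expected, actual)


if __name__ == "__main__":
    on_disk = protect_passwords(SAMPLE_DOC)
    print(on_disk)
    record = stored_password(on_disk)
    print("correct password accepted:", verify_password(record, "hunter2"))
    print("wrong password rejected:", not verify_password(record, "letmein"))
```

The document written to disk no longer carries the plaintext; only the salted digest is stored, and a verifier can still confirm a participant's password without it. Where the password must later be presented in clear (for example, to hand to a client), this hashing step is not applicable and an encrypted store is needed instead, which is the case the draft's wording has in mind.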