[sipcore] FW: OPS-DIR review of draft-ietf-sipcore-sec-flows-06

<david.black@emc.com> Fri, 03 December 2010 20:26 UTC

From: david.black@emc.com
To: sipcore@ietf.org
Date: Fri, 03 Dec 2010 15:27:00 -0500

From: Black, David 
Sent: Friday, December 03, 2010 3:25 PM
To: Cullen Jennings; kumiko@cs.columbia.edu; rjsparks@estacado.net; brian@estacado.net; 'ops-dir@ietf.org'
Cc: Black, David; Adam Roach; Paul Kyzivat
Subject: OPS-DIR review of draft-ietf-sipcore-sec-flows-06

I have performed an Operations Directorate review of draft-ietf-sipcore-sec-flows-06.

Operations directorate reviews are solicited primarily to help the area directors improve their efficiency, particularly when preparing for IESG telechats, and allowing them to focus on documents requiring their attention and spend less time on the trouble-free ones.  Improving the documents is important, but clearly a secondary purpose.  A third purpose is to broaden the OpsDir reviewers' exposure to work going on in other parts of the IETF.

Reviews from OpsDir members do not in and of themselves cause the IESG to raise issue with a document. The reviews may, however, convince individual IESG members to raise concern over a particular document requiring further discussion. The reviews, particularly those conducted in last call and earlier, may also help the document editors improve their documents.

--------------

Summary: This draft is basically ready for publication, but has nits that should be fixed before publication.

This draft is aimed at improving the productivity of SIP over TLS interoperability events and the interoperability of SIP over TLS implementations.  As such, it's a positive contribution to network operations and management, as improved interoperability reduces operational issues that would otherwise arise.

I found a few nits and have a few suggestions:

The CA certificate uses a 1024-bit RSA key, whereas the host and user certificates use 2048-bit RSA keys.  This results in using a 1024-bit RSA key to vouch for the validity of 2048-bit RSA keys.  While acceptable for interoperability testing, this is not good operational security practice - I would suggest asking a PKIX expert (e.g., Steve Kent) for appropriate language to warn about this.

At the end of Section 2.2, the Section citation from RFC 5280 is wrong.  Sections 6.1 and 6.2 should be cited, instead of just Section 6.1.4.  Also, the CRL checking in Section 6.3 of RFC 5280 should be added as a reference cited in the last paragraph of the security considerations section.

Somewhere, probably in Section 5, a warning should be added that the certificate path validation algorithm is a complex algorithm for which *all* the details matter - there are numerous ways in which failing to precisely implement the algorithm as specified in Section 6 of RFC 5280 can create a security flaw, a simple example of which is the failure to check the expiration date that is already mentioned in Section 5.

Thanks,
--David
----------------------------------------------------
David L. Black, Distinguished Engineer
EMC Corporation, 176 South St., Hopkinton, MA  01748
+1 (508) 293-7953             FAX: +1 (508) 293-7786
david.black@emc.com        Mobile: +1 (978) 394-7754
----------------------------------------------------
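
Added example, not part of the original message or of the draft: a lint over a constructed certificate chain that flags two of the issues raised in the review, an issuer key weaker than the key it certifies and a certificate outside its validity period. It assumes the Python `cryptography` package; the function names and certificate subjects are hypothetical, and the check is not a replacement for RFC 5280 Section 6 path validation.

```python
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_cert(cn, key, issuer_cn, issuer_key, not_before, not_after):
    """Build a constructed sample certificate for `cn`, signed by `issuer_key`."""
    return (x509.CertificateBuilder()
            .subject_name(_name(cn)).issuer_name(_name(issuer_cn))
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(not_before).not_valid_after(not_after)
            .sign(issuer_key, hashes.SHA256()))


def lint_chain(chain, now):
    """chain[0] is the end-entity certificate, chain[-1] the self-signed root.

    `now` is a naive UTC datetime. Returns a list of findings (strings)."""
    findings = []
    for i, cert in enumerate(chain):
        cn = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
        # Expiry check: the "simple example" of a path validation detail.
        if not (cert.not_valid_before <= now <= cert.not_valid_after):
            findings.append(f"{cn}: outside validity period")
        # The root is its own issuer, so it is compared against itself.
        issuer = chain[min(i + 1, len(chain) - 1)]
        bits, issuer_bits = cert.public_key().key_size, issuer.public_key().key_size
        if issuer_bits < bits:
            findings.append(f"{cn}: {bits}-bit key vouched for by {issuer_bits}-bit issuer key")
    return findings


def sample_chain(now):
    """Constructed chain: 1024-bit CA key signing an expired 2048-bit host cert."""
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=1024)
    host_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    day = dt.timedelta(days=1)
    ca = make_cert("Test CA", ca_key, "Test CA", ca_key, now - 30 * day, now + 30 * day)
    host = make_cert("host.example", host_key, "Test CA", ca_key, now - 30 * day, now - day)
    return [host, ca]
```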