[secdir] SECDIR Review of draft-ietf-pcp-description-option-02

Phillip Hallam-Baker <hallam@gmail.com> Fri, 15 November 2013 00:56 UTC

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

The document adds a 'description' option to the PCP protocol. The
description does not have defined semantics in PCP. As such the Security
Considerations relies on the considerations in the PCP specification.

This seems ill advised to me. Even though the field has no semantics in PCP
it is essentially the equivalent of a TXT RR in the DNS, possibly the most
over-used and abused RR in the DNS protocol.

If the description option is added then people are going to start using it
to define site local semantics unless there is some other mechanism for
that purpose. I suggest that the draft authors either add a description of
how to use the PCP mechanisms for this purpose (if applicable) or describe
a mechanism to support this use and preferably providing some sort of
protection against collisions.

Such a mechanism needs to consider the authenticity of the data provided
and the risk that it might disclose data to another application.


-- 
Website: http://hallambaker.com/