Last Call Review of draft-farrell-perpass-attack-03
review-farrell-perpass-attack-03-genart-lc-brim-2014-01-02-00

Request Review of draft-farrell-perpass-attack
Requested rev. no specific revision (document currently at 06)
Type Last Call Review
Team General Area Review Team (Gen-ART) (genart)
Deadline 2013-12-31
Requested 2013-12-05
Other Reviews Genart Last Call review of -04 by Scott Brim (diff)
Genart Telechat review of -05 by Scott Brim (diff)
Secdir Last Call review of -02 by Adam Montville (diff)
Opsdir Last Call review of -03 by Dan Romascanu (diff)
Review State Completed
Reviewer Scott Brim
Review review-farrell-perpass-attack-03-genart-lc-brim-2014-01-02
Posted at http://www.ietf.org/mail-archive/web/gen-art/current/msg09508.html
Reviewed rev. 03 (document currently at 06)
Review result Ready with Nits
Draft last updated 2014-01-02
Review completed: 2014-01-02

Review
review-farrell-perpass-attack-03-genart-lc-brim-2014-01-02

I am the assigned Gen-ART reviewer for this draft. For background on
Gen-ART, please see the FAQ at

<

http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>.

Please resolve these comments along with any other Last Call comments
you may receive.

Document: draft-farrell-perpass-attack-03
Reviewer: Scott Brim
Review Date: 2013-12-28
IETF LC End Date: 2013-12-31
IESG Telechat date: 2014-01-23

Summary: Ready for BCP, with one minor issue and some nits

Major issues:

Minor issues:

  We've spent a lot of time on this draft and it looks good. I have one
  remaining minor issue:

  > Participants at that meeting
  > therefore expressed strong agreement that this was an attack that

  This is inconsistent with later text that says some monitoring is not an
  attack. To avoid inconsistency, I suggest adding a few words, e.g.:
  "this can only be treated as an attack", or "this should be treated as
  an attack" instead of just "this was an attack".

Nits/editorial comments:

  > protocol meta-data such as headers

  I've never seen metadata hyphenated before. Please fix.

  > The same techniques can be used
  > regardless of motivation and we cannot defend against the most
  > nefarious actors while allowing monitoring by other actors no matter
  > how benevolent some might consider them to be

  In order to make the justification clear, I suggest

    (1) change "can be used" to "are used" -- they already are, and
    that's significant.

    (2) In the middle, add another justifying clause: "motivation, and
    since we cannot distinguish motive, we cannot defend" ...

  > Protocols that mitigate
  > pervasive monitoring will not prevent the attack

  Add "necessarily": ... not necessarily prevent ...

  > It is nonetheless timely to revisit the security of our standards.

  s/nonetheless/thus/ since you gave the justifications above.
  "Nonetheless" doesn't make sense here.

  > monitoring in the case of Certificate Transparency.  [RFC6962] There

  Reference is in the wrong place.

Thanks for all the work ... Scott