Last Call Review of draft-hollenbeck-rfc4930bis-

Request Review of draft-hollenbeck-rfc4930bis
Requested rev. no specific revision (document currently at 02)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2009-07-14
Requested 2009-05-19
Authors Scott Hollenbeck
Draft last updated 2009-07-18
Completed reviews Secdir Last Call review of -?? by Catherine Meadows
Assignment Reviewer Catherine Meadows
State Completed
Review review-hollenbeck-rfc4930bis-secdir-lc-meadows-2009-07-18
Review completed: 2009-07-18


I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments.

Note: I recently submitted a review of draft-hollenbeck-rfc4933bis-02. That was a mistake on my part; that was not the document I was supposed to review. Sandy Murphy is down for reviewing that one. I am supposed to review this one. This document is the update of the base specification of EPP, and so is related to rfc4933bis-02.

I've also had some discussion with Sandy about the issue she raised with respect to draft-hollenbeck-rfc4933bis-02. That is actually what I first thought it was: EPP only does a weak form of authentication. So it depends on strong authentication done at the transport level or application level. However, there is nothing in the document that I can see that says that the EPP ID must match the transport ID. Thus, if it is relying on the authentication being done at the transport level, there appears to be nothing to prevent the transport level channel being replaced by another one at some point. I am not enough of an expert on EPP to make a definite recommendation as to how or whether this needs to be addressed, but I feel that this is something that needs to be brought to the attention of the IESG and discussed in the next telechat. If the issue does need to be addressed, rfc4930bis is the place where it should be handled.


Catherine Meadows

Naval Research Laboratory

Code 5543

4555 Overlook Ave., S.W.

Washington DC, 20375

phone: 202-767-3490

fax: 202-404-7942


catherine.meadows at
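
The review above observes that nothing requires the EPP ID to match the transport ID. As an added illustration (not part of the review or of the draft), the following Python example shows one form a server-side binding check could take: the client ID given at EPP login must map to the identity authenticated on the channel, and that identity is re-checked on every command. The provisioning table, fingerprints, and class and function names are hypothetical.

```python
# Added illustration, not from the draft or the review. All names here
# (REGISTRAR_CERTS, EppSession, the fingerprints) are hypothetical.
import hmac

# Constructed provisioning table: EPP client ID -> fingerprint of the TLS
# client certificate that registrar is expected to present.
REGISTRAR_CERTS = {
    "registrar-a": "aa11" * 16,
    "registrar-b": "bb22" * 16,
}


class BindingError(Exception):
    """The EPP-level identity does not match the transport-level identity."""


class EppSession:
    def __init__(self):
        self.clid = None       # identity claimed in the EPP login
        self.bound_fp = None   # transport identity recorded at login

    def login(self, clid, password_ok, channel_fp):
        # The password check alone is the weak, EPP-level authentication.
        if not password_ok:
            raise BindingError("EPP login rejected")
        expected = REGISTRAR_CERTS.get(clid)
        # Require that the channel was authenticated as the same registrar.
        if expected is None or not hmac.compare_digest(expected, channel_fp):
            raise BindingError("clID does not match transport identity")
        self.clid, self.bound_fp = clid, channel_fp

    def command(self, name, channel_fp):
        # Re-check on every command so the session cannot continue over a
        # channel that was authenticated as a different party.
        if self.clid is None:
            raise BindingError("not logged in")
        if not hmac.compare_digest(self.bound_fp, channel_fp):
            raise BindingError("transport identity changed mid-session")
        return f"{name} accepted for {self.clid}"


def try_login(clid, channel_fp):
    """Return True if a login with a correct password would be bound."""
    try:
        EppSession().login(clid, True, channel_fp)
        return True
    except BindingError:
        return False
```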