Last Call Review of draft-hollenbeck-rfc4930bis-
review-hollenbeck-rfc4930bis-secdir-lc-meadows-2009-07-18-00

Request Review of draft-hollenbeck-rfc4930bis
Requested revision No specific revision (document currently at 02)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2009-07-14
Requested 2009-05-19
Authors Scott Hollenbeck
I-D last updated 2009-07-18
Completed reviews Secdir Last Call review of -?? by Catherine Meadows
Assignment Reviewer Catherine Meadows
State Completed
Request Last Call review on draft-hollenbeck-rfc4930bis by Security Area Directorate Assigned
Completed 2009-07-18
I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG. These comments
were written primarily for the benefit of the security area directors.
Document editors and WG chairs should treat these comments just like any other
last call comments.

Note: I recently submitted a review of draft-hollenbeck-rfc4933bis-02. That
was a mistake on my part; that was not the document I was supposed to review.
Sandy Murphy is down for reviewing that one. I am supposed to review this one.
This document is the update of the base specification of EPP, and so is
related to rfc4933bis-02.

I've also had some discussion with Sandy about the issue she raised with
respect to draft-hollenbeck-rfc4933bis-02. That is actually what I first
thought it was: EPP only does a weak form of authentication. So it depends on
strong authentication done at the transport level or application level.
However, there is nothing in the document that I can see that says that the
EPP ID must match the transport ID. Thus, if it is relying on the
authentication being done at the transport level, there appears to be nothing
to prevent the transport level channel being replaced by another one at some
point. I am not enough of an expert on EPP to make a definite recommendation
as to how or whether this needs to be addressed, but I feel that this is
something that needs to be brought to the attention of the IESG and discussed
in the next telechat. If the issue does need to be addressed, rfc4930bis is
the place where it should be handled.

Catherine Meadows
Naval Research Laboratory
Code 5543
4555 Overlook Ave., S.W.
Washington DC, 20375
phone: 202-767-3490
fax: 202-404-7942
email: catherine.meadows at nrl.navy.mil
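
The binding the review finds missing (EPP ID matched to transport ID, and kept matched for the life of the session), as an added example that is not part of the review or of the draft. It assumes TLS client certificates pinned per registrar by SHA-256 fingerprint; the registrar table, the `BoundSession` class and all sample values are hypothetical, and the EPP password check is left out.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

EPP_NS = {"epp": "urn:ietf:params:xml:ns:epp-1.0"}

def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded client certificate."""
    return hashlib.sha256(cert_der).hexdigest()

# Constructed sample data: stand-in certificate bytes and a registrar table
# mapping each EPP client ID to the certificate provisioned for it (assumption).
CERT_A = b"constructed-der-bytes-registrar-a"
CERT_B = b"constructed-der-bytes-registrar-b"
REGISTRARS = {"ClientA": fingerprint(CERT_A), "ClientB": fingerprint(CERT_B)}

LOGIN_XML = """<epp xmlns="urn:ietf:params:xml:ns:epp-1.0">
  <command><login><clID>ClientA</clID><pw>constructed-pw</pw></login></command>
</epp>"""

def login_client_id(xml_text: str) -> str:
    """Extract <clID> from an EPP <login> command."""
    node = ET.fromstring(xml_text).find("epp:command/epp:login/epp:clID", EPP_NS)
    if node is None or not node.text:
        raise ValueError("no clID in login")
    return node.text.strip()

class BoundSession:
    """Ties the EPP identity to the transport identity seen at login."""

    def __init__(self):
        self.cl_id = None
        self.peer_fp = None

    def login(self, xml_text: str, peer_cert_der: bytes) -> bool:
        cl_id = login_client_id(xml_text)
        fp = fingerprint(peer_cert_der)
        expected = REGISTRARS.get(cl_id)
        # The EPP ID must match the transport ID, not merely be a known ID.
        if expected is None or not hmac.compare_digest(expected, fp):
            return False
        self.cl_id, self.peer_fp = cl_id, fp
        return True

    def authorize(self, peer_cert_der: bytes) -> bool:
        # Re-checked on every command, so a replaced channel is rejected.
        return self.peer_fp is not None and hmac.compare_digest(
            self.peer_fp, fingerprint(peer_cert_der))
```
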