Last Call Review of draft-ietf-abfab-arch-10
review-ietf-abfab-arch-10-secdir-lc-yu-2014-01-23-00
Request | Review of | draft-ietf-abfab-arch |
---|---|---|
Requested revision | No specific revision (document currently at 13) | |
Type | Last Call Review | |
Team | Security Area Directorate (secdir) | |
Deadline | 2014-01-17 | |
Requested | 2014-01-09 | |
Authors | Josh Howlett , Sam Hartman , Hannes Tschofenig , Jim Schaad | |
I-D last updated | 2014-01-23 | |
Completed reviews |
Genart Last Call review of -10
by Vijay K. Gurbani
(diff)
Genart Telechat review of -12 by Vijay K. Gurbani (diff) Secdir Last Call review of -10 by Taylor Yu (diff) Secdir Telechat review of -12 by Taylor Yu (diff) |
|
Assignment | Reviewer | Taylor Yu |
State | Completed | |
Request | Last Call review on draft-ietf-abfab-arch by Security Area Directorate Assigned | |
Reviewed revision | 10 (document currently at 13) | |
Result | Has issues | |
Completed | 2014-01-23 |
review-ietf-abfab-arch-10-secdir-lc-yu-2014-01-23-00
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. Summary: ready with issues The Security Considerations (section 5) appears incomplete. The next-to-last paragraph of the Security Considerations text is: Partial list of issues to be addressed in this section: Privacy, SAML, Trust Anchors, EAP Algorithm Selection, Diameter/RADIUS/AAA Issues, Naming of Entities, Protection of passwords, Channel Binding, End-point-connections (TLS), Proxy problems The bulk of the Security Considerations adequately describes the security properties of the different communication channels. Section 4 is Privacy Considerations, so maybe just make a cross-reference to it in Security Considerations? If the other listed "to be addressed" security considerations are already described elsewhere in the document, possibly summarize them in section 5 and provide cross-references? The final paragraph of section 5 describes privacy considerations related to reverse engineering of pseudonyms, but this text seems to be logically disconnected from the rest of the section. Maybe it belongs in section 4?