Last Call Review of draft-ietf-acme-dtnnodeid-07
review-ietf-acme-dtnnodeid-07-secdir-lc-smyslov-2021-11-29-00
Section | Field | Value
---|---|---
Request | Review of | draft-ietf-acme-dtnnodeid
Request | Requested revision | No specific revision (document currently at 16)
Request | Type | Last Call Review
Request | Team | Security Area Directorate (secdir)
Request | Deadline | 2021-11-29
Request | Requested | 2021-11-15
Request | Authors | Brian Sipos
Request | I-D last updated | 2021-11-29
Request | Completed reviews | Opsdir Last Call review of -07 by Linda Dunbar; Secdir Last Call review of -07 by Valery Smyslov; Genart Last Call review of -07 by Joel M. Halpern; Opsdir Telechat review of -10 by Linda Dunbar
Assignment | Reviewer | Valery Smyslov
Assignment | State | Completed
Assignment | Request | Last Call review on draft-ietf-acme-dtnnodeid by Security Area Directorate Assigned
Assignment | Posted at | https://mailarchive.ietf.org/arch/msg/secdir/_3mih2mI1Td1L0eN_Q2a_Dtplnc
Assignment | Reviewed revision | 07 (document currently at 16)
Assignment | Result | Has issues
Assignment | Completed | 2021-11-29
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

The draft specifies an extension to the Automated Certificate Management Environment (ACME) protocol that allows certificates to be automatically issued and managed for nodes in Delay-Tolerant Networking (DTN) networks.

Issues.

I was hesitating whether it is a real issue or just my lack of understanding of the protocol, but finally decided to mark it as an issue. Section 5.1 states that a CSR MAY contain a mixed set of SAN claims, including combinations of "ip", "dns", and "bundleEID" claims. However, this document only defines how an ACME server can validate a "bundleEID" claim. I think that the document should at least mention how "dns" and "ip" claims should be validated (pointing to the appropriate specs).

Nits.

The document uses both MUST and SHALL keywords. Not a problem, but I think readability of the document would increase if only one of these forms were used.

Section 7.6. I think that it should be mentioned more explicitly that these channels must provide mutual authentication of the ACME client/server and corresponding BP agents, and that the channels must protect the integrity and authenticity of the messages, and in some situations (when the client account key thumbprint is transmitted) also their confidentiality. These are standard security services and I think it's better to use these terms.