Early Review of draft-ietf-drinks-spp-framework-
review-ietf-drinks-spp-framework-secdir-early-hoffman-2012-08-21-00

Request Review of draft-ietf-drinks-spp-framework
Requested rev. no specific revision (document currently at 12)
Type Early Review
Team Security Area Directorate (secdir)
Deadline 2015-02-17
Requested 2012-08-10
Authors Kenneth Cartwright, Vikas Bhatia, Syed Ali, David Schwartz
Draft last updated 2012-08-21
Completed reviews Genart Last Call review of -09 by Peter Yee (diff)
Genart Telechat review of -09 by Peter Yee (diff)
Secdir Early review of -?? by Paul Hoffman
Assignment Reviewer Paul Hoffman
State Completed
Review review-ietf-drinks-spp-framework-secdir-early-hoffman-2012-08-21
Review result Ready with Nits
Review completed: 2012-08-21

Review
review-ietf-drinks-spp-framework-secdir-early-hoffman-2012-08-21

Greetings. I have been requested to review draft-ietf-drinks-spp-framework for the Security Directorate. This review is being done during WG Last Call instead of IETF Last Call as a special request. I note that literally no one has spoken up in the WG during WG Last Call since it began three weeks ago.

SPPF is a protocol for provisioning session establishment data into data registries and SIP service providers. Well, actually it's not. It is a description of the data format and some handwaving about how to transport that data. The mandatory-to-implement transport is listed in a different document, draft-ietf-drinks-spp-protocol-over-soap (for which there is no reference in this document...).

The transport protocol requirements listed in section 4 of this document are fairly generic, as are the security requirements. The descriptions of the transport requirements are fine. The security requirements are not so great: while servers MUST be able to authenticate clients, confidentiality and integrity protection SHOULD be provided. Given that the mandatory-to implement transport is SOAP, this approximately translates to "must do some sort or minimal client authentication, should consider using TLS but lots of clients and servers probably won't actually do it". I think that undershoots moderns security practices, which would have TLS be mandatory.

Even though this is a security review, I cannot resist a non-security question: SOAP? In 2012? Really? <sigh>

--Paul Hoffman