Skip to main content

Early Review of draft-ietf-drinks-spp-framework-
review-ietf-drinks-spp-framework-secdir-early-hoffman-2012-08-21-00

Request Review of draft-ietf-drinks-spp-framework
Requested revision No specific revision (document currently at 12)
Type Early Review
Team Security Area Directorate (secdir)
Deadline 2015-02-17
Requested 2012-08-10
Authors Kenneth Cartwright , Vikas Bhatia , Syed Ali , David Schwartz
I-D last updated 2012-08-21
Completed reviews Genart Last Call review of -09 by Peter E. Yee (diff)
Genart Telechat review of -09 by Peter E. Yee (diff)
Secdir Early review of -?? by Paul E. Hoffman
Assignment Reviewer Paul E. Hoffman
State Completed
Request Early review on draft-ietf-drinks-spp-framework by Security Area Directorate Assigned
Result Ready w/nits
Completed 2012-08-21
review-ietf-drinks-spp-framework-secdir-early-hoffman-2012-08-21-00
Greetings. I have been requested to review draft-ietf-drinks-spp-framework for
the Security Directorate. This review is being done during WG Last Call instead
of IETF Last Call as a special request. I note that literally no one has spoken
up in the WG during WG Last Call since it began three weeks ago.

SPPF is a protocol for provisioning session establishment data into data
registries and SIP service providers. Well, actually it's not. It is a
description of the data format and some handwaving about how to transport that
data. The mandatory-to-implement transport is listed in a different document,
draft-ietf-drinks-spp-protocol-over-soap (for which there is no reference in
this document...).

The transport protocol requirements listed in section 4 of this document are
fairly generic, as are the security requirements. The descriptions of the
transport requirements are fine. The security requirements are not so great:
while servers MUST be able to authenticate clients, confidentiality and
integrity protection SHOULD be provided. Given that the mandatory-to implement
transport is SOAP, this approximately translates to "must do some sort or
minimal client authentication, should consider using TLS but lots of clients
and servers probably won't actually do it". I think that undershoots moderns
security practices, which would have TLS be mandatory.

Even though this is a security review, I cannot resist a non-security question:
SOAP? In 2012? Really? <sigh>

--Paul Hoffman