
Telechat Review of draft-ietf-drip-auth-46
review-ietf-drip-auth-46-intdir-telechat-bernardos-2024-01-29-00

Request: Review of draft-ietf-drip-auth
Requested revision: No specific revision (document currently at 49)
Type: Telechat Review
Team: Internet Area Directorate (intdir)
Deadline: 2024-01-26
Requested: 2024-01-18
Requested by: Éric Vyncke
Authors: Adam Wiethuechter, Stuart W. Card, Robert Moskowitz
I-D last updated: 2024-01-29
Completed reviews:
  Tsvart Last Call review of -43 by Gorry Fairhurst (diff)
  Dnsdir Last Call review of -43 by Di Ma (diff)
  Dnsdir Telechat review of -46 by Di Ma (diff)
  Iotdir Telechat review of -45 by Behcet Sarikaya (diff)
  Intdir Telechat review of -46 by Carlos J. Bernardos (diff)
  Secdir Early review of -05 by Rich Salz (diff)
  Genart Early review of -24 by Matt Joras (diff)
Assignment:
  Reviewer: Carlos J. Bernardos
  State: Completed
  Request: Telechat review on draft-ietf-drip-auth by Internet Area Directorate Assigned
  Posted at: https://mailarchive.ietf.org/arch/msg/int-dir/pWjgQt9gHU9yRhNcoPE3VXxYCX8
  Reviewed revision: 46 (document currently at 49)
  Result: Ready w/nits
  Completed: 2024-01-29
I am an assigned INT directorate reviewer for <draft-ietf-drip-auth>. These
comments were written primarily for the benefit of the Internet Area Directors.
Document editors and shepherd(s) should treat these comments just like they
would treat comments from any other IETF contributors and resolve them along
with any other Last Call comments that have been received. For more details on
the INT Directorate, see https://datatracker.ietf.org/group/intdir/about/.

Please note that this particular document is really outside of my area of
expertise [1].

Based on my review, if I were on the IESG I would ballot this document as NO
OBJECTION.

The only issue/comment I have is on the use of the DNS indicated in the
document:

   An Observer SHOULD query DNS for the UA's HI.  If not available it
   may have been revoked.  Note that accurate revocation status is a
   DIME inquiry; DNS non-response is a hint that a DET is expired or
   revoked.  It MAY be retrieved from a local cache, if present.  The
   local cache is typically populated by DNS lookups and/or by received
   Broadcast Endorsements (Section 3.1.2).

I think additional details would be helpful on the DNS security mechanisms that
are assumed to be in place for this to work (or to make this not subject to
attacks).

The following are minor issues (typos, misspelling, minor text improvements)
with the document:

- Expand DRIP in the introduction (it is done in the abstract, but I think it
improves readability if it is also done the first time the term is used in the
main body of the document).

Thanks,

Carlos

[1] I should have probably realized this when assigning this document to myself
for review, thus I owe another apology.
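The following is an added illustration, not part of the review above nor code from the draft or its authors. It models the lookup order the quoted draft text describes (local cache, then DNS, with a DNS non-answer treated only as a hint rather than as proof of revocation) and makes the reviewer's point concrete: an Observer that accepts only DNSSEC-validated answers (the AD bit from a validating resolver) is not fooled by an unvalidated response. The `Observer` class, the `Outcome` values, the `resolve` callback, the constructed `FAKE_ZONE` records and the way a DET is turned into a query name are all assumptions made for this example; the draft's actual DNS naming and Broadcast Endorsement verification are out of scope here and are assumed to happen elsewhere.

```python
"""Constructed model of the HI lookup sketched in draft-ietf-drip-auth:
check the local cache, then query DNS, and treat "no answer" as a hint
that must be confirmed via DIME. All names here are example assumptions."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, Optional, Tuple


class Outcome(Enum):
    CACHE_HIT = "HI taken from local cache"
    DNS_VALIDATED = "HI taken from a DNSSEC-validated DNS answer"
    DNS_UNVALIDATED = "DNS answer lacked validation and was rejected"
    NO_ANSWER = "no HI found: hint only, confirm revocation status via DIME"


@dataclass
class DnsAnswer:
    hi: Optional[bytes]   # None models NXDOMAIN, NODATA or a timeout
    ad: bool = False      # AD (Authenticated Data) bit set by a validating resolver


@dataclass
class Observer:
    # resolve(query_name) -> DnsAnswer; injected so the example runs offline
    resolve: Callable[[str], DnsAnswer]
    require_dnssec: bool = True
    cache: Dict[str, bytes] = field(default_factory=dict)

    def learn_from_endorsement(self, det: str, hi: bytes) -> None:
        # Assumption: the caller has already verified the Broadcast
        # Endorsement signature before populating the cache from it.
        self.cache[det] = hi

    def lookup_hi(self, det: str) -> Tuple[Outcome, Optional[bytes]]:
        # 1. Local cache (populated by earlier DNS lookups or endorsements).
        if det in self.cache:
            return Outcome.CACHE_HIT, self.cache[det]
        # 2. DNS. The query-name derivation below is a placeholder, not the
        #    draft's real naming scheme.
        answer = self.resolve(f"{det}.example")
        if answer.hi is None:
            # Non-response is only a hint of expiry/revocation, never proof.
            return Outcome.NO_ANSWER, None
        if self.require_dnssec and not answer.ad:
            # The reviewer's concern: without DNSSEC an attacker-supplied
            # or spoofed answer would be accepted here.
            return Outcome.DNS_UNVALIDATED, None
        self.cache[det] = answer.hi   # populate cache from a validated answer
        return Outcome.DNS_VALIDATED, answer.hi


# Constructed zone data for the offline demo (not real DETs or HIs).
FAKE_ZONE: Dict[str, DnsAnswer] = {
    "det-a.example": DnsAnswer(hi=b"HI-A", ad=True),    # validated
    "det-b.example": DnsAnswer(hi=b"HI-B", ad=False),   # unvalidated path
}


def fake_resolve(name: str) -> DnsAnswer:
    return FAKE_ZONE.get(name, DnsAnswer(hi=None))


def demo() -> Dict[str, Outcome]:
    """Run the lookup for four constructed DETs and report each outcome."""
    obs = Observer(resolve=fake_resolve)
    obs.learn_from_endorsement("det-c", b"HI-C")  # learned from a broadcast
    results = {det: obs.lookup_hi(det)[0] for det in ("det-a", "det-b", "det-c", "det-d")}
    # A second lookup of det-a must now be served from the cache.
    results["det-a-again"] = obs.lookup_hi("det-a")[0]
    return results


if __name__ == "__main__":
    for det, outcome in demo().items():
        print(f"{det:12s} -> {outcome.value}")
```

Setting `require_dnssec=False` shows the weaker behaviour the reviewer is worried about: `det-b` would then be accepted and cached even though nothing authenticated the answer.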