Last Call Review of draft-ietf-kitten-gssapi-naming-exts-
review-ietf-kitten-gssapi-naming-exts-secdir-lc-harkins-2010-07-30-00

Request: Review of draft-ietf-kitten-gssapi-naming-exts
Requested rev.: no specific revision (document currently at 15)
Type: Last Call Review
Team: Security Area Directorate (secdir)
Deadline: 2010-07-23
Requested: 2010-07-11
Review State: Completed
Reviewer: Dan Harkins
Review: review-ietf-kitten-gssapi-naming-exts-secdir-lc-harkins-2010-07-30
Posted at: http://www.ietf.org/mail-archive/web/secdir/current/msg01884.html
Draft last updated: 2010-07-30
Review completed: 2010-07-30

Review
review-ietf-kitten-gssapi-naming-exts-secdir-lc-harkins-2010-07-30

  Hello,

  I have reviewed draft-ietf-kitten-gssapi-naming-exts as part of the
security directorate's ongoing effort to review all IETF documents being
processed by the IESG. These comments were written primarily for the
benefit of the security area directors. Document editors and WG chairs
should treat these comments just like any other last call comments.

  This draft extends the GSS-API naming model to include support for
"name attributes". This support can be used by an application to make
authorization decisions. I found no problems in the draft that the
ADs should take special note of.

  The draft is well-written and introduces and uses terminology well,
with one nit. It introduces terms with certain marking and then uses
them either without the marking (which is fine) or with some other
marking. For instance, "An attribute is 'authenticated' iff...." and
then the concept of an authenticated attribute is used without the
single quote. But sometimes attributes "MUST be represented as
*authenticated* GSS-API name attributes named using the _same_ OID
mapped to a URN." OK, so what's the significance of the asterisks now?
And the underscore? I found no value in these marks and suggest removing
them. If the authors intend for the marks to convey some meaning then
perhaps a Notations section is in order.

  One last nit: Section 6.2.1 refers to "(see comment above)" which should
be "(see Section 5)".

  regards,

  Dan.