
Last Call Review of draft-ietf-lamps-rfc6712bis-07
review-ietf-lamps-rfc6712bis-07-secdir-lc-kaufman-2024-10-31-00

Request: Review of draft-ietf-lamps-rfc6712bis
Requested revision: No specific revision (document currently at 09)
Type: Last Call Review
Team: Security Area Directorate (secdir)
Deadline: 2024-10-23
Requested: 2024-10-09
Authors: Hendrik Brockhaus, David von Oheimb, Mike Ounsworth, John Gray
I-D last updated: 2024-10-31
Completed reviews:
  Tsvart Last Call review of -07 by Lars Eggert
  Genart Last Call review of -07 by Meral Shirazipour
  Secdir Last Call review of -07 by Charlie Kaufman
  Artart Last Call review of -07 by Claudio Allocchio
  Opsdir Last Call review of -07 by Mohamed Boucadair
  Httpdir Last Call review of -07 by Lucas Pardue
Assignment: Reviewer Charlie Kaufman
State: Completed
Request: Last Call review on draft-ietf-lamps-rfc6712bis by Security Area Directorate Assigned
Posted at: https://mailarchive.ietf.org/arch/msg/secdir/M00ZTwfPsGmXUdIkXusbQXCuOno
Reviewed revision: 07 (document currently at 09)
Result: Ready
Completed: 2024-10-28
Reviewer: Charlie Kaufman
Review result: Ready

I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG. These
comments were written primarily for the benefit of the security area directors.
Document editors and WG chairs should treat these comments just like any other
last call comments.

This document describes existing deployments of CMP over HTTP, and I found
nothing objectionable in it from a security standpoint. I found two issues that
others might find objectionable and the authors might consider, so I'll mention
them here:

1) It says that "Implementations MUST support HTTP/1.0 [RFC1945] and SHOULD
support HTTP/1.1 [RFC9112]." That statement will be out of date someday, and
it's not clear what benefit there is to including it.

2) The protocol does not require use of TLS. In fact, the strongest statement
it makes is "might want to consider using HTTP over TLS according to [RFC9110]
or virtual private networks created, for example, by utilizing Internet
Protocol Security according to [RFC4301]." While there is no cryptographically
secret information communicated over CMP, someone impersonating a server could
impose serious delays and perhaps confusion to clients. Further, the names from
certificates being requested might be sensitive in some scenarios. The authors
might want to consider stronger language on this subject.

      —Charlie
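The two points above concern the transport framing that rfc6712bis specifies (a DER-encoded CMP PKIMessage carried as the body of an HTTP POST with Content-Type application/pkixcmp, answered by a 200 OK with another PKIMessage under the same content type) and the fact that the draft does not require TLS. The following is an added illustration written for this page; it is not code from the draft, its authors, or the reviewer. It frames a request, parses a response, and adds the kind of policy the reviewer is asking for: refusing plain http:// by default, because nothing in the HTTP transport itself authenticates the CA/RA or hides the names in the certificate request. The URL ca.example.test, the byte string standing in for a PKIMessage, and the `require_tls` parameter are assumptions made for the example.

```python
"""Minimal CMP-over-HTTP framing as specified by RFC 6712 / rfc6712bis.

The transport is deliberately thin: the DER-encoded CMP PKIMessage is the
body of an HTTP POST with Content-Type application/pkixcmp, and the server
answers with 200 OK carrying another PKIMessage under the same content type.
This module builds the request bytes, parses the response bytes, and adds a
policy the specification does not impose: refuse plain http:// unless the
caller explicitly allows it, since the transport alone does not authenticate
the server or hide the requested names.
"""
from urllib.parse import urlsplit

CMP_CONTENT_TYPE = "application/pkixcmp"

# Constructed placeholder for a DER-encoded PKIMessage (SEQUENCE { INTEGER 2 }).
# A real PKIMessage is much larger; the transport treats it as opaque bytes.
SAMPLE_PKIMESSAGE = bytes.fromhex("3003020102")


def check_transport(url, require_tls=True):
    """Return the split URL if its scheme satisfies the TLS policy."""
    parts = urlsplit(url)
    if parts.scheme == "https":
        return parts
    if parts.scheme == "http" and not require_tls:
        return parts
    raise ValueError(
        f"refusing CMP over {parts.scheme!r}: the server is not authenticated "
        "and requested names are exposed; use https:// or set require_tls=False"
    )


def build_cmp_request(url, pkimessage, require_tls=True, http_version="1.1"):
    """Frame one PKIMessage as an HTTP POST body with the CMP content type."""
    parts = check_transport(url, require_tls)
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    head = (
        f"POST {target} HTTP/{http_version}\r\n"
        f"Host: {parts.netloc}\r\n"
        f"Content-Type: {CMP_CONTENT_TYPE}\r\n"
        f"Content-Length: {len(pkimessage)}\r\n"
        "Connection: close\r\n"
        "\r\n"
    )
    return head.encode("ascii") + bytes(pkimessage)


def parse_cmp_response(raw):
    """Extract the PKIMessage body from raw HTTP response bytes.

    Accepts only 200 OK with Content-Type application/pkixcmp, which is what
    a successful CMP exchange over HTTP looks like; any HTTP-level error
    (4xx/5xx) carries no CMP message and is surfaced as a ValueError so the
    caller does not try to DER-decode an HTML error page.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP response head")
    lines = head.decode("iso-8859-1").split("\r\n")
    version, _, rest = lines[0].partition(" ")
    status = rest.split(" ", 1)[0]
    if not version.startswith("HTTP/1."):
        raise ValueError(f"unexpected status line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if status != "200":
        raise ValueError(f"HTTP status {status}: no CMP message to parse")
    ctype = headers.get("content-type", "").split(";", 1)[0].strip().lower()
    if ctype != CMP_CONTENT_TYPE:
        raise ValueError(f"unexpected Content-Type {ctype!r}")
    length = int(headers.get("content-length", len(body)))
    if len(body) < length:
        raise ValueError("truncated response body")
    return body[:length]


if __name__ == "__main__":
    req = build_cmp_request("https://ca.example.test/pkix/", SAMPLE_PKIMESSAGE)
    print(req.decode("iso-8859-1"))
```

The TLS check is a client-side policy layered on top of the draft, not something the draft mandates; the point of the `require_tls` default is that an operator has to opt in to the unauthenticated transport rather than get it silently. Note that CMP messages are themselves integrity-protected, so TLS here protects against the delays, misdirection and name disclosure the reviewer mentions, not the authenticity of the PKIMessage contents.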