Last Call Review of draft-ietf-lamps-rfc6712bis-07
review-ietf-lamps-rfc6712bis-07-secdir-lc-kaufman-2024-10-31-00
| Request | Review of draft-ietf-lamps-rfc6712bis |
|---|---|
| Requested revision | No specific revision (document currently at 09) |
| Type | Last Call Review |
| Team | Security Area Directorate (secdir) |
| Deadline | 2024-10-23 |
| Requested | 2024-10-09 |
| Authors | Hendrik Brockhaus, David von Oheimb, Mike Ounsworth, John Gray |
| I-D last updated | 2024-10-31 |
| Completed reviews | Tsvart Last Call review of -07 by Lars Eggert; Genart Last Call review of -07 by Meral Shirazipour; Secdir Last Call review of -07 by Charlie Kaufman; Artart Last Call review of -07 by Claudio Allocchio; Opsdir Last Call review of -07 by Mohamed Boucadair; Httpdir Last Call review of -07 by Lucas Pardue |
| Assignment | Reviewer: Charlie Kaufman |
| State | Completed |
| Request | Last Call review on draft-ietf-lamps-rfc6712bis by Security Area Directorate Assigned |
| Posted at | https://mailarchive.ietf.org/arch/msg/secdir/M00ZTwfPsGmXUdIkXusbQXCuOno |
| Reviewed revision | 07 (document currently at 09) |
| Result | Ready |
| Completed | 2024-10-28 |
Reviewer: Charlie Kaufman
Review result: Ready

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

This document describes existing deployments of CMP over HTTP, and I found nothing objectionable in it from a security standpoint. I found two issues that others might find objectionable and the authors might consider, so I'll mention them here:

1) It says that "Implementations MUST support HTTP/1.0 [RFC1945] and SHOULD support HTTP/1.1 [RFC9112]." That statement will be out of date someday, and it's not clear what benefit there is to including it.

2) The protocol does not require use of TLS. In fact, the strongest statement it makes is "might want to consider using HTTP over TLS according to [RFC9110] or virtual private networks created, for example, by utilizing Internet Protocol Security according to [RFC4301]." While there is no cryptographically secret information communicated over CMP, someone impersonating a server could impose serious delays and perhaps confusion to clients. Further, the names from certificates being requested might be sensitive in some scenarios. The authors might want to consider stronger language on this subject.

—Charlie
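The reviewer's second point is that the draft leaves TLS optional, so a client that follows only the MUST-level text may talk to an impersonated server. The following is an added example of how a CMP-over-HTTP client could enforce a transport policy on its own side; it is not code from the draft, from the reviewer or from any CMP implementation. It assumes a hypothetical endpoint URL, treats "plaintext allowed" as an explicit opt-in for the VPN/IPsec deployment the draft mentions, and uses `application/pkixcmp`, the media type RFC 6712 registers for CMP messages, in the POST.

```python
"""Transport-policy check for a CMP-over-HTTP client (added example, not the draft's code)."""
import http.client
import ssl
from urllib.parse import urlsplit

# Policy choice assumed for this example: refuse anything below TLS 1.2.
MIN_TLS = ssl.TLSVersion.TLSv1_2
CMP_MEDIA_TYPE = "application/pkixcmp"  # media type registered by RFC 6712


def cmp_transport_policy(url: str, allow_plain_http: bool = False):
    """Return (host, port, ssl_context) for a CMP endpoint URL, or raise ValueError.

    ssl_context is None only when plaintext HTTP was explicitly allowed, which a
    deployment would do when the path is already protected, e.g. inside an IPsec VPN.
    Any other non-TLS scheme is refused, so an impersonated server cannot be reached
    by accident just because the URL was misconfigured.
    """
    parts = urlsplit(url)
    if not parts.hostname:
        raise ValueError("CMP endpoint URL has no host")
    if parts.scheme == "https":
        # Default context: CERT_REQUIRED, hostname check on, system trust store.
        ctx = ssl.create_default_context()
        ctx.minimum_version = MIN_TLS
        return parts.hostname, parts.port or 443, ctx
    if parts.scheme == "http" and allow_plain_http:
        return parts.hostname, parts.port or 80, None
    raise ValueError(f"refusing CMP transport over {parts.scheme!r} without TLS")


def post_cmp_message(url: str, body: bytes, allow_plain_http: bool = False) -> bytes:
    """POST one DER-encoded CMP message and return the response body (network call)."""
    host, port, ctx = cmp_transport_policy(url, allow_plain_http)
    if ctx is None:
        conn = http.client.HTTPConnection(host, port, timeout=30)
    else:
        conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=30)
    try:
        conn.request("POST", urlsplit(url).path or "/", body=body,
                     headers={"Content-Type": CMP_MEDIA_TYPE})
        resp = conn.getresponse()
        if resp.status != 200:
            raise RuntimeError(f"CMP server returned HTTP {resp.status}")
        return resp.read()
    finally:
        conn.close()


if __name__ == "__main__":
    # Hypothetical endpoint; the policy check runs without any network access.
    host, port, ctx = cmp_transport_policy("https://ca.example.test/cmp")
    print(host, port, ctx.verify_mode.name, ctx.minimum_version.name)
    # A plaintext URL is rejected unless the caller opts in explicitly.
    try:
        cmp_transport_policy("http://ca.example.test/cmp")
    except ValueError as exc:
        print("rejected:", exc)
```

The policy lives in one function so that the opt-in for plaintext is a deliberate, auditable parameter rather than whatever scheme happened to be in a configuration file; `post_cmp_message` cannot reach a server over a scheme the policy did not approve.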