Last Call Review of draft-ietf-lmap-information-model-17
review-ietf-lmap-information-model-17-secdir-lc-johansson-2017-03-15-00
| Request | Review of | draft-ietf-lmap-information-model |
|---|---|---|
| | Requested revision | No specific revision (document currently at 18) |
| | Type | Last Call Review |
| | Team | Security Area Directorate (secdir) |
| | Deadline | 2017-03-08 |
| | Requested | 2017-02-22 |
| | Authors | Trevor Burbridge, Philip Eardley, Marcelo Bagnulo, Jürgen Schönwälder |
| | I-D last updated | 2017-03-15 |
| | Completed reviews | Secdir Last Call review of -17 by Leif Johansson; Genart Last Call review of -17 by Russ Housley |
| Assignment | Reviewer | Leif Johansson |
| | State | Completed |
| | Request | Last Call review on draft-ietf-lmap-information-model by Security Area Directorate Assigned |
| | Reviewed revision | 17 (document currently at 18) |
| | Result | Has issues |
| | Completed | 2017-03-15 |
Reviewer: Leif Johansson
Review result: Has issues

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

Review:

Section 3.8 begins "A Channel defines a bi-directional communication channel". First of all it is probably a good idea to avoid using the term you're defining in the definition. Also in the text a Channel is described as a URL with the cert or CA of the endpoint but in the channel object definition there is only a reference to the credentials which I understood to be the client authn credential and not the server identity.

This leads me to a larger issue (which may be answered in another LMAP document for all I know): what is the authentication model for LMAP? Specifically, does LMAP assume the standard Web PKI for channel endpoints? If not, then you probably need to specify how to validate the server cert which may lead you to want to represent a private CA (say) in the channel object.

In any case the authentication model should be referenced from the Security Considerations section and clearly match the information model for channels.

Cheers
Leif