Last Call Review of draft-ietf-rmt-flute-revised-
review-ietf-rmt-flute-revised-secdir-lc-cridland-2010-02-20-00

Request Review of draft-ietf-rmt-flute-revised
Requested rev. no specific revision (document currently at 16)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2010-02-12
Requested 2010-01-29
Authors Toni Paila, Rod Walsh, Mike Luby, Vincent Roca, Rami Lehtonen
Draft last updated 2010-02-20
Completed reviews Genart Last Call review of -?? by Francis Dupont
Genart Last Call review of -?? by Francis Dupont
Secdir Last Call review of -?? by Dave Cridland
Assignment Reviewer Dave Cridland
State Completed
Review review-ietf-rmt-flute-revised-secdir-lc-cridland-2010-02-20
Review completed: 2010-02-20

Review
review-ietf-rmt-flute-revised-secdir-lc-cridland-2010-02-20

I reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG. These comments were written primarily for the benefit of the
security area directors. Document editors and WG chairs should treat
these comments just like any other last call comments.

Looking at the extensive, and well structured, security
considerations suggests to me that the general scope of attacks is
well documented. Several options are provided in Section 7.2.2, and
in particular file vs packet level protection seem not to be wholly
described. (It seems to be suggested in other sections that both are
needed).

I also note that the document appears to advise that MIME types can
be deduced from the filename - such deduction has been known to be
susceptible to damage, and I would further note that in the case of
many URIs, there is a provided type already available by (possibly
partial) resolution of the URI.

In general, it's better to discard and replace file extensions based
on the known media type to avoid the "foo.jpg.pif" cases.




Dave.
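
The closing recommendation of the review, sketched as a receiver-side helper. This is an added example, not code from the draft or from the reviewer. The function names, the media-type table and the `.bin` fallback are assumptions made for illustration, and it assumes the receiver already holds a declared media type for the object.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed allowlist (assumption): media type -> the one extension we store under.
CANONICAL_EXT = {
    "image/jpeg": ".jpg",
    "image/png": ".png",
    "text/plain": ".txt",
    "application/pdf": ".pdf",
    "application/xml": ".xml",
}
FALLBACK_EXT = ".bin"  # assumption: unknown types get an extension with no handler


def normalise_type(declared):
    """Lower-case the media type and drop parameters such as '; charset=utf-8'."""
    return (declared or "").split(";", 1)[0].strip().lower()


def _last_segment(location):
    """Last path segment of the supplied URI or name, percent-decoded."""
    path = unquote(urlsplit(location).path).replace("\\", "/")
    return path.rsplit("/", 1)[-1]


def safe_local_name(location, declared_type):
    """Storage name whose extension comes from the declared media type,
    never from the sender-supplied name."""
    # Discard every suffix, not just the last one: 'foo.jpg.pif' -> 'foo'.
    stem = _last_segment(location).split(".", 1)[0]
    # Conservative character set and length; empty stems get a placeholder.
    stem = re.sub(r"[^A-Za-z0-9_-]", "_", stem)[:64] or "file"
    return stem + CANONICAL_EXT.get(normalise_type(declared_type), FALLBACK_EXT)


def extension_disagrees(location, declared_type):
    """True when the supplied name's final extension differs from the canonical
    one for the declared type; a signal worth logging at the receiver."""
    segment = _last_segment(location)
    supplied = "." + segment.rsplit(".", 1)[-1].lower() if "." in segment else ""
    return supplied != CANONICAL_EXT.get(normalise_type(declared_type), FALLBACK_EXT)


if __name__ == "__main__":
    # Constructed sample input.
    print(safe_local_name("http://example.com/pics/foo.jpg.pif", "image/jpeg"))
```
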