Last Call Review of draft-ietf-rmt-flute-revised-

Request Review of draft-ietf-rmt-flute-revised
Requested revision No specific revision (document currently at 16)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2010-02-12
Requested 2010-01-29
Authors Toni Paila, Rod Walsh, Michael Luby, Vincent Roca, Rami Lehtonen
I-D last updated 2010-02-20
Completed reviews Genart Last Call review of -?? by Francis Dupont
Genart Last Call review of -?? by Francis Dupont
Secdir Last Call review of -?? by Dave Cridland
Assignment Reviewer Dave Cridland
State Completed
Review review-ietf-rmt-flute-revised-secdir-lc-cridland-2010-02-20
Completed 2010-02-20
I reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

Looking at the extensive, and well structured, security considerations suggests to me that the general scope of attacks is well documented. Several options are provided in Section 7.2.2, and in particular file vs packet level protection seem not to be wholly described. (It seems to be suggested in other sections that both are


I also note that the document appears to advise that MIME types can be deduced from the filename - such deduction has been known to be susceptible to damage, and I would further note that in the case of many URIs, there is a provided type already available by (possibly partial) resolution of the URI.

In general, it's better to discard and replace file extensions based on the known media type to avoid the "foo.jpg.pif" cases.
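
An added example, not part of the review or the draft: one way a receiver could apply the advice above, dropping every sender-supplied extension and writing one chosen from the declared media type. The function name, the type-to-extension allowlist and the sample URIs are assumptions made for illustration.

```python
import posixpath
from urllib.parse import urlsplit, unquote

# Assumed allowlist: media types this receiver accepts, and the only
# extension it will ever write for each of them.
EXT_FOR_TYPE = {
    "image/jpeg": ".jpg",
    "image/png": ".png",
    "text/plain": ".txt",
    "application/pdf": ".pdf",
}
FALLBACK_EXT = ".bin"  # inert extension for anything not on the allowlist


def local_name(file_uri: str, media_type: str) -> str:
    """Build the on-disk name for a received object.

    The sender-supplied name contributes only a sanitized stem; the
    extension comes from the declared media type, never from the name.
    """
    # Take the last path segment of the URI, decoding percent-escapes and
    # treating backslashes as separators so "..\\x" cannot survive.
    path = unquote(urlsplit(file_uri).path).replace("\\", "/")
    base = posixpath.basename(path)

    # Cut at the FIRST dot: "foo.jpg.pif" -> "foo". Cutting at the last dot
    # would keep "foo.jpg" and leave room for a misleading double extension.
    stem = base.split(".", 1)[0]

    # Keep a conservative character set and a bounded length.
    stem = "".join(c if c.isalnum() or c in "-_" else "_" for c in stem)[:64]
    if not stem:
        stem = "object"  # e.g. the name was ".htaccess" or empty

    # Ignore parameters such as "; charset=utf-8" and compare case-insensitively.
    media = media_type.split(";", 1)[0].strip().lower()
    return stem + EXT_FOR_TYPE.get(media, FALLBACK_EXT)


if __name__ == "__main__":
    # Constructed sample inputs.
    for uri, mtype in [
        ("http://example.com/media/foo.jpg.pif", "image/jpeg"),
        ("http://example.com/a/report.pdf.exe", "application/x-unknown"),
        ("http://example.com/x/..%5C..%5Cevil.txt.scr", "image/png"),
    ]:
        print(uri, "->", local_name(uri, mtype))
```
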