Telechat Review of draft-ietf-roll-security-threats-01
review-ietf-roll-security-threats-01-secdir-telechat-kent-2013-03-21-00
Request | Review of | draft-ietf-roll-security-threats |
---|---|---|
Requested revision | No specific revision (document currently at 11) | |
Type | Telechat Review | |
Team | Security Area Directorate (secdir) | |
Deadline | 2013-03-26 | |
Requested | 2013-03-07 | |
Authors | Tzeta Tsao , Roger Alexander , Mischa Dohler , Vanesa Daza , Angel Lozano , Michael Richardson | |
I-D last updated | 2013-03-21 | |
Completed reviews |
Genart Last Call review of -00
by Peter E. Yee
(diff)
Genart Last Call review of -09 by Peter E. Yee (diff) Genart Telechat review of -10 by Peter E. Yee (diff) Secdir Last Call review of -00 by Stephen Kent (diff) Secdir Telechat review of -01 by Stephen Kent (diff) Rtgdir Last Call review of -09 by Manav Bhatia (diff) |
|
Assignment | Reviewer | Stephen Kent |
State | Completed | |
Request | Telechat review on draft-ietf-roll-security-threats by Security Area Directorate Assigned | |
Reviewed revision | 01 (document currently at 11) | |
Result | Has issues | |
Completed | 2013-03-21 |
review-ietf-roll-security-threats-01-secdir-telechat-kent-2013-03-21-00
SECDIR review of draft-ietf-roll-security-threats-01 I reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. This is a review of the revised version of the -00 draft that I reviewed on 1/17/13. I am very disappointed to see that essentially all of the comments that I made, many of which were easy to address, were ignored. Only my edits of typos seem to have been incorporated. - 3.3: the term sleep node is still used but not defined. - 3.4: several terms used here (misappropriated, legitimacy, and truthfulness) still represent poor choices of terminology, and should be fixed - 4.1.1: sniffing should still be replaced with passive wiretapping, everywhere - 4.2: the authors did not fix the definition of traffic analysis - 4.2.2: “misappropriation”, again - 4.3.1: overload attack mentioned, w/o definition - 4.3.2: selective forwarding, wormhole and sinkhole attacks are mentioned, w/o definitions, still - 5.1.1: still incorrect assertions re countering deliberate exposure, i.e., no mention of authorization - 5.1.2: device compromise is not usually considered as part of passive wiretapping attacks - 5.1.3: TA still mischaracterized as “may be passive” - 5.1.4: I suggested that anti-tamper should be out of scope for this document - 5.2.2: a trivial, brief discussion that is not helpful - 5.2.3: still an oversimplified symmetric vs. asymmetric cryptographic discussion, and the authors did not update the text to a more recent cite that I provided I have chosen to not continue because it appears that NONE of the specific comments I made have been addressed, based on a quick look at the -00 vs. -01 diff file.