Last Call Review of draft-ietf-scim-use-cases-05
review-ietf-scim-use-cases-05-secdir-lc-nystrom-2015-04-09-00

Request Review of draft-ietf-scim-use-cases
Requested rev. no specific revision (document currently at 08)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2015-04-07
Requested 2015-03-26
Other Reviews Genart Last Call review of -05 by Joel Halpern (diff)
Review State Completed
Reviewer Magnus Nystrom
Review review-ietf-scim-use-cases-05-secdir-lc-nystrom-2015-04-09
Posted at https://www.ietf.org/mail-archive/web/secdir/current/msg05581.html
Reviewed rev. 05 (document currently at 08)
Review result Has Nits
Draft last updated 2015-04-09
Review completed: 2015-04-09

Review
review-ietf-scim-use-cases-05-secdir-lc-nystrom-2015-04-09

I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the 

IESG

.
 These comments were written primarily for the benefit of the security 
area directors. Document editors and WG chairs should treat these 
comments just like any other last call comments.

This memo

 describes the "System for Cross-domain Identity Management (SCIM)." SCIM is a companion document to the SCIM Schema memo and the SCIM Protocol memo.

Section 3.5: Shouldn't there also be a requirement for the secure transfer of attributes between A and B based on matters such as A trusting authentication results from B, a means to provide those authentication results securely to B, etc.? Essentially similar to what was presented in Section 3.3?

Section 3.6: Similar comment as for Section 3.5. There seems to be general security requirements missing for these two scenarios?

Section 4: I only glanced the Security Consideration sections referenced here, but they do seem adequate, and given that I don't see that this memo's Security Consideration section need to contain more information. Editorial suggestion: "only authenticated entity" -> "only authenticated entities".

-- Magnus