Last Call Review of draft-ietf-secevent-token-09
review-ietf-secevent-token-09-secdir-lc-housley-2018-04-20-00

Request Review of draft-ietf-secevent-token
Requested revision No specific revision (document currently at 13)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2018-05-03
Requested 2018-04-19
Authors Phil Hunt , Michael B. Jones , William Denniss , Morteza Ansari
I-D last updated 2018-04-20
Completed reviews Secdir Telechat review of -07 by Russ Housley (diff)
Genart Telechat review of -08 by Francis Dupont (diff)
Secdir Last Call review of -09 by Russ Housley (diff)
Assignment Reviewer Russ Housley
State Completed
Request Last Call review on draft-ietf-secevent-token by Security Area Directorate Assigned
Reviewed revision 09 (document currently at 13)
Result Has issues
Completed 2018-04-20
review-ietf-secevent-token-09-secdir-lc-housley-2018-04-20-00
I reviewed this document as part of the Security Directorate's ongoing
effort to review all IETF documents being processed by the IESG.  These
comments were written primarily for the benefit of the Security Area
Directors.  Document authors, document editors, and WG chairs should
treat these comments just like any other IETF Last Call comments.

Document: draft-ietf-secevent-token-09
Reviewer: Russ Housley
Review Date: 2018-04-20
IETF LC End Date: unknown
IESG Telechat date: 2018-05-10

Summary: Has Issues

Major Concerns

I do not understand the first paragraph of Section 3.  I made this
comment on version -07, and some words were added, but I still do
not understand this paragraph.  I think you are trying to impose some
rules on future specifications that use SET to define events.  Let me
ask a couple of questions that may help.  I understand that a
profiling specification MUST specify the syntax and semantics for a
collection of security event tokens, including the claims and payloads
that are expected.  What MUST a profiling specification include?  What
MUST a profiling specification NOT include?