Last Call Review of draft-ietf-sidr-rescerts-provisioning-
review-ietf-sidr-rescerts-provisioning-secdir-lc-sury-2011-08-26-00
| Request | Review of | draft-ietf-sidr-rescerts-provisioning |
|---|---|---|
| Requested revision | No specific revision (document currently at 11) | |
| Type | Last Call Review | |
| Team | Security Area Directorate (secdir) | |
| Deadline | 2011-08-23 | |
| Requested | 2011-06-17 | |
| Authors | Byron Ellacott , Geoff Huston , Robert Loomans , Rob Austein | |
| I-D last updated | 2011-08-26 | |
| Completed reviews |
Secdir Last Call review of -??
by Ondřej Surý
|
|
| Assignment | Reviewer | Ondřej Surý |
| State | Completed | |
| Request | Last Call review on draft-ietf-sidr-rescerts-provisioning by Security Area Directorate Assigned | |
| Completed | 2011-08-26 |
review-ietf-sidr-rescerts-provisioning-secdir-lc-sury-2011-08-26-00
I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG. These comments were written primarily for the benefit of the
security area directors. Document editors and WG chairs should treat
these comments just like any other last call comments.
This I-D is a part of RPKI infrastructure built in the SIDR WG. And
this document defines a framework for certificate management interactions
between a resource issuer and a resource recipient.
I am not following the SIDR working group and thus I found it quite
hard to review this draft. (So sorry for the big delay, it took me
a while to find a time get at least quick introduction into RPKI.)
I read the document and the security considerations and I consider them
well thought, but there are some parts which are a bit confusing for
someone not involved in the whole RPKI stuff.
1. I think that you should move the I-D.sidr-arch and I-D.sidr-res-certs
from Informative to Normative References. The document uses much of the
terminology ("resources", "Resource Certificates", etc.) which cannot be
understood without reading at least those two.
2. In the terminology and the scope you use terms "Certificates"
and "Certificate Authority" and it's not clear if you talk about X.509
or RPKI. I think you should add few sentences from I-D.sidr-res-certs
to explain the very basics of Resource Certificates to the reader of this
draft.
Apart from the difficulty to understand the document I found that all my
concerns from reading the draft were addressed in the security considerations.
However I would recommend to review the security of the output of the SIDR
WG as a whole, because it defines quite an important infrastructure which
will have an impact on the IPv4/6 resource handling. Personally I think
that I may have overlooked something by reviewing just this one document
without thorough review of all related drafts.
O.
--
OndÅej SurÃ
vedoucà vÃzkumu/Head of R&D department
-------------------------------------------
CZ.NIC, z.s.p.o. -- LaboratoÅe CZ.NIC
Americka 23, 120 00 Praha 2, Czech Republic
mailto:ondrej.sury
at nic.cz
http://nic.cz/
tel:+420.222745110 fax:+420.222745112
-------------------------------------------