Last Call Review of draft-ietf-sipcore-subnot-etags-
review-ietf-sipcore-subnot-etags-secdir-lc-hartman-2009-06-25-00

Request: Review of draft-ietf-sipcore-subnot-etags
Requested rev.: no specific revision (document currently at 04)
Type: Last Call Review
Team: Security Area Directorate (secdir)
Deadline: 2009-06-30
Requested: 2009-06-13
Other Reviews:
Review State: Completed
Reviewer: Sam Hartman
Review: review-ietf-sipcore-subnot-etags-secdir-lc-hartman-2009-06-25
Posted at: http://www.ietf.org/mail-archive/web/secdir/current/msg00746.html
Draft last updated: 2009-06-25
Review completed: 2009-06-25

Review

I've reviewed this draft for the security directorate.  My review was
reasonably light, although I believe it was sufficient.

This draft defines a mechanism so that subscribers can avoid a
notification message being generated when they already know the
contents of that notification.

The security considerations section claims that this mechanism does
not change the security properties of the protocol: it is just an
optimization.  I'm fine with the document as it stands.  It's not
inherently true that an optimization of this type doesn't change the
security properties.  For example, if an attacker could modify a
subscribe request and suppress a notification, that might change the
security properties.

However, as far as I can tell, this particular mechanism does not make
any significant changes to the security properties.