
Last Call Review of draft-igoe-secsh-x509v3-

Request: Review of draft-igoe-secsh-x509v3
Requested revision: No specific revision (document currently at 07)
Type: Last Call Review
Team: Security Area Directorate (secdir)
Deadline: 2010-11-30
Requested: 2010-10-14
Authors: Kevin Igoe, Douglas Stebila
I-D last updated: 2010-11-22
Completed reviews: Secdir Last Call review of -?? by David McGrew
Assignment: Reviewer David McGrew
State: Completed
Request: Last Call review on draft-igoe-secsh-x509v3 by Security Area Directorate Assigned
Completed: 2010-11-22
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other review comments.

The document describes how to use X509 and OCSP within SSH. It is clearly written, and the security considerations section is appropriate (it mostly points to the relevant sections in the SSH, X509, and OCSP RFCs).

I have one nit, which is wording that authors might want to change for clarity. Section 4 says "The mapping between certificates and host names is left as an implementation and configuration issue for implementers and system administrators." I believe that what is meant is that "The method that the server uses to verify that the host certificate and key actually belongs to the client host named in the message is out of scope of this note", to use language from RFC 4252.