Last Call Review of draft-seantek-ldap-pkcs9-05
review-seantek-ldap-pkcs9-05-secdir-lc-nir-2016-08-11-00

Request: Review of draft-seantek-ldap-pkcs9
Requested revision: No specific revision (document currently at 08)
Type: Last Call Review
Team: Security Area Directorate (secdir)
Deadline: 2016-08-17
Requested: 2016-07-21
Authors: Sean Leonard
I-D last updated: 2016-08-11
Completed reviews:
  Genart Telechat review of -06 by Matthew A. Miller
  Secdir Last Call review of -05 by Yoav Nir
  Opsdir Last Call review of -05 by Dan Romascanu
Assignment:
  Reviewer: Yoav Nir
  State: Completed
  Request: Last Call review on draft-seantek-ldap-pkcs9 by Security Area Directorate Assigned
  Reviewed revision: 05 (document currently at 08)
  Result: Has nits
  Completed: 2016-08-11
Note: I was assigned draft-seantek-ldap-pkcs9-05, but since version -06 was
available, I reviewed that.

Summary: Ready with nits

The draft adds definitions from PKCS#9 to the IANA registry for LDAP. As such,
the IANA Considerations section is the largest and most important part. The
OIDs in the draft have already been defined in RFC 2985 (PKCS#9), which has a
good Security Considerations section, especially considering that it was written
in 2000. Security considerations for this document are mostly those for LDAP and
for PKCS#9.

Beyond regular LDAP security considerations, some of the attributes defined in
this draft are privacy-sensitive. Section 6 calls out dateOfBirth and
placeOfBirth, but the same could be said for gender and countryOfResidence,
among others.

I would have liked slightly stronger language than "may be subject to privacy
laws in certain jurisdictions". More like "are sensitive and the information
should never be stored or transmitted unencrypted".

One nit about the structure. I believe sections 2, 3, and 5, each occupying
less than two lines, could all be combined into a single paragraph in the
Introduction.

Yoav
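As an added illustration of the "never transmitted unencrypted" point raised in the review (this is editorial example configuration, not part of Yoav Nir's review, the draft, or any IETF document), the following OpenLDAP cn=config access-control fragment shows the weak setting beside a corrected one. It assumes the four attribute types named in the review (dateOfBirth, placeOfBirth, gender, countryOfResidence) are present in the server's schema, a hypothetical HR group at cn=hr,ou=groups,dc=example,dc=com, and an olcDatabase entry at {1}mdb; all of those names are assumptions for the example. The ssf=128 qualifier is OpenLDAP's Security Strength Factor, which is 0 on a cleartext session, so the corrected rule refuses to disclose these attributes over an unprotected connection even to an authorized reader.

```ldif
# --- Weak: privacy-sensitive attributes readable by any authenticated user,
# --- regardless of whether the session is protected by TLS.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=dateOfBirth,placeOfBirth,gender,countryOfResidence
  by self write
  by users read
  by * none
```

```ldif
# --- Corrected: the same attributes are only ever returned on a session whose
# --- security strength factor is at least 128 (TLS with a 128-bit cipher, or
# --- an equivalent SASL confidentiality layer). On a cleartext session ssf is 0,
# --- so the "by * none" clause applies and the attributes are simply withheld.
# --- Read access is also narrowed from all users to an assumed HR group.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=dateOfBirth,placeOfBirth,gender,countryOfResidence
  by ssf=128 self write
  by ssf=128 group.exact="cn=hr,ou=groups,dc=example,dc=com" read
  by * none
```

Apply with `ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif` and verify by searching for one of the attributes over plain ldap:// without StartTLS: the entry should come back with the sensitive attributes absent, while the same search over ldaps:// (or after StartTLS) returns them. The ACL covers transmission only; the review's "never stored unencrypted" half of the recommendation has to be met by encrypting the database volume, which no slapd directive provides.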