Last Call Review of draft-snell-atompub-tombstones-
review-snell-atompub-tombstones-secdir-lc-salowey-2012-02-23-00

Request Review of draft-snell-atompub-tombstones
Requested rev. no specific revision (document currently at 18)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2012-02-28
Requested 2012-01-27
Authors James Snell
Draft last updated 2012-02-23
Completed reviews Genart Last Call review of -?? by Vijay Gurbani
Genart Last Call review of -?? by Vijay Gurbani
Secdir Last Call review of -?? by Joseph Salowey
Assignment Reviewer Joseph Salowey 
State Completed
Review review-snell-atompub-tombstones-secdir-lc-salowey-2012-02-23
Review completed: 2012-02-23

Review
review-snell-atompub-tombstones-secdir-lc-salowey-2012-02-23

I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the 
IESG.  These comments were written primarily for the benefit of the 
security area directors.  Document editors and WG chairs should treat 
these comments just like any other last call comments.

This document defines a XML data format used to remove entries from an atom feed. The document does make use of the XML digital signature and encryption specifications from the W3C to provide integrity, authenticity and confidentiality.  Key management for the encryption is not discussed, however this seems to be consistent with other AtomPub documents.    How a message is authorized is not described in much detail.  In the security considerations there is mention that it is expected that the delete message will be signed using the same key as the particular feed but how to handle this seems to be largely out of scope of the document.   Both of these are not necessarily problems in themselves, but could lead to interop and manageability problems.   Since the deleted entry document may contain an IRI perhaps it would be good to reference the security considerations in RFC 3987. 

Cheers,

Joe