Skip to main content

Last Call Review of draft-snell-atompub-tombstones-

Request Review of draft-snell-atompub-tombstones
Requested revision No specific revision (document currently at 18)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2012-02-28
Requested 2012-01-27
Authors James M. Snell
I-D last updated 2012-02-23
Completed reviews Genart Last Call review of -?? by Vijay K. Gurbani
Genart Last Call review of -?? by Vijay K. Gurbani
Secdir Last Call review of -?? by Joseph A. Salowey
Assignment Reviewer Joseph A. Salowey
State Completed
Review review-snell-atompub-tombstones-secdir-lc-salowey-2012-02-23
Completed 2012-02-23
I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

This document defines a XML data format used to remove entries from an atom
feed. The document does make use of the XML digital signature and encryption
specifications from the W3C to provide integrity, authenticity and
confidentiality.  Key management for the encryption is not discussed, however
this seems to be consistent with other AtomPub documents.    How a message is
authorized is not described in much detail.  In the security considerations
there is mention that it is expected that the delete message will be signed
using the same key as the particular feed but how to handle this seems to be
largely out of scope of the document.   Both of these are not necessarily
problems in themselves, but could lead to interop and manageability problems.  
Since the deleted entry document may contain an IRI perhaps it would be good to
reference the security considerations in RFC 3987.