Last Call Review of draft-wallace-est-alt-challenge-04
review-wallace-est-alt-challenge-04-secdir-lc-melnikov-2016-03-23-00
Request | Review of | draft-wallace-est-alt-challenge |
---|---|---|
Requested revision | No specific revision (document currently at 08) | |
Type | Last Call Review | |
Team | Security Area Directorate (secdir) | |
Deadline | 2016-03-15 | |
Requested | 2016-02-11 | |
Authors | Max Pritikin, Carl Wallace | |
I-D last updated | 2016-03-23 | |
Completed reviews | Genart Last Call review of -04 by Elwyn B. Davies; Genart Telechat review of -05 by Elwyn B. Davies; Secdir Last Call review of -04 by Alexey Melnikov; Opsdir Last Call review of -04 by Rick Casarez | |
Assignment | Reviewer | Alexey Melnikov |
State | Completed | |
Request | Last Call review on draft-wallace-est-alt-challenge by Security Area Directorate Assigned | |
Reviewed revision | 04 (document currently at 08) | |
Result | Ready | |
Completed | 2016-03-23 |
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

This document defines the otpChallenge attribute for use when a one-time password (OTP) value within the CSR is a requirement. The revocationChallenge attribute is defined to allow disambiguated usage of the original challenge password attribute semantics for certificate revocation. The estIdentityLinking attribute is defined to reference existing EST challenge password semantics with no potential for confusion with legacy challenge password practices. These attributes provide disambiguation of the existing overloaded uses for the challengePassword attribute defined in PKCS (Public-Key Cryptography Standards) #9 [RFC2985].

The Security Consideration seems adequate. I found one issue in the ASN.1 module in Appendix A, but it was fixed in the most recent version. So the document is ready for publication.