Last Call Review of draft-ietf-stir-servprovider-oob-05
review-ietf-stir-servprovider-oob-05-secdir-lc-smith-2024-04-29-00
| Field | Value |
|---|---|
| Review of | draft-ietf-stir-servprovider-oob |
| Requested revision | No specific revision (document currently at 06) |
| Type | Last Call Review |
| Team | Security Area Directorate (secdir) |
| Deadline | 2024-03-31 |
| Requested | 2024-03-17 |
| Authors | Jon Peterson |
| I-D last updated | 2024-04-29 |
| Completed reviews | Secdir Last Call review of -05 by Ned Smith; Artart Last Call review of -05 by Thomas Fossati; Genart Last Call review of -05 by Joel M. Halpern; Opsdir Last Call review of -05 by Gyan Mishra; Secdir Last Call review of -06 by Barry Leiba |
| Reviewer | Ned Smith |
| State | Completed |
| Request | Last Call review on draft-ietf-stir-servprovider-oob by Security Area Directorate Assigned |
| Posted at | https://mailarchive.ietf.org/arch/msg/secdir/MVPh-NEyMi7k8hPKMvX_ugWB5BE |
| Reviewed revision | 05 (document currently at 06) |
| Result | Has nits |
| Completed | 2024-04-29 |
- Grammar: "A CPS can use this mechanism s/can authorize/authorizes/ service providers who already hold STIR credentials to submit PASSporTs to a CPS,"
- Grammar: "(or an entity s/contractual/contractually/ acting on their behalf)"
- "If anyone with a STIR certificate is able to publish or access PASSporTs for any telephone number, this would create an intolerable security and privacy vulnerability." Comment: The authors should elaborate on the security vulnerability, as the STIR certificate is presumed to have the same security threats as any traditional certificate. If PASSporTs contain security-sensitive values that are not protected, the conditions under which these secret values could be revealed should be better highlighted. For example, does the author imply RFC8225 has security vulnerabilities?
- Comment: There are several uses of "the STIR out-of-band framework [RFC8816]" while others merely reference "[RFC8816]". Is it sufficient to simply use "STIR" when referring to the framework? The first use of "the STIR out-of-band framework [RFC8816]" seems sufficient to give the reader the reference to RFC8816.