Last Call Review of draft-hoffman-tao-as-web-page-
Requested rev.: no specific revision (document currently at 04)
Type: Last Call Review
Team: Security Area Directorate (secdir)
Draft last updated: 2012-07-13
Genart Last Call review of -?? by Roni Even
Secdir Last Call review of -?? by Taylor Yu
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

The Security Considerations section says: "The Tao is available over TLS at <https://www.ietf.org/tao.html>." This statement seems to imply that protecting the integrity of the Tao while transmitting it to a reader is important. The public nature of the Tao implies that the confidentiality of this channel is also not a significant concern.

It seems odd to make a statement about the integrity of the channel between the reader and the www.ietf.org web server, while saying nothing about the channel that the Tao editor uses. It is likely that an attack on the integrity of the editing channel will have a far greater impact than an attack on the integrity of the reading channel.

On the other hand, malicious manipulation of the Tao will probably at worst mislead newcomers about the workings of the IETF, because the formal process specifications for the IETF are BCP RFCs. Additionally, if the editor of the Tao can only edit a proposed text, rather than the officially published version, the IESG can presumably discover any malicious alterations of the proposed text prior to approving it. It seems reasonable to assume that any process that the IETF Secretariat uses to publish the proposed text after its IESG approval is no less secure than the processes for publishing other official information on the IETF web site.