Telechat Review of draft-ietf-dime-erp-16

Request Review of draft-ietf-dime-erp
Requested rev. no specific revision (document currently at 17)
Type Telechat Review
Team Security Area Directorate (secdir)
Deadline 2013-01-22
Requested 2013-01-10
Authors Julien Bournelle, Lionel Morand, Sebastien Decugis, Qin Wu, Glen Zorn
Draft last updated 2013-01-25
Completed reviews Genart Last Call review of -12 by Elwyn Davies (diff)
Genart Telechat review of -16 by Elwyn Davies (diff)
Secdir Last Call review of -14 by Vincent Roca (diff)
Secdir Telechat review of -16 by Vincent Roca (diff)
Assignment Reviewer Vincent Roca
State Completed
Review review-ietf-dime-erp-16-secdir-telechat-roca-2013-01-25
Reviewed rev. 16 (document currently at 17)
Review result Has Issues
Review completed: 2013-01-25



I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors. Document editors and WG chairs should treat
these comments just like any other last call comments.


Since the security section has not really been updated since version 14, the comments I made at
that time are still valid. Basically:

The security section of this document only refers to the security section of 4 related documents.
This is all the more annoying as draft-ietf-dime-erp introduces new mechanisms (and potentially
new threats and issues). What should I understand? Is the proposal guaranteed to be secure, have
all the potential weaknesses been already addressed in the 4 related documents? I can not
conclude after reading the security section.

One more point. In introduction, the authors say:
"  Security considerations for this key distribution are detailed in Salowey, et al. [RFC5295]."
This reference is not mentioned in the Security Section!