Early Review of draft-ietf-drinks-spp-framework-
review-ietf-drinks-spp-framework-secdir-early-hoffman-2012-08-21-00

• Status
• Email expansions
• History

• Versions
• 00

Review
review-ietf-drinks-spp-framework-secdir-early-hoffman-2012-08-21

Greetings. I have been requested to review draft-ietf-drinks-spp-framework for the Security Directorate. This review is being done during WG Last Call instead of IETF Last Call as a special request. I note that literally no one has spoken up in the WG during WG Last Call since it began three weeks ago.

SPPF is a protocol for provisioning session establishment data into data registries and SIP service providers. Well, actually it's not. It is a description of the data format and some handwaving about how to transport that data. The mandatory-to-implement transport is listed in a different document, draft-ietf-drinks-spp-protocol-over-soap (for which there is no reference in this document...).

The transport protocol requirements listed in section 4 of this document are fairly generic, as are the security requirements. The descriptions of the transport requirements are fine. The security requirements are not so great: while servers MUST be able to authenticate clients, confidentiality and integrity protection SHOULD be provided. Given that the mandatory-to implement transport is SOAP, this approximately translates to "must do some sort or minimal client authentication, should consider using TLS but lots of clients and servers probably won't actually do it". I think that undershoots moderns security practices, which would have TLS be mandatory.

Even though this is a security review, I cannot resist a non-security question: SOAP? In 2012? Really? <sigh>

--Paul Hoffman