Last Call Review of draft-ietf-repute-query-http-09
review-ietf-repute-query-http-09-secdir-lc-emery-2013-08-22-00

Request: Review of draft-ietf-repute-query-http
Requested rev.: no specific revision (document currently at 11)
Type: Last Call Review
Team: Security Area Directorate (secdir)
Deadline: 2013-08-29
Requested: 2013-08-16
Authors: Nathaniel Borenstein, Murray Kucherawy
Draft last updated: 2013-08-22
Completed reviews: Genart Last Call review of -09 by Meral Shirazipour
                   Genart Last Call review of -10 by Meral Shirazipour
                   Secdir Last Call review of -09 by Shawn Emery
Assignment: Reviewer Shawn Emery
State: Completed
Review: review-ietf-repute-query-http-09-secdir-lc-emery-2013-08-22
Reviewed rev.: 09 (document currently at 11)
Review result: Has Nits
Review completed: 2013-08-22

Review
review-ietf-repute-query-http-09-secdir-lc-emery-2013-08-22

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the IESG.
These comments were written primarily for the benefit of the security
area directors. Document editors and WG chairs should treat these
comments just like any other last call comments.

This internet-draft describes a protocol for querying reputation data
via HTTP.  The first part of the protocol retrieves a template that will subsequently
be used as the basis for a URI, which in turn is used to retrieve the reputation
information.

The security considerations section does exist and acknowledges that the base
protocol for retrieving URIs is insecure as well as the retrieval of reputation
data.  The section refers to the URI template and well-known URI RFCs for further
discussions of template exchange security issues and makes an informative reference
to the repute considerations draft for the reputation retrieval.  However, none of the
referenced RFCs or the draft directly talks about the various attacks and how to mitigate
against said attacks.  I would suggest a direct reference if such a document exists.

General comments:

None.

Editorial comments:

s/comprise the/comprise of the/

s/explicitly support support/explicitly support/

s/until finds one/until the client finds one/

Shawn.
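The two-step exchange the review summarizes (fetch a URI template, expand it into the URI used for the reputation query) can be illustrated with a small expander plus the checks a client would want before the second fetch. This is an added example, not code from the review, the draft or the repute working group: the template string, its host and the variable names `application` and `subject` are constructed for this illustration and are not the draft's actual template syntax. The expansion follows RFC 6570 simple-string rules (each `{name}` becomes the percent-encoded value), and the checks address the point the review raises about insecure retrieval by refusing a non-https query URI and one whose host differs from the host the template was obtained from.

```python
import re
from urllib.parse import quote, urlsplit

# Constructed template in RFC 6570 simple-string style. The host, path and the
# variable names are assumptions for this example, not the draft's own template.
EXAMPLE_TEMPLATE = "https://repute.example.net/query/{application}/{subject}"

_VAR = re.compile(r"\{([A-Za-z0-9_]+)\}")


def expand_template(template: str, variables: dict) -> str:
    """RFC 6570 level-1 expansion: every {name} is replaced by the percent-encoded
    value of variables[name]; an undefined variable expands to the empty string.
    Encoding with safe="" means '/', '?', '#' and '@' in a value cannot alter the
    path or authority of the resulting URI."""
    def substitute(match: re.Match) -> str:
        value = variables.get(match.group(1), "")
        return quote(str(value), safe="")
    return _VAR.sub(substitute, template)


def check_query_uri(uri: str, expected_host: str) -> str:
    """Client-side checks before the reputation fetch: require https and require
    the query to go to the host the template was retrieved from, so that a
    tampered or mis-served template cannot redirect the query elsewhere."""
    parts = urlsplit(uri)
    if parts.scheme != "https":
        raise ValueError(f"refusing non-https reputation query URI: {uri}")
    if parts.hostname != expected_host:
        raise ValueError(f"query host {parts.hostname!r} differs from template host {expected_host!r}")
    return uri


def build_query(template: str, expected_host: str, **variables) -> str:
    """Expand the template and validate the result; returns the URI to fetch."""
    return check_query_uri(expand_template(template, variables), expected_host)


if __name__ == "__main__":
    # Constructed inputs: an email-identifier reputation lookup for example.com.
    print(build_query(EXAMPLE_TEMPLATE, "repute.example.net",
                      application="email-id", subject="example.com"))
    # A subject containing reserved characters is encoded, not interpreted.
    print(expand_template(EXAMPLE_TEMPLATE, {"application": "email-id",
                                             "subject": "a/b?c#d"}))
```

The host comparison uses the host the template was fetched from, which is the only anchor the client has for trusting the second request; a template served over plain HTTP gives an attacker on the path the ability to rewrite both the template and, through it, the query destination, which is why the example refuses to proceed unless the expanded URI is https on that same host.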