Last Call Review of draft-ietf-sidr-rescerts-provisioning-
review-ietf-sidr-rescerts-provisioning-secdir-lc-sury-2011-08-26-00

Request: Review of draft-ietf-sidr-rescerts-provisioning
Requested revision: no specific revision (document currently at 11)
Type: Last Call Review
Team: Security Area Directorate (secdir)
Deadline: 2011-08-23
Requested: 2011-06-17
Authors: Byron Ellacott, Geoff Huston, Robert Loomans, Rob Austein
Draft last updated: 2011-08-26
Completed reviews: Secdir Last Call review of -?? by Ondřej Surý
Assignment reviewer: Ondřej Surý
State: Completed
Review: review-ietf-sidr-rescerts-provisioning-secdir-lc-sury-2011-08-26
Review completed: 2011-08-26

Review

I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the 
IESG.  These comments were written primarily for the benefit of the 
security area directors.  Document editors and WG chairs should treat 
these comments just like any other last call comments.

This I-D is a part of the RPKI infrastructure built in the SIDR WG, and
this document defines a framework for certificate management interactions
between a resource issuer and a resource recipient.

I am not following the SIDR working group and thus I found it quite
hard to review this draft.  (So sorry for the big delay, it took me
a while to find the time to get at least a quick introduction to RPKI.)

I read the document and the security considerations and I consider them
well thought out, but there are some parts which are a bit confusing for
someone not involved in the whole RPKI stuff.

1. I think that you should move the I-D.sidr-arch and I-D.sidr-res-certs
from Informative to Normative References.  The document uses much of the
terminology ("resources", "Resource Certificates", etc.) which cannot be
understood without reading at least those two.

2. In the terminology and the scope you use the terms "Certificates"
and "Certificate Authority" and it's not clear if you talk about X.509
or RPKI.  I think you should add a few sentences from I-D.sidr-res-certs
to explain the very basics of Resource Certificates to the reader of this
draft.

Apart from the difficulty of understanding the document, I found that all my
concerns from reading the draft were addressed in the security considerations.
However, I would recommend reviewing the security of the output of the SIDR
WG as a whole, because it defines quite an important infrastructure which
will have an impact on the IPv4/6 resource handling.  Personally I think
that I may have overlooked something by reviewing just this one document
without a thorough review of all related drafts.

O.
--
 Ondřej Surý
 vedoucí výzkumu/Head of R&D department
 -------------------------------------------
 CZ.NIC, z.s.p.o.    --    Laboratoře CZ.NIC
 Americka 23, 120 00 Praha 2, Czech Republic
 mailto:ondrej.sury at nic.cz    http://nic.cz/
 tel:+420.222745110       fax:+420.222745112
 -------------------------------------------