Last Call Review of draft-seantek-ldap-pkcs9-05
review-seantek-ldap-pkcs9-05-secdir-lc-nir-2016-08-11-00

Request Review of draft-seantek-ldap-pkcs9
Requested rev. no specific revision (document currently at 08)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2016-08-17
Requested 2016-07-21
Authors Sean Leonard
Draft last updated 2016-08-11
Completed reviews Genart Telechat review of -06 by Matthew Miller
Secdir Last Call review of -05 by Yoav Nir
Opsdir Last Call review of -05 by Dan Romascanu
Assignment Reviewer Yoav Nir
State Completed
Review review-seantek-ldap-pkcs9-05-secdir-lc-nir-2016-08-11
Reviewed rev. 05 (document currently at 08)
Review result Has Nits
Review completed: 2016-08-11

Review
review-seantek-ldap-pkcs9-05-secdir-lc-nir-2016-08-11

Note: I was assigned draft-seantek-ldap-pkcs9-05, but since version -06 was available, I reviewed that.

Summary: Ready with nits

The draft adds definitions from PKCS#9 to the IANA registry for LDAP. As such, the IANA Considerations section is the largest and most important part. The OIDs in the draft have already been defined in RFC 2985 (PKCS#9), which has a good Security Considerations section, especially considering that it was written in 2000. Security considerations for this document are mostly those for LDAP and for PKCS#9.

Beyond regular LDAP security considerations, some of the attributes defined in this draft are privacy-sensitive. Section 6 calls out dateOfBirth and placeOfBirth, but the same could be said for gender and countryOfResidence, among others.

I would have liked slightly stronger language than "may be subject to privacy laws in certain jurisdictions". More like "are sensitive and the information should never be stored or transmitted unencrypted".

One nit about the structure. I believe sections 2, 3, and 5, each occupying less than two lines could all be combined into a single paragraph in the Introduction.

Yoav