
Gen-ART LC Review of draft-ietf-nsis-nslp-auth-06

2010-09-01 11:26:36
I am the assigned Gen-ART reviewer for this draft. For background on Gen-ART, 
please see the FAQ at <http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>.

Please resolve these comments along with any other Last Call comments you may 
receive.

Document: draft-ietf-nsis-nslp-auth-06.txt
Reviewer: Ben Campbell
Review Date: 2010-08-31
IETF LC End Date: 2010-08-31
IESG Telechat date: (if known)

Summary:

This draft is almost ready for publication as an experimental RFC. There are 
some minor issues that should be considered first, and a few editorial comments.

-Major issues: None

-Minor issues:

-- section 3.2.7, 2nd paragraph: "The creator of this attribute lists every 
NSLP object..."

Is there an order requirement? At least, the order in this list must match the 
order in the signature, right?

-- section 4.1.1, 2nd paragraph:

Is HMAC-MD5 still a reasonable choice for a single mandatory-to-implement 
algorithm these days?

-- Section 6.4, 1st paragraph:

This paragraph seems to conflate authentication with authorization. Integrity 
protection provides authentication, from which one can apply authorization 
policy. But it's not authorization policy in itself.

-- Section 7, 3rd paragraph:

This seems to conflict with 3.2.7 and 3.2.8, which only conditionally require 
AUTHENTICATION_DATA to be included. 


-Nits/editorial comments:

-- section 2, paragraph 2, 2nd sentence:

s/chose/choose

-- section 2, 5th paragraph, 1st sentence: "...operation of the authorization 
is to add one authorization policy object"

Does this mean "... operation of the authorization layer..."?

-- section 4.2, 2nd paragraph: "The ticket can be presented to the NSLP node 
via Kerberos by sending a KRB_CRED message to the NSLP node..."

Who presents it?

"...must be known in advance..."

Who must know it?

-- section 4.3.1.1, 1st paragraph: "...X509_V3_CERT, AUTHENTICATION_DATA MUST 
be generated following these steps"

Who must generate it?

-- section 4.3.1.1, 2nd paragraph: "...verification MUST be done following 
these steps:"

Who must do the verification?

-- section 4.3.1.1, 7th paragraph: " ... the public key of the authorizing 
entity can be extracted from the certificate."

I assume this step is not intended to be optional, but the language "can be" 
implies that it is.

-- section 4.3.1.2, 1st paragraph: "...AUTHENTICATION_DATA MUST be generated 
following these steps:"

Who must generate it?

-- section 4.3.1.2, first bullet in list of steps:

That's not really a step.

-- ... Third bullet

Who signs it?

-- ... First paragraph after first bullet list: "verification MUST be done"

Who must do the verification?

-- section 4.4, 1st paragraph after bullet list: "The Key-ID in the 
AUTHENTICATION_DATA allows to refer"

"allows" is a transitive verb in this context. I suggest "... allows [some 
actor] to refer", or "...allows the reference..."

-- section 6.2.3, general:

It's not clear to me if you mean for QNE/PDP to refer to one or the other, or 
the combination of the QNE and PDP.


_______________________________________________
Ietf mailing list
ietf@ietf.org
https://www.ietf.org/mailman/listinfo/ietf