Oops: this review is marked “Serious Issues”, where (as mentioned in the comments) I intended it to be “Ready with nits”. Sorry for the confusion. Brian > On Dec 3, 2020, at 11:57 AM, Brian Weis via Datatracker <noreply@xxxxxxxx> wrote: > > Reviewer: Brian Weis > Review result: Serious Issues > > I have reviewed this document as part of the security directorate's > ongoing effort to review all IETF documents being processed by the > IESG. These comments were written primarily for the benefit of the > security area directors. Document editors and WG chairs should > treat these comments just like any other last call comments. > > The summary of the review is Ready with nits. > > This document generally defines a new URN namespace for hardware > device identifiers, and then further defines the URN body layout > for several types of devices, where devices are identified by a > global identity (e.g., a MAC address, organizational-specific serial > number, etc.). > > Long-term identifiers have privacy considerations, and these are > well documented here. > > Here are some things that ought to be thought about: > > (1) The Security Considerations section seems to focus on concerns > around devices not allowing the device identifiers to be modified, > and gives rather broad advice about a DEV URN implementation > faithfully representing the device. It would be good for this section > to also warn implementors of the risks of a DEV URN being transmitted > without integrity protection. That is, if the device faithfully > represents itself, a man in the middle changing the DEV URN in a > protocol may cause the system using the device to not manage the > device properly, or in some manner inappropriately adjust the privileges > allowed by the device within that system. > > (2) Section 1 says about privacy “Note that long-term stable unique > identifiers are problematic for privacy reasons and should be used > with care or avoided as described in [RFC7721].” Given the later > guidance that “The DEV URN type SHOULD only be used for persistent > identifiers”, I think the “or avoided” portion of that sentence is > inappropriate for this document. > > (3) Section 5 begins with “The following three examples provide > examples of MAC-based, 1-Wire, and Cryptographic identifiers”. There > are now more than three examples provided (thanks for that!), and > it appears that cryptographic identifiers have ben removed in an > earlier draft. > > > _______________________________________________ > secdir mailing list > secdir@xxxxxxxx > https://www.ietf.org/mailman/listinfo/secdir > wiki: http://tools.ietf.org/area/sec/trac/wiki/SecDirReview -- last-call mailing list last-call@xxxxxxxx https://www.ietf.org/mailman/listinfo/last-call
