Hi Rich, Thank you for the review. Please see inline. Cheers, Med (as doc Shepherd) > -----Message d'origine----- > De : last-call <last-call-bounces@xxxxxxxx> De la part de Rich Salz > via Datatracker > Envoyé : jeudi 28 septembre 2023 20:03 > À : secdir@xxxxxxxx > Cc : alto@xxxxxxxx; draft-ietf-alto-oam-yang.all@xxxxxxxx; last- > call@xxxxxxxx > Objet : [Last-Call] Secdir last call review of draft-ietf-alto-oam- > yang-12 > > Reviewer: Rich Salz > Review result: Ready > > I know a little bit about YANG (having helped with the cryptographic > keys definitions for SSH, TLS) and almost nothing about ALTO (but I > stayed at a XXXX I mean I read the RFC 7285). > > I read the security considerations carefully. It did a nice job > pointing out that some of the data could be sensitive so be careful > about exposing it to everyone. The opening sentence "Both of these > protocols have mandatory-to-implement secure transport layers (e.g., > SSH, TLS) with mutual authentication." [Med] FWIW, that is part of the template mandated by RFC8407: This section MUST be patterned after the latest approved template (available at <https://trac.ietf.org/trac/ops/wiki/yang-security- guidelines>). Section 3.7.1 contains the security considerations template dated 2013-05-08 and last updated on 2018-07-02. Authors MUST check the web page at the URL listed above in case there is a more recent version available. Should probably be followed > with some kind of advice about SHOULD use mutual authentication when > any sensitive data is being retrieved or modified. > [Med] I don't think this is specific to this draft. This is a good point to discuss as part of the ongoing RFC8407bis effort in netmod [1]. I created an issue to record this at [2]. [1] https://mailarchive.ietf.org/arch/msg/netmod/Nv1oKU2qgg2Kdh0YyLaD6joR0ek/ [2] https://github.com/boucadair/rfc8407bis/issues/7 > A started to read some of the YANG definitions, but I defer to the > YANG Doctors. > > >From a security perspective, this is definitely READY. > > > > -- > last-call mailing list > last-call@xxxxxxxx > https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww. > ietf.org%2Fmailman%2Flistinfo%2Flast- > call&data=05%7C01%7Cmohamed.boucadair%40orange.com%7Caa63af62a61e4fd68 > f0108dbc04d2557%7C90c7a20af34b40bfbc48b9253b6f5d20%7C0%7C0%7C638315209 > 790376618%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIi > LCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=85TFXOT5SQVnKn4Q0 > DwsOgv9JBvOrTJ%2BXd%2FM6uPTv1Y%3D&reserved=0 ____________________________________________________________________________________________________________ Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration, Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci. This message and its attachments may contain confidential or privileged information that may be protected by law; they should not be distributed, used or copied without authorisation. If you have received this email in error, please notify the sender and delete this message and its attachments. As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified. Thank you. -- last-call mailing list last-call@xxxxxxxx https://www.ietf.org/mailman/listinfo/last-call
