Last Call Review of draft-ietf-jmap-contacts-06
review-ietf-jmap-contacts-06-secdir-lc-sahib-2024-04-03-00

Section 1.4
This section says "This document defines two additional capability URIs." but
AFAICT it's only one i.e. urn:ietf:params:jmap:contacts

Section 2
Why does description property not have any restrictions unlike the name
property?

In general, it's a bit confusing which properties are mandatory and which are
optional: sometimes it's pretty obvious (id and name), and sometimes it's not
(sortOrder). I would highly recommend explicitly labelling all properties as
either mandatory (and then defining what the possible values are), or optional
(similar, but also with a sensible default).

Looks like Principal is missing a reference to
https://datatracker.ietf.org/doc/html/draft-ietf-jmap-sharing-06.

mayDelete property in AddressBookRights is confusing, since I first thought it
means the ability to delete ContactCards since that's what mayRead and mayWrite
mention.

Section 5
The Security Considerations section needs to address the fact that a user query
which uses filtering/sorting is basically untrusted input and recommend how to
sanitize and treat the input. It should at the very least point to RFC 8620
security guidance around parsing JSON input.