PRECIS Framework: Preparation, Enforcement, and Comparison of Internationalized Strings in Application Protocols

Note: This ballot was opened for revision 22 and is now closed.

Barry Leiba Yes

(Pete Resnick) Yes

(Jari Arkko) No Objection

(Alia Atlas) No Objection

(Richard Barnes) No Objection

Alissa Cooper No Objection

(Spencer Dawkins) No Objection

Comment (2015-02-17 for -22)
No email
send info
A nit:
   b.  Comparing two output strings to determine if they equivalent,
       typically through octet-for-octet matching to test for "bit-	
       string identity" (e.g., to make an access decision for purposes	
       of authentication or authorization as further described in	

(Adrian Farrel) No Objection

(Stephen Farrell) No Objection

Comment (2015-02-19 for -22)
No email
send info
Last time this came around I had the comments below.
While Barry no longer has a DISCUSS, I'd still be 
interested in chatting a bit about these. (Apologies
that I've not had time to re-read the draft though, so
feel free to just tell me these comments are OBE if
that's the case.)

- I agree with Bary's discuss - it seems weird to not
have the initial registries in hand when the RFC is
being issued. People will, I guess, implement from
Appendix A here anyway, so why not either delete this
and get the registry in place, or else make Appendix A
be the initial registry content.

7.7: This uses the empty set, which is puzzling. I think
you mean that this set is to be populated by the DE in
the IANA registries but if so, saying so would be good.

10.5: This says that a) its all too hard but also b)
"Nevertheless, specifications for application protocols
that use this framework MUST describe how confusable
characters can be abused to compromise the security of
systems that use the protocol in question, along with any
protocol-specific suggestions for overcoming those
threats." That seems like a 6919 MUST (but we know you
won't) to me. Is that a good plan?

10.6: Prompted by the secdir review, it might be worth a
few words on password hashing, which is very common.  E.g.
say that the canonical form is input to hashing and
therefore just can't be mucked about with. (But say that

(Brian Haberman) No Objection

(Joel Jaeggli) No Objection

(Ted Lemon) No Objection

(Kathleen Moriarty) No Objection

Comment (2015-02-18 for -22)
No email
send info
Thanks for your work on this draft, it reads very well!

Thanks for addressing the prior SecDir review comments: