Ballot for draft-ietf-regext-ext-registry-epp
Discuss
Yes
No Objection
Recuse
No Record
Summary: Has 2 DISCUSSes. Has enough positions to pass once DISCUSS positions are resolved.
While I have divided my comments up into those I think are 'discuss worthy' and 'mere comments', I do believe all of my comments should be considered carefully. The goal of this process specification is to have a clear and concise set of instructions for those with submissions/changes to this registry and the DEs who will be doing the work to consider them. Many thanks to Tero Kivinen for their secdir review. I will also state that I agree with his points about: the status of the specification, the format of the references, the inclusion of '(or its future replacement)' - it should be deleted. Process specifications are not protocol documents. There is no reason to make it PS when BCP works just fine - and especially when BCP was working group consensus. (Even if there is one example process specification that is standards track, the vast majority are not.) Section 2.1, second para, last sentence: Why aren't Internet Drafts are not acceptable? Do they not meet the 'permanent and readily available' requirement? What if someone takes the contents of an I-D, posts it to a site that is considered 'permanent and readily available', can it be used then? This deviation from what is normally acceptable for 'specification required' needs to be explained. Section 2.1.1, para 2: Under what circumstances is it ok for a DE with a COI not defer? The SHOULD is currently naked, without rationale about when it is ok to ignore it. Section 2.2.3, para 1: How are requests to modify or deactivate registrations authenticated? Can anyone just masquerade as the POC make the request? Section 4: Consider how an unauthenticated attacker could disrupt this registry. Email addresses are super easy to spoof, what keeps this from happening to either modify or deactivate an entry?
Section 2, general comment: Remove all of the RFC 8126 text (you don't want to have to update this specification when that RFC gets replaced and yes, there is a 8126bis already), it adds no value, just makes it harder to maintain this specification. Section 2.2.1, Registrant name and email address: Wait, one can merely use IETF, and the IESG's email address? How will this work? Don't we really want a person who knows more about the registration? For some other registries, it is acceptable to use a working group name and email address (Mediatypes, for example). Section 2.2.3, para 2 and 3: This is incomprehensible. Registrations that were created w/ IETF and w/out IETF consensus can be approved by the IESG? But external registrations can just be summarily deactivated by the DEs? Section 5: I'm baffled by this section. This is a process specification, why are there operational considerations? Everything that exists in this section could be either moved elsewhere or removed. Para 1 belongs in Section 1, para 2 belongs in Section 2 with the rest of the DE instructions, para 3 can be removed.
** Section 2.1.1 The IESG should appoint a primary designated expert and a small number of individuals (perhaps 3 - 5) to serve as backup designated experts as described in Section 5.2 of [RFC8126]. The primary designated expert is responsible for conducting all reviews requested by IANA. The secondary designated experts are responsible for conducting reviews as a consensus-based group if the primary designated expert is unavailable. In cases where a registration decision could be perceived as creating a conflict of interest for a particular Designated Expert, that Expert SHOULD defer to the judgment of the other Experts. The designated experts MUST use the existing regext mailing list (regext@ietf.org) or its successor for public discussion of registration requests. This language above is a slight reinterpretation of Section 5.2, RFC8126. Is that really necessary as the following are underspecified: -- What is a “consensus-based group” (e.g., rough consensus, majority, unanimity) -- When should a DE NOT recuse if there is a COI? -- Is there a requirement being set on the IESG that it has to approved more than one DE here (as the language reads, the “IESG should …”)? ** Section 2.1.1 Should they decline to do so, perceived similarity SHOULD NOT be a sufficient reason for rejection as long as all other requirements are met. When is “perceived similarity” a sufficient reason to reject, as the guidance says similarity is sometimes adequate justification (since MUST NOT is not used)? ** Section 2.2.3 IESG Approval (Section 4.10 of [RFC8126]) is REQUIRED to remove or deactivate registrations created through IETF consensus. What does it mean to “deactivate” a registration?
** Section 2.1.1. Are these three statement providing unique normative guidance? The designated experts MUST use the existing regext mailing list (regext@ietf.org) or its successor for public discussion of registration requests. … The results of the evaluation MUST be shared via email with the registrant and the regext mailing list or its successor. … The designated experts MUST make an explicit decision and that decision MUST be shared via email with the registrant and the regext mailing list or its successor. ** Section 2.2.3 On receipt of a registration request, IANA will initiate review by the designated expert(s), who will evaluate the request using the criteria in Section 2.1.1 in consultation with the current working group mailing list focused on the development of EPP extensions if such working group exists. Why is this text needed. It is restating what IANA already does for “Specification Required”.
I support the DISCUSS from Mahesh. Regarding the considerations for the DE, I have a few additional comments. Section 2.2.1. Required Information "Name of Extension: A case-insensitive, ASCII text string that contains the name of the extension specification and does not overlap with an existing registered extension." Should checking that this requirement is met be added to the instructions to the DE?
Thanks to the author for the effort on the draft. Thanks to Tero for his SECDIR review. As Deb mentioned, the draft would improve taking the feedback into account. I support the discuss positions of Deb, Mahesh, and Roman.
Thanks for the work done in this document. The guidance for the Designated Experts is at an unusual location, but this is OK. # Section 2.1.1 Why not a "MUST" in `that Expert SHOULD defer to the judgment of the other Experts` ? I was about to ballot a blocking DISCUSS on this issue. # Section 3 Strongly suggest to add an informative URL for the newly created registry.
Thanks for the work done in this document. I did not see any transport protocol concerns.
Thanks to the author and the WG for this document. < moving this from DISCUSS to COMMENTS after Med's explanation during the telechat > I have a discussion point that should be trivial to address. This has got to do with the part that details about the IANA registries, format of requests, DE guidance, etc. should be under the IANA Considerations section per RFC8126. A trivial way to address this is to move all the content from under Section 2 into the IANA Considerations. I also have a few comments to offer: 1) Doesn't the following belong under DE guidance? An English language version of the extension specification MUST be referenced from the registry, though non- English versions of the specification may also be provided. Note that Section 2.1 of RFC 3735 [RFC3735] (or its future replacement) provides specific guidelines for documenting EPP extensions. 2) Regarding the following text: "For this registry, acceptable specifications include RFC documents and proprietary specifications that meet the "permanent and readily available" requirement described in Section 4.6 of [RFC8126]. Internet-Draft documents are not acceptable specifications for this registry." FYI - there is a 8126bis in the works that provides more flexibility in this matter (it is still work-in-progress). Please check https://www.ietf.org/archive/id/draft-ietf-ianabis-rfc8126bis-01.html#section-4.6.1.1 I am not suggesting that anything be changed though; just sharing in case this was not already known. 3) Regarding the following text: "If the specification for an extension is an IETF Standards Track document, no review is required by the designated expert." Is that "document" or more specifically "RFC"? I ask because I-Ds are not considered for allocation.
Thanks to the author for addressing my DISCUSS comment.