Ballot for draft-ietf-regext-ext-registry-epp
Discuss
Yes
No Objection
Recuse
No Record
Summary: Has 3 DISCUSSes. Needs one more YES or NO OBJECTION position to pass.
While I have divided my comments up into those I think are 'discuss worthy' and 'mere comments', I do believe all of my comments should be considered carefully. The goal of this process specification is to have a clear and concise set of instructions for those with submissions/changes to this registry and the DEs who will be doing the work to consider them. Many thanks to Tero Kivinen for their secdir review. I will also state that I agree with his points about: the status of the specification, the format of the references, the inclusion of '(or its future replacement)' - it should be deleted. Process specifications are not protocol documents. There is no reason to make it PS when BCP works just fine - and especially when BCP was working group consensus. (Even if there is one example process specification that is standards track, the vast majority are not.) Section 2.1, second para, last sentence: Why aren't Internet Drafts are not acceptable? Do they not meet the 'permanent and readily available' requirement? What if someone takes the contents of an I-D, posts it to a site that is considered 'permanent and readily available', can it be used then? This deviation from what is normally acceptable for 'specification required' needs to be explained. Section 2.1.1, para 2: Under what circumstances is it ok for a DE with a COI not defer? The SHOULD is currently naked, without rationale about when it is ok to ignore it. Section 2.2.3, para 1: How are requests to modify or deactivate registrations authenticated? Can anyone just masquerade as the POC make the request? Section 4: Consider how an unauthenticated attacker could disrupt this registry. Email addresses are super easy to spoof, what keeps this from happening to either modify or deactivate an entry?
Section 2, general comment: Remove all of the RFC 8126 text (you don't want to have to update this specification when that RFC gets replaced and yes, there is a 8126bis already), it adds no value, just makes it harder to maintain this specification. Section 2.2.1, Registrant name and email address: Wait, one can merely use IETF, and the IESG's email address? How will this work? Don't we really want a person who knows more about the registration? For some other registries, it is acceptable to use a working group name and email address (Mediatypes, for example). Section 2.2.3, para 2 and 3: This is incomprehensible. Registrations that were created w/ IETF and w/out IETF consensus can be approved by the IESG? But external registrations can just be summarily deactivated by the DEs? Section 5: I'm baffled by this section. This is a process specification, why are there operational considerations? Everything that exists in this section could be either moved elsewhere or removed. Para 1 belongs in Section 1, para 2 belongs in Section 2 with the rest of the DE instructions, para 3 can be removed.
Section 2.1.1, paragraph 1 > If the specification for an extension is an IETF Standards Track > document, no review is required by the designated expert. It appears that the author has already agreed to remove this paragraph from the document. This DISCUSS has been put in to track and make sure that it is addressed in the next version. As noted by the SECDIR reviewer (Tero Kivinen, May 28, 2026, thanks Tero), IANA normally requests a DE review regardless of RFC status. This sentence could be read as an instruction to IANA to skip that request, contrary to standard practice.
Section 2.1.1, paragraph 1 > The IESG should appoint a primary designated expert and a small > number of individuals (perhaps 3 - 5) to serve as backup designated > experts as described in Section 5.2 of [RFC8126]. The primary > designated expert is responsible for conducting all reviews requested > by IANA. The secondary designated experts are responsible for > conducting reviews as a consensus-based group if the primary > designated expert is unavailable. In cases where a registration > decision could be perceived as creating a conflict of interest for a > particular Designated Expert, that Expert SHOULD defer to the > judgment of the other Experts. The designated experts MUST use the > existing regext mailing list (regext@ietf.org) or its successor for > public discussion of registration requests. A SHOULD permits an expert with a perceived conflict of interest to decide not to recuse in the above paragraph. Conflict-of-interest provisions in governance contexts are typically mandatory. MUST would better reflect the intent. I support Éric Vyncke who made a similar ballot comment. Section 5, paragraph 1 > Section 2 includes provisions for modifying and deleting existing > registration entries by registrants. Such requests MUST NOT be > granted if the requested action has operational implication on other > entities that deploy that extension, assuming that those entities can > be identified. This guidance can be overridden if the requested > action MUST be taken to comply with actions that are beyond the > control of the experts and/or IANA, e.g., to comply with legal > actions. Note that the registry does not include a history mechanism > and there is no way to track deleted entries once they have been > removed. The second sentence in this paragraph makes the prohibition conditional: if affected parties cannot be identified, the constraint does not apply and the removal could proceed despite potential operational impact. If this is the intended policy, a brief rationale should be provided. If not, the language should be tightened. No reference entries found for these items, which were mentioned in the text: [RFC5730]. ------------------------------------------------------------------------------- NIT ------------------------------------------------------------------------------- All comments below are about very minor potential issues that you may choose to address in some way - or ignore - as you see fit. Some were flagged by automated tools (via https://github.com/larseggert/ietf-reviewtool), so there will likely be some false positives. There is no need to let me know what you did with these suggestions. Section 1, paragraph 1 > RFCs 3735 [RFC3735] and 5730 RFC5730 do not describe how extension > development can be managed and coordinated. This has led to a > situation in which server operators can develop different extensions > to address similar needs, such as the provisioning of Value Added Tax > (VAT) information. Clients then need to support multiple extensions > that serve similar purposes, and interoperability suffers as a > result. s/RFC5730/[RFC5730]/ You are missing the square brackets. Section 2.1.1, paragraph 1 > Extensions should be evaluated for architectural soundness using the > guidelines described in RFC 3735 [RFC3735] (or its future > replacement, including the Security Considerations section of that > document. Expert evaluation should explicitly include consideration > of the privacy consequences of proposed extensions, and, at a > minimum, ensure that any privacy considerations are fully documented > in the relevant specification(s). s/(or its future replacement/(or its future replacement)/) You are missing the closing parenthesis.
** Section 2.1.1 The IESG should appoint a primary designated expert and a small number of individuals (perhaps 3 - 5) to serve as backup designated experts as described in Section 5.2 of [RFC8126]. The primary designated expert is responsible for conducting all reviews requested by IANA. The secondary designated experts are responsible for conducting reviews as a consensus-based group if the primary designated expert is unavailable. In cases where a registration decision could be perceived as creating a conflict of interest for a particular Designated Expert, that Expert SHOULD defer to the judgment of the other Experts. The designated experts MUST use the existing regext mailing list (regext@ietf.org) or its successor for public discussion of registration requests. This language above is a slight reinterpretation of Section 5.2, RFC8126. Is that really necessary as the following are underspecified: -- What is a “consensus-based group” (e.g., rough consensus, majority, unanimity) -- When should a DE NOT recuse if there is a COI? -- Is there a requirement being set on the IESG that it has to approved more than one DE here (as the language reads, the “IESG should …”)? ** Section 2.1.1 Should they decline to do so, perceived similarity SHOULD NOT be a sufficient reason for rejection as long as all other requirements are met. When is “perceived similarity” a sufficient reason to reject, as the guidance says similarity is sometimes adequate justification (since MUST NOT is not used)? ** Section 2.2.3 IESG Approval (Section 4.10 of [RFC8126]) is REQUIRED to remove or deactivate registrations created through IETF consensus. What does it mean to “deactivate” a registration?
** Section 2.1.1. Are these three statement providing unique normative guidance? The designated experts MUST use the existing regext mailing list (regext@ietf.org) or its successor for public discussion of registration requests. … The results of the evaluation MUST be shared via email with the registrant and the regext mailing list or its successor. … The designated experts MUST make an explicit decision and that decision MUST be shared via email with the registrant and the regext mailing list or its successor. ** Section 2.2.3 On receipt of a registration request, IANA will initiate review by the designated expert(s), who will evaluate the request using the criteria in Section 2.1.1 in consultation with the current working group mailing list focused on the development of EPP extensions if such working group exists. Why is this text needed. It is restating what IANA already does for “Specification Required”.
I support the DISCUSS from Mahesh. Regarding the considerations for the DE, I have a few additional comments. Section 2.2.1. Required Information "Name of Extension: A case-insensitive, ASCII text string that contains the name of the extension specification and does not overlap with an existing registered extension." Should checking that this requirement is met be added to the instructions to the DE?
Thanks to the author for the effort on the draft. Thanks to Tero for his SECDIR review. As Deb mentioned, the draft would improve taking the feedback into account. I support the discuss positions of Deb, Mahesh, and Roman.
Thanks for the work done in this document. The guidance for the Designated Experts is at an unusual location, but this is OK. # Section 2.1.1 Why not a "MUST" in `that Expert SHOULD defer to the judgment of the other Experts` ? I was about to ballot a blocking DISCUSS on this issue. # Section 3 Strongly suggest to add an informative URL for the newly created registry.
Thanks for the work done in this document. I did not see any transport protocol concerns.
Thanks to the author and the WG for this document. < moving this from DISCUSS to COMMENTS after Med's explanation during the telechat > I have a discussion point that should be trivial to address. This has got to do with the part that details about the IANA registries, format of requests, DE guidance, etc. should be under the IANA Considerations section per RFC8126. A trivial way to address this is to move all the content from under Section 2 into the IANA Considerations. I also have a few comments to offer: 1) Doesn't the following belong under DE guidance? An English language version of the extension specification MUST be referenced from the registry, though non- English versions of the specification may also be provided. Note that Section 2.1 of RFC 3735 [RFC3735] (or its future replacement) provides specific guidelines for documenting EPP extensions. 2) Regarding the following text: "For this registry, acceptable specifications include RFC documents and proprietary specifications that meet the "permanent and readily available" requirement described in Section 4.6 of [RFC8126]. Internet-Draft documents are not acceptable specifications for this registry." FYI - there is a 8126bis in the works that provides more flexibility in this matter (it is still work-in-progress). Please check https://www.ietf.org/archive/id/draft-ietf-ianabis-rfc8126bis-01.html#section-4.6.1.1 I am not suggesting that anything be changed though; just sharing in case this was not already known. 3) Regarding the following text: "If the specification for an extension is an IETF Standards Track document, no review is required by the designated expert." Is that "document" or more specifically "RFC"? I ask because I-Ds are not considered for allocation.