Subject Identifiers for Security Event Tokens
draft-ietf-secevent-subject-identifiers-18

[Ballot comment]
Thanks for addressing my DISCUSS issue.

For the record, I also supported Eric V's DISCUSS position.

The shepherd writeup says this about controversy in the working group:

  "No controversy beyond the normal."

Beyond this resulting in a cynical chuckle, I don't actually know whether I should be worried here.

The shepherd writeup also says:

  "Again, two of the authors have been recently active, while one has not been in touch for a long time."

This doesn't bode well for an easy AUTH48.  Should we consider moving that person to an Acknowledgments or Contributors section?

In Section 3.1:

  "E.g., While the email Identifier Format declares [...]"

I don't think you can start a sentence with "E.g.,"; I suggest changing that to "For example".

In Section 3.2.1 (and elsewhere):

  "Subject Identifiers in this format MUST contain a uri member whose value [...]"

Please put quotes around "uri" when it's used this way.  This isn't necessary when it's used as an acronym, but it should be quoted when it's a string literal.  I suggest the same for "url", "iss", "sub", and others; they otherwise look like misspelled or partial words.  "did" is even worse because it actually is an English word.

In Section 3.2.2:

  "The value of the email member SHOULD identify a mailbox to which email may be delivered [...]"

I'm curious about this constraint:

(a) If the goal is to have event-related content be reliably deliverable, why isn't this a MUST?

(b) If you leave it SHOULD, what interoperability concern specific to security events is created if I use an email address that's not actually deliverable?

In Section 3.2.4:

  "The Opaque Identifier Format describes a subject that is identified with a string with no semantics asserted beyond its usage as an identifier for the subject, such as a UUID or hash used as a surrogate identifier for a record in a database."

This is curious; since UUID has a specific standard format (and you could sync up with the UUIDREV working group if you want the cutting edge version), why not declare an Identifier Format for it explicitly?

In Section 8.1.2:

  "Contact information such as mailing address, email address, or phone number may also be provided."

A name alone probably isn't helpful to IANA.  I suggest changing "may" to "must".

My original DISCUSS position was:

I'd like to elevate something Paul observed in his comment to DISCUSS.  In Section 3.2.2.1:

  "When receiving an Email Subject Identifier, the recipient SHOULD use their implementation's canonicalization algorithm to resolve the email address to the same string used in their system."

This only applies if the domain portion of the email address is one that the local system considers to be a local address, correct?  That is, if I'm "example.com" but I get an email address of some other domain, I shouldn't be applying canonicalization at all, correct?

And to echo Paul's question: Why isn't the mail system doing the canonicalization?  Or is the goal here just to tell if two slightly different local addresses are (likely) referring to the same recipient for some aggregation purpose?

My general concern here is that now the events implementation has to exactly mirror whatever canonicalization the mail system is doing, which might not be known, or would require duplication of effort, or could allow for configuration drift, etc.  None of these are showstoppers, but it seems like more prose around this is probably a good idea if we want to go this route.

[Ballot comment]
Thanks for addressing my DISCUSS points in https://mailarchive.ietf.org/arch/msg/id-event/xZOWRjkwpde0Mqlf6oi_Bj9LlQA/

Thanks to Roman to trigger my review of my previous ballot position, else I would still be sitting on it ;)

Usually, when a DISCUSS point is raised by an Area Director, this is to start a discussion (hence the name), but there was no discussion on my DISCUSS position. Unusual but OK.

Regards

-éric

[Ballot comment]
Thanks for addressing my DISCUSS points in https://mailarchive.ietf.org/arch/msg/id-event/xZOWRjkwpde0Mqlf6oi_Bj9LlQA/

Thanks to Roman to trigger my review of my previous ballot position, else I would still be sitting on it ;)

Usually, when a DISCUSS point is raised by an Area Director, this is to start a discussion (hence the name), but there was no discussion on my DISCUSS position. Unusual but OK.

-éric

[Ballot comment]
Thank you for the work on this document.

Many thanks to Paul Kyzivat for his ART ART review: https://mailarchive.ietf.org/arch/msg/art/3UoUPXy96ynW4msza41RfQqzsss/. I haven't seen any answer to Paul's review, which I think gives input for improvements and clarifications, so I would strongly encourage the authors to evaluate and respond to Paul's comments. Regarding Paul's 1st comment, I think that ship has sailed, so I would not insist on any change there.

Additionally, I was surprised to see the following statement in the expert guidelines:

> In the case where a request is rejected, the Expert Reviewer must provide the requesting party with a written statement expressing the reason for rejection, and be prepared to cite any sources of information that went into that decision.

Although I understand wanting to know the reasoning behind a rejection, I would not formulate this as a formal requirement on the experts.

Francesca

[Ballot discuss]
I'd like to elevate something Paul observed in his comment to DISCUSS.  In Section 3.2.2.1:

  "When receiving an Email Subject Identifier, the recipient SHOULD use their implementation's canonicalization algorithm to resolve the email address to the same string used in their system."

This only applies if the domain portion of the email address is one that the local system considers to be a local address, correct?  That is, if I'm "example.com" but I get an email address of some other domain, I shouldn't be applying canonicalization at all, correct?

And to echo Paul's question: Why isn't the mail system doing the canonicalization?  Or is the goal here just to tell if two slightly different local addresses are (likely) referring to the same recipient for some aggregation purpose?

My general concern here is that now the events implementation has to exactly mirror whatever canonicalization the mail system is doing, which might not be known, or would require duplication of effort, or could allow for configuration drift, etc.  None of these are showstoppers, but it seems like more prose around this is probably a good idea if we want to go this route.

[Ballot comment]
I support Eric V's DISCUSS position.

The shepherd writeup says this about controversy in the working group:

  "No controversy beyond the normal."

Beyond this resulting in a cynical chuckle, I don't actually know whether I should be worried here.

The shepherd writeup also says:

  "Again, two of the authors have been recently active, while one has not been in touch for a long time."

This doesn't bode well for an easy AUTH48.  Should we consider moving that person to an Acknowledgments or Contributors section?

In Section 3.1:

  "E.g., While the email Identifier Format declares [...]"

I don't think you can start a sentence with "E.g.,"; I suggest changing that to "For example".

In Section 3.2.1 (and elsewhere):

  "Subject Identifiers in this format MUST contain a uri member whose value [...]"

Please put quotes around "uri" when it's used this way.  This isn't necessary when it's used as an acronym, but it should be quoted when it's a string literal.  I suggest the same for "url", "iss", "sub", and others; they otherwise look like misspelled or partial words.  "did" is even worse because it actually is an English word.

In Section 3.2.2:

  "The value of the email member SHOULD identify a mailbox to which email may be delivered [...]"

I'm curious about this constraint:

(a) If the goal is to have event-related content be reliably deliverable, why isn't this a MUST?

(b) If you leave it SHOULD, what interoperability concern specific to security events is created if I use an email address that's not actually deliverable?

In Section 3.2.4:

  "The Opaque Identifier Format describes a subject that is identified with a string with no semantics asserted beyond its usage as an identifier for the subject, such as a UUID or hash used as a surrogate identifier for a record in a database."

This is curious; since UUID has a specific standard format (and you could sync up with the UUIDREV working group if you want the cutting edge version), why not declare an Identifier Format for it explicitly?

In Section 8.1.2:

  "Contact information such as mailing address, email address, or phone number may also be provided."

A name alone probably isn't helpful to IANA.  I suggest changing "may" to "must".

[Ballot discuss]

# Éric Vyncke, INT AD, comments for draft-ietf-secevent-subject-identifiers-16
CC @evyncke

Thank you for the work put into this document.

Please find below two blocking DISCUSS points (easy to address), some non-blocking COMMENT points (but replies would be appreciated even if only for my own education), and some nits.

Special thanks to Yaron Sheffer for the shepherd's detailed write-up including the WG consensus **but** without the justification of the intended status.

I hope that this review helps to improve the document,

Regards,

-éric


## DISCUSS

As noted in https://www.ietf.org/blog/handling-iesg-ballot-positions/, a DISCUSS ballot is a request to have a discussion on the following topics:

### BCP 14

Please use the right BCP14 template (including reference to RFC 8174)

### No subject identifier for addresses

Like Erik Kline: either suppress the "IP or MAC address" in section 1, or **much** better add subsection in 3.2 to handle MAC/IP addresses.

[Ballot comment]

## COMMENTS

### Section 1

Please explain what "iss" is in `JWT iss claim` ;-)

### Section 3

Isn't `Identifier Formats that are expected to be used broadly` a little vague ?

## NITS

### Section 3.2.2.1

s/the recipient SHOULD use their implementation/the recipients SHOULD use their implementation/ ?

### Section 3.2.6

s/MUST contain a url member/MUST contain a URL member/ and several other places where some acronyms should be in uppercase.

## Notes

This review is in the ["IETF Comments" Markdown format][ICMF], You can use the
[`ietf-comments` tool][ICT] to automatically convert this review into
individual GitHub issues.

[ICMF]: https://github.com/mnot/ietf-comments/blob/main/format.md
[ICT]: https://github.com/mnot/ietf-comments

[Ballot comment]
On Email Canonicalization:

        some providers treat the local part of the email address as
        case-insensitive as well, and consider "user@example.com",
        "User@example.com", and "USER@example.com" as the same email
        address.

"some" is an interesting word choice for "basically every implementation
currently deployed". More seriously, an example of where dots (".") are
optional would be a better example as there are actually servers which
do and which do not treat these as equivalent. Whereas for case sensitivity,
that ship sailed a decade ago. However, the overarching question is, why
should email canonicalization be done in the first place? Isn't that
better done at the receiver of the secevent? Or is that what is implied
in section 3.1 (as it doesnt talk about the producer or consumer at all)

In  8.2.1. Registry Contents, should the change controller be IETF, not IESG ?

NITS:

The layout in Section 4.1 makes it appear the Figure descriptions are above
the example instead of below it and makes things confusing. I'd recommend some
changes in whitespace / lines there.

8.1.3 Format Name: email is the only entry not using quotes (eg "email")

[Ballot comment]
Thanks for this very readable and thorough document. I have two minor comments.

- the BCP 14 boilerplate is supposed to (normatively) reference RFC 8174 as well as RFC 2119.
- “contain a uri members” -> “contain a uri member” (agreement in number)

[Ballot comment]
# GEN AD review of draft-ietf-secevent-subject-identifiers-15

CC @larseggert

Thanks to Christer Holmberg for the General Area Review Team (Gen-ART) review
(https://mailarchive.ietf.org/arch/msg/gen-art/OrPm6xTVtSfi6MlSGvJg4rpKusI).

## Comments

### Section 3.2.1, paragraph 0
```
  3.2.1.  Account Identifier Format
```
Would there be any reason to use URIs more generally when encoding these
identifiers, e.g., also for tel: (RFC3966) or mailto: (RFC2368)?

### Section 3.2.7, paragraph 0
```
  3.2.7.  Uniform Resource Identifier (URI) Format
```
Email addresses and phone numbers (and maybe other identifiers) can be encoded
per the sections above, and also as URIs - should something be said about this?
Is one preferred?

### Boilerplate

This document uses the RFC2119 keywords "SHOULD NOT", "SHALL NOT", "REQUIRED",
"MUST NOT", "RECOMMENDED", "OPTIONAL", "MUST", "SHOULD", "MAY", and "SHALL",
but does not contain the recommended RFC8174 boilerplate. (It contains a
variant of the RFC2119 boilerplate.)

## Nits

All comments below are about very minor potential issues that you may choose to
address in some way - or ignore - as you see fit. Some were flagged by
automated tools (via https://github.com/larseggert/ietf-reviewtool), so there
will likely be some false positives. There is no need to let me know what you
did with these suggestions.

### URLs

These URLs in the document can probably be converted to HTTPS:

* http://openid.net/specs/openid-connect-core-1_0.html
* http://www.itu.int/rec/T-REC-E.164-201011-I/en
* http://www.iana.org/assignments/jwt

### Grammar/style

#### Section 1, paragraph 1
```
e others only have phone numbers. Therefore it can be necessary to indicate w
                                  ^^^^^^^^^
```
A comma may be missing after the conjunctive/linking adverb "Therefore".

#### Section 3, paragraph 3
```
ciated with that email address. Consequently Subject Identifiers remove ambig
                                ^^^^^^^^^^^^
```
A comma may be missing after the conjunctive/linking adverb "Consequently".

#### Section 8.1, paragraph 1
```
cription: Subject identifier based on an phone number. * Change Controller:
                                      ^^
```
Use "a" instead of "an" if the following word doesn't start with a vowel sound,
e.g. "a sentence", "a university".

## Notes

This review is in the ["IETF Comments" Markdown format][ICMF], You can use the
[`ietf-comments` tool][ICT] to automatically convert this review into
individual GitHub issues. Review generated by the [`ietf-reviewtool`][IRT].

[ICMF]: https://github.com/mnot/ietf-comments/blob/main/format.md
[ICT]: https://github.com/mnot/ietf-comments
[IRT]: https://github.com/larseggert/ietf-reviewtool

[Ballot comment]

# Internet AD comments for draft-ietf-secevent-subject-identifiers-15
CC @ekline

## Comments

### S1

* IP addresses are listed as an example subject but section 3.2 does not
  have a dedicated format for them.  This is fine to exclude, of course,
  but I do think the inclusion here created an expectation there would be
  a format defined further down.

  ---

  IF a format is added for IP addresses and IF the member holding an
  address has string value type then the values should be REQUIRED to be
  in accordance with RFC 5952.

  (This kinda raises the issue of IP prefixes as well; again: it's fine with
  me to not specify anything about this in this document. :-)

Please review, respond and revised based on the feedback in the GENART and ARTART reviews.  A number are proposing areas of clarity.  A common feedback item in both is that a additional text describing a subject and subject id would be helpful.

(Via drafts-lastcall@iana.org): IESG/Authors/WG Chairs:

The IANA Functions Operator has completed its review of draft-ietf-secevent-subject-identifiers-14. If any part of this review is inaccurate, please let us know.

The IANA Functions Operator understands that, upon approval of this document, there are two actions which we must complete.

First, a new registry is to be created called the Security Event Identifier Formats. The new registry will be added under the Security Event Token (SET) registry grouping located at:

https://www.iana.org/assignments/secevent

The new registry will be maintained via Specification Required as defined in RFC 8126. There are eight initial registrations in the new registry as follows:

Format Name: "account"
Format Description: Subject identifier based on acct URI.
Change Controller: IETF
Reference: [ RFC-to-be ]

Format Name: "email"
Format Description: Subject identifier based on email address.
Change Controller: IETF
Reference: [ RFC-to-be ]

Format Name: "iss_sub"
Format Description: Subject identifier based on an issuer and subject.
Change Controller: IETF
Reference: [ RFC-to-be ]

Format Name: "opaque"
Format Description: Subject identifier based on an opaque string.
Change Controller: IETF
Reference: [ RFC-to-be ]

Format Name: "phone_number"
Format Description: Subject identifier based on an phone number.
Change Controller: IETF
Reference: [ RFC-to-be ]

Format Name: "did"
Format Description: Subject identifier based on a decentralized identifier (DID).
Change Controller: IETF
Reference: [ RFC-to-be ]

Format Name: "uri"
Format Description: Subject identifier based on a uniform resource identifier (URI).
Change Controller: IETF
Reference: [ RFC-to-be ]

Format Name: "aliases"
Format Description: Subject identifier that groups together multiple different subject identifiers for the same subject.
Change Controller: IETF
Reference: [ RFC-to-be ]

Second, in the JSON Web Token Claims registry on the JSON Web Token (JWT) registry page located at:

https://www.iana.org/assignments/jwt

a new registration will be made as follows:

Claim Name: "sub_id"
Claim Description: Subject Identifier
Change Controller: IESG
Reference: [ RFC-to-be ]

As this document requests registrations in a Specification Required (see RFC 8126) registry, we will initiate the required Expert Review via a separate request. This review must be completed before the document's IANA state can be changed to "IANA OK."

The IANA Functions Operator understands that these are the only actions required to be completed upon approval of this document.

Would it be acceptable to list the IETF as the change controller for the JSON Web Token (JWT) registration instead of the IESG? There has been a preference for doing so, as described in the expired document at https://datatracker.ietf.org/doc/html/draft-leiba-ietf-iana-registrations-00, but it hasn\u2019t been recorded in a permanent document yet.

Note:  The actions requested in this document will not be completed until the document has been approved for publication as an RFC. This message is meant only to confirm the list of actions that will be performed.

For definitions of IANA review states, please see:

https://datatracker.ietf.org/help/state/draft/iana-review

Thank you,

David Dong
IANA Services Specialist

The following Last Call announcement was sent out (ends 2022-11-17):

From: The IESG
To: IETF-Announce
CC: draft-ietf-secevent-subject-identifiers@ietf.org, id-event@ietf.org, rdd@cert.org, secevent-chairs@ietf.org, yaronf.ietf@gmail.com
Reply-To: last-call@ietf.org
Sender:
Subject: Last Call:  (Subject Identifiers for Security Event Tokens) to Proposed Standard


The IESG has received a request from the Security Events WG (secevent) to
consider the following document: - 'Subject Identifiers for Security Event
Tokens'
  as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits final
comments on this action. Please send substantive comments to the
last-call@ietf.org mailing lists by 2022-11-17. Exceptionally, comments may
be sent to iesg@ietf.org instead. In either case, please retain the beginning
of the Subject line to allow automated sorting.

Abstract


  Security events communicated within Security Event Tokens may support
  a variety of identifiers to identify subjects related to the event.
  This specification formalizes the notion of subject identifiers as
  structured information that describe a subject, and named formats
  that define the syntax and semantics for encoding subject identifiers
  as JSON objects.  It also defines a registry for defining and
  allocating names for such formats, as well as the sub_id JSON Web
  Token (JWT) claim.




The file can be obtained via
https://datatracker.ietf.org/doc/draft-ietf-secevent-subject-identifiers/



No IPR declarations have been submitted directly on this I-D.

# Document Shepherd Write-Up

## Document History

1. Does the working group (WG) consensus represent the strong concurrence of a
  few individuals, with others being silent, or did it reach broad agreement?

There was previously WG consensus, but the WG has been dormant for a long time.

2. Was there controversy about particular points, or were there decisions where
  the consensus was particularly rough?

No controversy beyond the normal.

3. Has anyone threatened an appeal or otherwise indicated extreme discontent? If
  so, please summarize the areas of conflict in separate email messages to the
  responsible Area Director. (It should be in a separate email because this
  questionnaire is publicly available.)

No extreme discontent.

4. For protocol documents, are there existing implementations of the contents of
  the document? Have a significant number of potential implementers indicated
  plans to implement? Are any existing implementations reported somewhere,
  either in the document itself (as [RFC 7942][3] recommends) or elsewhere
  (where)?

There are multiple implementations. For example, this is a dependency of the GNAP protocol.

### Additional Reviews

5. Do the contents of this document closely interact with technologies in other
  IETF working groups or external organizations, and would it therefore benefit
  from their review? Have those reviews occurred? If yes, describe which
  reviews took place.

This is a dependency of GNAP, and GNAP participants have been involved in the latter development stages of this draft.

6. Describe how the document meets any required formal expert review criteria,
  such as the MIB Doctor, YANG Doctor, media type, and URI type reviews.

N/A.

7. If the document contains a YANG module, has the final version of the module
  been checked with any of the [recommended validation tools][4] for syntax and
  formatting validation? If there are any resulting errors or warnings, what is
  the justification for not fixing them at this time? Does the YANG module
  comply with the Network Management Datastore Architecture (NMDA) as specified
  in [RFC 8342][5]?

N/A.

8. Describe reviews and automated checks performed to validate sections of the
  final version of the document written in a formal language, such as XML code,
  BNF rules, MIB definitions, CBOR's CDDL, etc.

N/A.

### Document Shepherd Checks

9. Based on the shepherd's review of the document, is it their opinion that this
  document is needed, clearly written, complete, correctly designed, and ready
  to be handed off to the responsible Area Director?

Yes to all.

10. Several IETF Areas have assembled [lists of common issues that their
  reviewers encounter][6]. For which areas have such issues been identified
  and addressed? For which does this still need to happen in subsequent
  reviews?

I have reviewed the SEC list and nothing much applies to this draft.

11. What type of RFC publication is being requested on the IETF stream ([Best
  Current Practice][12], [Proposed Standard, Internet Standard][13],
  [Informational, Experimental or Historic][14])? Why is this the proper type
  of RFC? Do all Datatracker state attributes correctly reflect this intent?

Proposed Standard, and I agree this is the appropriate type of publication.

12. Have reasonable efforts been made to remind all authors of the intellectual
  property rights (IPR) disclosure obligations described in [BCP 79][8]? To
  the best of your knowledge, have all required disclosures been filed? If
  not, explain why. If yes, summarize any relevant discussion, including links
  to publicly-available messages when applicable.

Yes, as far as I'm aware there is no IPR associated with the draft. Specifically, this has been confirmed by two of the authors (Annabelle and Prachi) but I have not received a response from the third (Marius).

13. Has each author, editor, and contributor shown their willingness to be
  listed as such? If the total number of authors and editors on the front page
  is greater than five, please provide a justification.

Again, two of the authors have been recently active, while one has not been in touch for a long time.

14. Document any remaining I-D nits in this document. Simply running the [idnits
  tool][8] is not enough; please review the ["Content Guidelines" on
  authors.ietf.org][15]. (Also note that the current idnits tool generates
  some incorrect warnings; a rewrite is underway.)

* The reference to the definition of JSON is to RFC 7159 instead of the newer RFC 8259.
* A few example phone numbers do not follow the [guidelines](https://authors.ietf.org/example-addresses).

15. Should any informative references be normative or vice-versa? See the [IESG
  Statement on Normative and Informative References][16].

The references are classified correctly. Two non-IETF normative references (to E.164 numbering and to Distributed Identifiers) are in my opinion stable.

16. List any normative references that are not freely available to anyone. Did
  the community have sufficient access to review any such normative
  references?

None.

17. Are there any normative downward references (see [RFC 3967][9] and [BCP
  97][10]) that are not already listed in the [DOWNREF registry][17]? If so,
  list them.

No.

18. Are there normative references to documents that are not ready to be
  submitted to the IESG for publication or are otherwise in an unclear state?
  If so, what is the plan for their completion?

No.

19. Will publication of this document change the status of any existing RFCs? If
  so, does the Datatracker metadata correctly reflect this and are those RFCs
  listed on the title page, in the abstract, and discussed in the
  introduction? If not, explain why and point to the part of the document
  where the relationship of this document to these other RFCs is discussed.

No such RFCs.

20. Describe the document shepherd's review of the IANA considerations section,
  especially with regard to its consistency with the body of the document.
  Confirm that all aspects of the document requiring IANA assignments are
  associated with the appropriate reservations in IANA registries. Confirm
  that any referenced IANA registries have been clearly identified. Confirm
  that each newly created IANA registry specifies its initial contents,
  allocations procedures, and a reasonable name (see [RFC 8126][11]).

The IANA Considerations section is complete and very clear.

21. List any new IANA registries that require Designated Expert Review for
  future allocations. Are the instructions to the Designated Expert clear?
  Please include suggestions of designated experts, if appropriate.

The only registry defined requires a Designated Expert and provides reasonable instructions.

[1]: https://www.ietf.org/about/groups/iesg/
[2]: https://www.rfc-editor.org/rfc/rfc4858.html
[3]: https://www.rfc-editor.org/rfc/rfc7942.html
[4]: https://trac.ietf.org/trac/ops/wiki/yang-review-tools
[5]: https://www.rfc-editor.org/rfc/rfc8342.html
[6]: https://trac.ietf.org/trac/iesg/wiki/ExpertTopics
[7]: https://www.rfc-editor.org/info/bcp79
[8]: https://www.ietf.org/tools/idnits/
[9]: https://www.rfc-editor.org/rfc/rfc3967.html
[10]: https://www.rfc-editor.org/info/bcp97
[11]: https://www.rfc-editor.org/rfc/rfc8126.html
[12]: https://www.rfc-editor.org/rfc/rfc2026.html#section-5
[13]: https://www.rfc-editor.org/rfc/rfc2026.html#section-4.1
[14]: https://www.rfc-editor.org/rfc/rfc2026.html#section-4.2
[15]: https://authors.ietf.org/en/content-guidelines-overview
[16]: https://www.ietf.org/about/groups/iesg/statements/normative-informative-references/
[17]: https://datatracker.ietf.org/doc/downref/

# Document Shepherd Write-Up

## Document History

1. Does the working group (WG) consensus represent the strong concurrence of a
  few individuals, with others being silent, or did it reach broad agreement?

There was previously WG consensus, but the WG has been dormant for a long time.

2. Was there controversy about particular points, or were there decisions where
  the consensus was particularly rough?

No controversy beyond the normal.

3. Has anyone threatened an appeal or otherwise indicated extreme discontent? If
  so, please summarize the areas of conflict in separate email messages to the
  responsible Area Director. (It should be in a separate email because this
  questionnaire is publicly available.)

No extreme discontent.

4. For protocol documents, are there existing implementations of the contents of
  the document? Have a significant number of potential implementers indicated
  plans to implement? Are any existing implementations reported somewhere,
  either in the document itself (as [RFC 7942][3] recommends) or elsewhere
  (where)?

There are multiple implementations. For example, this is a dependency of the GNAP protocol.

### Additional Reviews

5. Do the contents of this document closely interact with technologies in other
  IETF working groups or external organizations, and would it therefore benefit
  from their review? Have those reviews occurred? If yes, describe which
  reviews took place.

This is a dependency of GNAP, and GNAP participants have been involved in the latter development stages of this draft.

6. Describe how the document meets any required formal expert review criteria,
  such as the MIB Doctor, YANG Doctor, media type, and URI type reviews.

N/A.

7. If the document contains a YANG module, has the final version of the module
  been checked with any of the [recommended validation tools][4] for syntax and
  formatting validation? If there are any resulting errors or warnings, what is
  the justification for not fixing them at this time? Does the YANG module
  comply with the Network Management Datastore Architecture (NMDA) as specified
  in [RFC 8342][5]?

N/A.

8. Describe reviews and automated checks performed to validate sections of the
  final version of the document written in a formal language, such as XML code,
  BNF rules, MIB definitions, CBOR's CDDL, etc.

N/A.

### Document Shepherd Checks

9. Based on the shepherd's review of the document, is it their opinion that this
  document is needed, clearly written, complete, correctly designed, and ready
  to be handed off to the responsible Area Director?

Yes to all.

10. Several IETF Areas have assembled [lists of common issues that their
  reviewers encounter][6]. For which areas have such issues been identified
  and addressed? For which does this still need to happen in subsequent
  reviews?

I have reviewed the SEC list and nothing much applies to this draft.

11. What type of RFC publication is being requested on the IETF stream ([Best
  Current Practice][12], [Proposed Standard, Internet Standard][13],
  [Informational, Experimental or Historic][14])? Why is this the proper type
  of RFC? Do all Datatracker state attributes correctly reflect this intent?

Proposed Standard, and I agree this is the appropriate type of publication.

12. Have reasonable efforts been made to remind all authors of the intellectual
  property rights (IPR) disclosure obligations described in [BCP 79][8]? To
  the best of your knowledge, have all required disclosures been filed? If
  not, explain why. If yes, summarize any relevant discussion, including links
  to publicly-available messages when applicable.

Yes, as far as I'm aware there is no IPR associated with the draft. Specifically, this has been confirmed by two of the authors (Annabelle and Prachi) but I have not received a response from the third (Marius).

13. Has each author, editor, and contributor shown their willingness to be
  listed as such? If the total number of authors and editors on the front page
  is greater than five, please provide a justification.

Again, two of the authors have been recently active, while one has not been in touch for a long time.

14. Document any remaining I-D nits in this document. Simply running the [idnits
  tool][8] is not enough; please review the ["Content Guidelines" on
  authors.ietf.org][15]. (Also note that the current idnits tool generates
  some incorrect warnings; a rewrite is underway.)

* The reference to the definition of JSON is to RFC 7159 instead of the newer RFC 8259.
* A few example phone numbers do not follow the [guidelines](https://authors.ietf.org/example-addresses).

15. Should any informative references be normative or vice-versa? See the [IESG
  Statement on Normative and Informative References][16].

The references are classified correctly. Two non-IETF normative references (to E.164 numbering and to Distributed Identifiers) are in my opinion stable.

16. List any normative references that are not freely available to anyone. Did
  the community have sufficient access to review any such normative
  references?

None.

17. Are there any normative downward references (see [RFC 3967][9] and [BCP
  97][10]) that are not already listed in the [DOWNREF registry][17]? If so,
  list them.

No.

18. Are there normative references to documents that are not ready to be
  submitted to the IESG for publication or are otherwise in an unclear state?
  If so, what is the plan for their completion?

No.

19. Will publication of this document change the status of any existing RFCs? If
  so, does the Datatracker metadata correctly reflect this and are those RFCs
  listed on the title page, in the abstract, and discussed in the
  introduction? If not, explain why and point to the part of the document
  where the relationship of this document to these other RFCs is discussed.

No such RFCs.

20. Describe the document shepherd's review of the IANA considerations section,
  especially with regard to its consistency with the body of the document.
  Confirm that all aspects of the document requiring IANA assignments are
  associated with the appropriate reservations in IANA registries. Confirm
  that any referenced IANA registries have been clearly identified. Confirm
  that each newly created IANA registry specifies its initial contents,
  allocations procedures, and a reasonable name (see [RFC 8126][11]).

The IANA Considerations section is complete and very clear.

21. List any new IANA registries that require Designated Expert Review for
  future allocations. Are the instructions to the Designated Expert clear?
  Please include suggestions of designated experts, if appropriate.

The only registry defined requires a Designated Expert and provides reasonable instructions.

[1]: https://www.ietf.org/about/groups/iesg/
[2]: https://www.rfc-editor.org/rfc/rfc4858.html
[3]: https://www.rfc-editor.org/rfc/rfc7942.html
[4]: https://trac.ietf.org/trac/ops/wiki/yang-review-tools
[5]: https://www.rfc-editor.org/rfc/rfc8342.html
[6]: https://trac.ietf.org/trac/iesg/wiki/ExpertTopics
[7]: https://www.rfc-editor.org/info/bcp79
[8]: https://www.ietf.org/tools/idnits/
[9]: https://www.rfc-editor.org/rfc/rfc3967.html
[10]: https://www.rfc-editor.org/info/bcp97
[11]: https://www.rfc-editor.org/rfc/rfc8126.html
[12]: https://www.rfc-editor.org/rfc/rfc2026.html#section-5
[13]: https://www.rfc-editor.org/rfc/rfc2026.html#section-4.1
[14]: https://www.rfc-editor.org/rfc/rfc2026.html#section-4.2
[15]: https://authors.ietf.org/en/content-guidelines-overview
[16]: https://www.ietf.org/about/groups/iesg/statements/normative-informative-references/
[17]: https://datatracker.ietf.org/doc/downref/