Last Call Review of draft-hodges-webauthn-registries-05
review-hodges-webauthn-registries-05-genart-lc-kyzivat-2020-04-13-00

Request Review of draft-hodges-webauthn-registries
Requested rev. no specific revision (document currently at 10)
Type Last Call Review
Team General Area Review Team (Gen-ART) (genart)
Deadline 2020-04-29
Requested 2020-04-01
Authors Jeff Hodges, Giridhar Mandyam, Michael Jones
Draft last updated 2020-04-13
Completed reviews Genart Last Call review of -05 by Paul Kyzivat (diff)
Secdir Last Call review of -05 by Hilarie Orman (diff)
Opsdir Last Call review of -05 by Sarah Banks (diff)
Genart Telechat review of -07 by Paul Kyzivat (diff)
Assignment Reviewer Paul Kyzivat
State Completed
Review review-hodges-webauthn-registries-05-genart-lc-kyzivat-2020-04-13
Posted at https://mailarchive.ietf.org/arch/msg/gen-art/9QVeshWi27KQEVEjoKPYaPBkOSU
Reviewed rev. 05 (document currently at 10)
Review result Ready with Issues
Review completed: 2020-04-13

Review
review-hodges-webauthn-registries-05-genart-lc-kyzivat-2020-04-13

I am the assigned Gen-ART reviewer for this draft. The General Area
Review Team (Gen-ART) reviews all IETF documents being processed
by the IESG for the IETF Chair.  Please treat these comments just
like any other last call comments.

For more information, please see the FAQ at

<https://trac.ietf.org/trac/gen/wiki/GenArtfaq>.

Document: draft-hodges-webauthn-registries-05
Reviewer: Paul Kyzivat
Review Date: 2020-04-13
IETF LC End Date: 2020-04-29
IESG Telechat date: ?

Summary:

This draft is on the right track but has open issues, described in the 
review.

Issue: Additional registry fields defined by experts

Section 2 specifies that experts are allowed to define additional fields 
to be collected in the registry. It isn't clear to me how this is 
intended to work, or could work. Some concerns that come to mind are:

* Is this on a per-registration basis? Once a new field has been 
requested, must that field be retroactively added to all preexisting 
registrations and all future entries in the registry?

* How will someone who is consulting the registry discover the meaning 
of the new fields?

* Does IANA have procedures to handle this sort of modification to the 
registries?

ISTM that the "Notes" field can already be used for extra 
format-specific data. Adding additional fields that apply to all entries 
would be better served by a formal revision to the registry.

If you really want to preserve this ability for experts to add fields 
then you need to specify in great detail how this is to work, and verify 
with IANA that it is feasible.

Otherwise the document seems ready to go.