Last Call Review of draft-hodges-webauthn-registries-05
review-hodges-webauthn-registries-05-opsdir-lc-banks-2020-04-28-00
Request | Review of | draft-hodges-webauthn-registries |
---|---|---|
 | Requested revision | No specific revision (document currently at 10) |
 | Type | Last Call Review |
 | Team | Ops Directorate (opsdir) |
 | Deadline | 2020-04-29 |
 | Requested | 2020-04-01 |
 | Authors | Jeff Hodges, Giridhar Mandyam, Michael B. Jones |
 | I-D last updated | 2020-04-28 |
 | Completed reviews | Genart Last Call review of -05 by Paul Kyzivat; Secdir Last Call review of -05 by Hilarie Orman; Opsdir Last Call review of -05 by Sarah Banks; Genart Telechat review of -07 by Paul Kyzivat |
Assignment | Reviewer | Sarah Banks |
 | State | Completed |
 | Request | Last Call review on draft-hodges-webauthn-registries by Ops Directorate Assigned |
 | Posted at | https://mailarchive.ietf.org/arch/msg/ops-dir/kuNqFLJfe72n2gu8Qsd3bSHUflc |
 | Reviewed revision | 05 (document currently at 10) |
 | Result | Has issues |
 | Completed | 2020-04-28 |
Hello,

I too share the concerns the GENART reviewer does. In addition, a few things:

1. As a personal nit, I'm slightly annoyed as a reader that the draft defines the registries, but another doc has the default values. Just an FYI, and I realize this is a style choice.

2. In section 2.1, it states: "Each attestation statement format identifier added to this registry MUST be unique amongst the set of registered attestation statement format identifiers.", and that they are case sensitive. Did you really intend to allow a conceptual overload where a string of "string" and "STRING" would be allowed?

3. In a few spots it's written (see 2.2.2 for example): "As noted in Section 2.2.1, WebAuthn extension identifiers are registered using the Specification Required policy, implying review and approval by a designated expert.". Implied doesn't seem to be normative. Given the follow on text here, did you explicitly NOT want to make this a normative requirement?

Thanks,
Sarah