Last Call Review of draft-hodges-webauthn-registries-05
review-hodges-webauthn-registries-05-opsdir-lc-banks-2020-04-28-00

Request Review of draft-hodges-webauthn-registries
Requested revision No specific revision (document currently at 10)
Type Last Call Review
Team Ops Directorate (opsdir)
Deadline 2020-04-29
Requested 2020-04-01
Authors Jeff Hodges, Giridhar Mandyam, Michael B. Jones
I-D last updated 2020-04-28
Completed reviews Genart Last Call review of -05 by Paul Kyzivat (diff)
Secdir Last Call review of -05 by Hilarie Orman (diff)
Opsdir Last Call review of -05 by Sarah Banks (diff)
Genart Telechat review of -07 by Paul Kyzivat (diff)
Assignment Reviewer Sarah Banks
State Completed
Request Last Call review on draft-hodges-webauthn-registries by Ops Directorate Assigned
Posted at https://mailarchive.ietf.org/arch/msg/ops-dir/kuNqFLJfe72n2gu8Qsd3bSHUflc
Reviewed revision 05 (document currently at 10)
Result Has issues
Completed 2020-04-28
Hello,

I too share the concerns the GENART reviewer does. In addition, a few
things:

1. As a personal nit, I'm slightly annoyed as a reader that the draft defines
the registries, but another doc has the default values. Just an FYI, and I
realize this is a style choice.

2. In section 2.1, it states: "Each attestation statement format identifier
added to this registry MUST be unique amongst the set of registered
attestation statement format identifiers.", and that they are case sensitive.
Did you really intend to allow a conceptual overload where a string of
"string" and "STRING" would be allowed?

3. In a few spots it's written (see 2.2.2 for example): "As noted in Section
2.2.1, WebAuthn extension identifiers are registered using the Specification
Required policy, implying review and approval by a designated expert.".
Implied doesn't seem to be normative. Given the follow on text here, did you
explicitly NOT want to make this a normative requirement?

Thanks,
Sarah