Last Call Review of draft-ietf-appsawg-webfinger-11
review-ietf-appsawg-webfinger-11-genart-lc-carpenter-2013-03-16-00

Request: Review of draft-ietf-appsawg-webfinger
Requested revision: No specific revision (document currently at 18)
Type: Last Call Review
Team: General Area Review Team (Gen-ART) (genart)
Deadline: 2013-03-18
Requested: 2013-03-07
Authors: Paul Jones, Gonzalo Salgueiro, Michael B. Jones, Joseph Smarr
I-D last updated: 2013-03-16
Completed reviews: Genart Last Call review of -11 by Brian E. Carpenter; Genart Telechat review of -12 by Brian E. Carpenter

Assignment:
  Reviewer: Brian E. Carpenter
  State: Completed
  Request: Last Call review on draft-ietf-appsawg-webfinger by General Area Review Team (Gen-ART) Assigned
  Reviewed revision: 11 (document currently at 18)
  Result: Ready w/issues
  Completed: 2013-03-16
Please see attached review.

Brian

I am the assigned Gen-ART reviewer for this draft. For background on
Gen-ART, please see the FAQ at
<http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>.

Please resolve these comments along with any other Last Call comments
you may receive.

Document: draft-ietf-appsawg-webfinger-11.txt
Reviewer: Brian Carpenter
Review Date: 2013-03-16
IETF LC End Date: 2013-03-18
IESG Telechat date: 2013-03-28

Summary:  In good shape, one big question
--------

Comments:
---------

The draft was updated during Last Call, which I thought was not normal practice.
This review is of the updated draft, not the one that was Last Called.

Technically, the draft looks very good as far as my knowledge goes.

Major Issues:  
-------------

There is no explicit discussion of privacy in the draft, which seems to
me to carry evident privacy risks. For example, imagine an ISP that
kindly decides to support webfinger for all customers by default,
and preloads personally identifiable information without consent.

There is some relevant text in the Security Considerations:

   Further, WebFinger MUST NOT be used to provide any personal
   information to any party unless explicitly or implicitly authorized
   by the person whose information is being shared.

However, the weakness there is the words "or implicitly". IANAL, but it
seems highly likely that would be illegal in the European Union, at least.

Has the draft been validated against the guidelines in draft-iab-privacy-considerations?