Last Call Review of draft-ietf-appsawg-webfinger-11
review-ietf-appsawg-webfinger-11-genart-lc-carpenter-2013-03-16-00
| Request | Review of draft-ietf-appsawg-webfinger |
|---|---|
| Requested revision | No specific revision (document currently at 18) |
| Type | Last Call Review |
| Team | General Area Review Team (Gen-ART) (genart) |
| Deadline | 2013-03-18 |
| Requested | 2013-03-07 |
| Authors | Paul Jones, Gonzalo Salgueiro, Michael Jones, Joseph Smarr |
| Draft last updated | 2013-03-16 |
| Completed reviews | Genart Last Call review of -11 by Brian E. Carpenter; Genart Telechat review of -12 by Brian E. Carpenter |
| Assignment | Reviewer: Brian E. Carpenter |
| State | Completed |
| Review | review-ietf-appsawg-webfinger-11-genart-lc-carpenter-2013-03-16 |
| Reviewed revision | 11 (document currently at 18) |
| Result | Ready with Issues |
| Completed | 2013-03-16 |
Please see attached review.
Brian
I am the assigned Gen-ART reviewer for this draft. For background on
Gen-ART, please see the FAQ at
<http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>.
Please resolve these comments along with any other Last Call comments
you may receive.
Document: draft-ietf-appsawg-webfinger-11.txt
Reviewer: Brian Carpenter
Review Date: 2013-03-16
IETF LC End Date: 2013-03-18
IESG Telechat date: 2013-03-28
Summary: In good shape, one big question
--------
Comments:
---------
The draft was updated during Last Call, which I thought was not normal practice.
This review is of the updated draft, not the one that was Last Called.
Technically, the draft looks very good as far as my knowledge goes.
Major Issues:
-------------
There is no explicit discussion of privacy in the draft, which seems to
me to carry evident privacy risks. For example, imagine an ISP that
kindly decides to support webfinger for all customers by default,
and preloads personally identifiable information without consent.
There is some relevant text in the Security Considerations:
Further, WebFinger MUST NOT be used to provide any personal
information to any party unless explicitly or implicitly authorized
by the person whose information is being shared.
However, the weakness there is the words "or implicitly". IANAL, but it
seems highly likely that would be illegal in the European Union, at least.
Has the draft been validated against the guidelines in draft-iab-privacy-considerations?