Last Call Review of draft-ietf-calext-ical-relations-08
review-ietf-calext-ical-relations-08-secdir-lc-meadows-2021-10-26-00

Request: Review of draft-ietf-calext-ical-relations
Requested revision: No specific revision (document currently at 11)
Type: Last Call Review
Team: Security Area Directorate (secdir)
Deadline: 2021-10-28
Requested: 2021-10-14
Authors: Michael Douglass
I-D last updated: 2021-10-26
Completed reviews:
  Artart Last Call review of -09 by Spencer Dawkins (diff)
  Secdir Last Call review of -08 by Catherine Meadows (diff)
  Genart Last Call review of -08 by Christer Holmberg (diff)
  Secdir Telechat review of -09 by Catherine Meadows (diff)
Assignment: Reviewer Catherine Meadows
State: Completed
Request: Last Call review on draft-ietf-calext-ical-relations by Security Area Directorate Assigned
Posted at: https://mailarchive.ietf.org/arch/msg/secdir/NNV1ZqzAuVV2HdGMfrSngwxQ2p4
Reviewed revision: 08 (document currently at 11)
Result: Has issues
Completed: 2021-10-26
This draft increases the expressiveness and scope of relationships that
can be defined in iCalendar. It updates the already existing RELATED-TO by
allowing UID and URI as values and introduces a GAP parameter to specify the
length of time between two events. It also introduces three new properties:
CONCEPT (roughly, category), LINK (typed reference to external meta-data or
related resources), and REFID (used to identify a key that identifies all
components that use that REFID). The syntax of the relationships is given and
intended use cases are described.

The introduction of greater expressiveness does not by itself introduce
security considerations, but the introduction of references to external sources
does, specifically for URIs, which are allowed as arguments of the RELATED-TO,
CONCEPT, and LINK properties. The authors of this document are aware of this,
and refer the reader to [RFC3986] for more information.  I agree that the
security considerations related to use of URIs proposed in this draft are
covered by this RFC.

I wonder, though, if the document shouldn’t contain a similar warning about the
data type REFERENCE.  This refers to an XML document or a portion of an XML
document.  Since XML can also be used as an attack vector, a mention in the
Security Considerations Section would seem appropriate.
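The two risks the review raises, externally resolvable URIs in RELATED-TO, CONCEPT and LINK, and XML-pointing REFERENCE values, are the kind of thing a receiving calendar service should check before dereferencing anything. The following Python is an added example written for this page; it is not code from the review, the draft or any iCalendar implementation. It assumes the property names RELATED-TO, LINK and CONCEPT, the GAP and VALUE parameters, and the value types UID, URI and REFERENCE as described for revision -08; the scheme allowlist, the default value types and the finding categories are this example's own assumptions, and the sample event is constructed.

```python
"""Defensive audit of reference values in iCalendar relation properties.

Added example for the secdir review above; not code from the draft or from
any iCalendar library.  Property names and value types follow
draft-ietf-calext-ical-relations as summarised in the review; the policy
choices (allowlist, defaults) are assumptions made for this example.
"""
import re
from urllib.parse import urlsplit

RELATION_PROPS = {"RELATED-TO", "LINK", "CONCEPT"}
# Assumption: a deployment-specific allowlist; the draft sets no such policy.
ALLOWED_SCHEMES = {"http", "https", "mailto"}
# Assumption: value type used when no VALUE parameter is present.
DEFAULT_VALUE_TYPE = {"RELATED-TO": "UID", "LINK": "URI", "CONCEPT": "URI"}


def unfold(ics):
    """Join RFC 5545 folded lines (a continuation starts with SPACE or TAB)."""
    out = []
    for line in re.split(r"\r?\n", ics.strip()):
        if line[:1] in (" ", "\t") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out


def split_content_line(line):
    """Split NAME;PARAMS:VALUE at the first ':' that is outside double quotes."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == ":" and not in_quotes:
            return line[:i], line[i + 1:]
    return line, ""


def parse_property(line):
    """Return (NAME, {PARAM: VALUE}, value) for one unfolded content line."""
    head, value = split_content_line(line)
    name, *raw_params = head.split(";")
    params = {}
    for p in raw_params:
        key, _, val = p.partition("=")
        params[key.upper()] = val.strip('"').upper()
    return name.upper(), params, value


def audit_relations(ics):
    """Return (property, category, value) findings for reference values that
    need extra handling before the calendar is stored or dereferenced."""
    findings = []
    for line in unfold(ics):
        name, params, value = parse_property(line)
        if name not in RELATION_PROPS:
            continue
        value_type = params.get("VALUE", DEFAULT_VALUE_TYPE[name])
        if value_type == "UID":
            continue  # opaque identifier resolved only inside the calendar store
        scheme = urlsplit(value).scheme.lower()
        if scheme not in ALLOWED_SCHEMES:
            findings.append((name, "disallowed-scheme", value))
        if value_type == "REFERENCE":
            # Points into an XML document: the fetched document must only be
            # parsed with external entities and DTD loading disabled.
            findings.append((name, "xml-reference", value))
    return findings


# Constructed sample event (not from the draft); one LINK line is folded.
SAMPLE_EVENT = "\r\n".join([
    "BEGIN:VEVENT",
    "UID:event-1@example.invalid",
    "RELATED-TO;RELTYPE=FINISHTOSTART;GAP=PT30M:event-0@example.invalid",
    "RELATED-TO;VALUE=URI:https://calendar.example.invalid/event/0",
    "CONCEPT:https://concepts.example.invalid/meeting",
    "LINK;VALUE=URI;LINKREL=alternate:ftp://files.example.invalid/agenda.txt",
    "LINK;VALUE=REFERENCE:https://docs.example.invalid/agenda.xml",
    " #xpointer(/agenda/item[1])",
    "END:VEVENT",
])

if __name__ == "__main__":
    for prop, category, value in audit_relations(SAMPLE_EVENT):
        print(f"{prop}: {category}: {value}")
```

Running it on the constructed event reports the ftp LINK as a disallowed scheme and the REFERENCE LINK as an XML reference; the UID-valued RELATED-TO is skipped because it never leaves the local store. The unfolding step matters: a folded REFERENCE would otherwise be split into a harmless-looking URL and a stray `#xpointer(...)` line that the check never sees.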