Last Call Review of draft-ietf-capport-api-07
review-ietf-capport-api-07-secdir-lc-sparks-2020-04-30-00

Request
  Review of: draft-ietf-capport-api
  Requested revision: No specific revision (document currently at 08)
  Type: Last Call Review
  Team: Security Area Directorate (secdir)
  Deadline: 2020-05-11
  Requested: 2020-04-27
  Authors: Tommy Pauly, Darshak Thakore
  Draft last updated: 2020-04-30
  Completed reviews:
    Secdir Last Call review of -07 by Robert Sparks
    Genart Last Call review of -07 by Brian E. Carpenter
    Opsdir Last Call review of -07 by Linda Dunbar

Assignment
  Reviewer: Robert Sparks
  State: Completed
  Review: review-ietf-capport-api-07-secdir-lc-sparks-2020-04-30
  Posted at: https://mailarchive.ietf.org/arch/msg/secdir/84jkwXHbMyWwwAhLfrN66UFqwlQ
  Reviewed revision: 07 (document currently at 08)
  Result: Ready
  Completed: 2020-04-30
I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG. These comments
were written primarily for the benefit of the security area directors. Document
editors and WG chairs should treat these comments just like any other last call
comments.

This document is ready for publication as Proposed Standard RFC.

The document defines an HTTP JSON-based API for clients to use with a captive
portal API server. Discovery of the API server URL is defined in other capport
documents. Connection to the server uses TLS. Server authentication SHOULD use
OCSP stapling, and the network SHOULD permit connection to NTP servers
(or other time-sync mechanisms). The security considerations section calls out
the potential risk of look-alike characters being used in the server domain
name to mislead the user of the client of this API.