Last Call Review of draft-ietf-geojson-02
review-ietf-geojson-02-secdir-lc-shore-2016-05-26-00

Request: Review of draft-ietf-geojson
Requested rev.: no specific revision (document currently at 04)
Type: Last Call Review
Team: Security Area Directorate (secdir)
Deadline: 2016-05-31
Requested: 2016-05-19
Draft last updated: 2016-05-26
Completed reviews: Genart Last Call review of -02 by Meral Shirazipour
                   Secdir Last Call review of -02 by Melinda Shore
Assignment: Reviewer Melinda Shore
State: Completed
Review: review-ietf-geojson-02-secdir-lc-shore-2016-05-26
Reviewed rev.: 02 (document currently at 04)
Review result: Has Issues
Review completed: 2016-05-26

Review

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

(note: I was assigned the -02 revision of the document, but the -03
version was just issued and I am reviewing that).

Summary: this document is ready, with minor issues

This document describes a JSON format for representing geospatial
data.  It recommends a single coordinate reference system and does
not appear to be readily extensible to other coordinate reference
systems, but I'll assume that this has been addressed and resolved
by the responsible AD, etc. if it's actually a problem.

The security considerations section is brief and refers the reader
to the core JSON specification.  The second paragraph of the
security considerations section may have minor issues in that it
says "if sensitive data requires privacy or integrity protection the
service must be provided externally."  It may be appropriate, and
provide additional clarity, to distinguish between protection of
data in flight and data at rest (the IETF does not typically deal
with protection of the latter).  It may be sufficient to make the
word "externally" go away and replace it with something more specific -
for example,
    "if sensitive data require privacy or integrity protection
    those must be provided by the transport, for example TLS or
    HTTPS."

Otherwise, looks ready.

Melinda
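The review's point about the security considerations section is that GeoJSON, being plain JSON, carries no confidentiality or integrity mechanism of its own, so any such protection has to come from outside the format (the transport, for example TLS). The following is an added example that is not part of the review, the draft, or any GeoJSON implementation: it structurally validates a GeoJSON Feature (type, geometry nesting, numeric positions in longitude-first WGS 84 order and range) and then shows that a tampered document passes every check the format itself allows, while a detached HMAC computed over the received bytes catches it. The HMAC, the shared key, the sample Feature and the function names are constructed for illustration; the HMAC stands in for whatever external mechanism (transport or detached signature) a deployment actually uses.

```python
"""Structural validation of a GeoJSON Feature plus a detached integrity
check.  Added example; not code from the draft, the review or any
GeoJSON library.  The HMAC is a stand-in for an external mechanism such
as TLS, which GeoJSON itself does not provide."""
import hashlib
import hmac
import json

# Nesting depth of "coordinates" above the position level, by geometry
# type: a Point is one position, a LineString a list of positions, a
# Polygon a list of rings (each a list of positions), and so on.
_DEPTH = {
    "Point": 0,
    "MultiPoint": 1,
    "LineString": 1,
    "MultiLineString": 2,
    "Polygon": 2,
    "MultiPolygon": 3,
}


def _is_number(v):
    # bool is a subclass of int in Python; reject it explicitly.
    return isinstance(v, (int, float)) and not isinstance(v, bool)


def validate_position(pos):
    """A position is [longitude, latitude] or [longitude, latitude, altitude]
    in WGS 84 decimal degrees, longitude first."""
    if not isinstance(pos, list) or len(pos) not in (2, 3):
        raise ValueError("position must be a 2- or 3-element array")
    if not all(_is_number(v) for v in pos):
        raise ValueError("position elements must be numbers")
    lon, lat = pos[0], pos[1]
    if not (-180.0 <= lon <= 180.0 and -90.0 <= lat <= 90.0):
        raise ValueError("position outside WGS 84 range")


def _validate_coords(coords, depth):
    if depth == 0:
        validate_position(coords)
        return
    if not isinstance(coords, list) or not coords:
        raise ValueError("coordinates must be a non-empty array")
    for item in coords:
        _validate_coords(item, depth - 1)


def validate_geometry(geom):
    """Validate a geometry object; GeometryCollection recurses."""
    if not isinstance(geom, dict):
        raise ValueError("geometry must be an object")
    gtype = geom.get("type")
    if gtype == "GeometryCollection":
        geoms = geom.get("geometries")
        if not isinstance(geoms, list):
            raise ValueError("GeometryCollection needs a geometries array")
        for g in geoms:
            validate_geometry(g)
        return
    if gtype not in _DEPTH:
        raise ValueError("unknown geometry type %r" % (gtype,))
    _validate_coords(geom.get("coordinates"), _DEPTH[gtype])


def parse_feature(raw: bytes) -> dict:
    """Parse and structurally validate a single GeoJSON Feature."""
    obj = json.loads(raw.decode("utf-8"))
    if not isinstance(obj, dict) or obj.get("type") != "Feature":
        raise ValueError("not a Feature")
    if obj.get("geometry") is not None:
        validate_geometry(obj["geometry"])
    props = obj.get("properties")
    if props is not None and not isinstance(props, dict):
        raise ValueError("properties must be an object or null")
    return obj


def tag(raw: bytes, key: bytes) -> bytes:
    """Detached HMAC-SHA256 over the exact bytes received (hypothetical
    external integrity mechanism; the format has no field for this)."""
    return hmac.new(key, raw, hashlib.sha256).digest()


def verify_and_parse(raw: bytes, key: bytes, expected: bytes) -> dict:
    """Check integrity of the raw bytes first, then parse."""
    if not hmac.compare_digest(tag(raw, key), expected):
        raise ValueError("integrity check failed")
    return parse_feature(raw)


def reserialization_changes_bytes(raw: bytes) -> bool:
    """Parsing and re-emitting JSON does not preserve bytes, so a MAC or
    signature must cover the received bytes, not the parsed object."""
    return json.dumps(json.loads(raw.decode("utf-8"))).encode("utf-8") != raw


# Constructed sample input (not taken from the draft or the review).
SAMPLE = (b'{"type":"Feature","geometry":{"type":"Point",'
          b'"coordinates":[-122.4194,37.7749]},"properties":{"name":"sf"}}')
KEY = b"example-shared-key"  # placeholder key for the demonstration only
TAMPERED = SAMPLE.replace(b"37.7749", b"47.7749")  # latitude altered in transit

if __name__ == "__main__":
    print("format alone accepts:", parse_feature(TAMPERED)["geometry"]["coordinates"])
    try:
        verify_and_parse(TAMPERED, KEY, tag(SAMPLE, KEY))
    except ValueError as exc:
        print("external integrity check:", exc)
```

The structural checks reject malformed or out-of-range input but, as the run shows, they cannot tell an altered document from an original one; that is exactly why the draft's "provided externally" has to resolve to something concrete such as the transport.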