Last Call Review of draft-ietf-idnabis-tables-
review-ietf-idnabis-tables-secdir-lc-kelly-2009-10-22-00

Request: Review of draft-ietf-idnabis-tables
Requested rev.: no specific revision (document currently at 09)
Type: Last Call Review
Team: Security Area Directorate (secdir)
Deadline: 2009-10-13
Requested: 2009-09-30
Draft last updated: 2009-10-22
Completed reviews: Secdir Last Call review of -?? by Scott Kelly; Secdir Telechat review of -?? by Scott Kelly
Assignment: Reviewer Scott Kelly
State: Completed
Review: review-ietf-idnabis-tables-secdir-lc-kelly-2009-10-22
Review completed: 2009-10-22

Review

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the IESG.
These comments were written primarily for the benefit of the security
area directors.  Document editors and WG chairs should treat these
comments just like any other last call comments.

The document specifies rules for deciding whether a code point should be
included in an Internationalized Domain Name. It's a member of a
4-document group, and as Paul pointed out in a related review, should be
considered as such.

The security considerations section consists of one sentence:

"The security issues associated with this work are discussed in
[IDNA2008-protocol]."

Following that link to the protocol document's security considerations
section:

"Security Considerations for this version of IDNA, except for the
special issues associated with right to left and characters, are
described in [IDNA2008-Defs].  Specific issues for labels containing
characters associated with scripts written right to left appear in
[IDNA2008-BIDI]."

The security considerations in those two documents (especially the
protocol document) do seem to cover the issues, although like Sam, I
don't feel qualified to definitively state this, and so I think the
security ADs should pay some attention to this collection of documents.

Editorially, one might consider removing the reference indirection and
pointing the reader directly at [IDNA2008-Defs] and [IDNA2008-BIDI].

--Scott