Last Call Review of draft-ietf-jmap-contacts-06
review-ietf-jmap-contacts-06-secdir-lc-sahib-2024-04-03-00
Request | Review of | draft-ietf-jmap-contacts |
---|---|---|
Requested revision | No specific revision (document currently at 10) | |
Type | Last Call Review | |
Team | Security Area Directorate (secdir) | |
Deadline | 2024-04-04 | |
Requested | 2024-03-20 | |
Authors | Neil Jenkins | |
I-D last updated | 2024-04-03 | |
Completed reviews |
Secdir Last Call review of -06
by Shivan Kaul Sahib
(diff)
Artart Telechat review of -09 by Tim Bray (diff) Opsdir Last Call review of -06 by Linda Dunbar (diff) Artart Last Call review of -06 by Tim Bray (diff) Genart Last Call review of -06 by Meral Shirazipour (diff) |
|
Assignment | Reviewer | Shivan Kaul Sahib |
State | Completed | |
Request | Last Call review on draft-ietf-jmap-contacts by Security Area Directorate Assigned | |
Posted at | https://mailarchive.ietf.org/arch/msg/secdir/UwcfaC7FvlweVnSb3nDJiRu5cTY | |
Reviewed revision | 06 (document currently at 10) | |
Result | Has issues | |
Completed | 2024-04-03 |
review-ietf-jmap-contacts-06-secdir-lc-sahib-2024-04-03-00
Section 1.4 This section says "This document defines two additional capability URIs." but AFAICT it's only one i.e. urn:ietf:params:jmap:contacts Section 2 Why does description property not have any restrictions unlike the name property? In general, it's a bit confusing which properties are mandatory and which are optional: sometimes it's pretty obvious (id and name), and sometimes it's not (sortOrder). I would highly recommend explicitly labelling all properties as either mandatory (and then defining what the possible values are), or optional (similar, but also with a sensible default). Looks like Principal is missing a reference to https://datatracker.ietf.org/doc/html/draft-ietf-jmap-sharing-06. mayDelete property in AddressBookRights is confusing, since I first thought it means the ability to delete ContactCards since that's what mayRead and mayWrite mention. Section 5 The Security Considerations section needs to address the fact that a user query which uses filtering/sorting is basically untrusted input and recommend how to sanitize and treat the input. It should at the very least point to RFC 8620 security guidance around parsing JSON input.