Last Call Review of draft-ietf-jmap-contacts-06
review-ietf-jmap-contacts-06-secdir-lc-sahib-2024-04-03-00
| Request | Review of | draft-ietf-jmap-contacts |
|---|---|---|
| Requested revision | No specific revision (document currently at 10) | |
| Type | IETF Last Call Review | |
| Team | Security Area Directorate (secdir) | |
| Deadline | 2024-04-04 | |
| Requested | 2024-03-20 | |
| Authors | Neil Jenkins | |
| I-D last updated | 2024-12-18 (Latest revision 2024-06-06) | |
| Completed reviews |
Secdir IETF Last Call review of -06
by Shivan Kaul Sahib
(diff)
Artart Telechat review of -09 by Tim Bray (diff) Opsdir IETF Last Call review of -06 by Linda Dunbar (diff) Artart IETF Last Call review of -06 by Tim Bray (diff) Genart IETF Last Call review of -06 by Meral Shirazipour (diff) |
|
| Assignment | Reviewer | Shivan Kaul Sahib |
| State | Completed | |
| Request | IETF Last Call review on draft-ietf-jmap-contacts by Security Area Directorate Assigned | |
| Posted at | https://mailarchive.ietf.org/arch/msg/secdir/UwcfaC7FvlweVnSb3nDJiRu5cTY | |
| Reviewed revision | 06 (document currently at 10) | |
| Result | Has issues | |
| Completed | 2024-04-03 |
review-ietf-jmap-contacts-06-secdir-lc-sahib-2024-04-03-00
Section 1.4 This section says "This document defines two additional capability URIs." but AFAICT it's only one i.e. urn:ietf:params:jmap:contacts Section 2 Why does description property not have any restrictions unlike the name property? In general, it's a bit confusing which properties are mandatory and which are optional: sometimes it's pretty obvious (id and name), and sometimes it's not (sortOrder). I would highly recommend explicitly labelling all properties as either mandatory (and then defining what the possible values are), or optional (similar, but also with a sensible default). Looks like Principal is missing a reference to https://datatracker.ietf.org/doc/html/draft-ietf-jmap-sharing-06. mayDelete property in AddressBookRights is confusing, since I first thought it means the ability to delete ContactCards since that's what mayRead and mayWrite mention. Section 5 The Security Considerations section needs to address the fact that a user query which uses filtering/sorting is basically untrusted input and recommend how to sanitize and treat the input. It should at the very least point to RFC 8620 security guidance around parsing JSON input.