Last Call Review of draft-ietf-modern-problem-framework-03

Request: Review of draft-ietf-modern-problem-framework
Requested rev.: no specific revision (document currently at 04)
Type: Last Call Review
Team: Security Area Directorate (secdir)
Deadline: 2018-02-15
Requested: 2018-02-01
Authors: Jon Peterson, Tom McGarry
Draft last updated: 2018-02-16
Completed reviews: Genart Last Call review of -03 by Joel Halpern; Opsdir Last Call review of -03 by Linda Dunbar; Secdir Last Call review of -03 by Yoav Nir
Assignment: Reviewer Yoav Nir
State: Completed
Review: review-ietf-modern-problem-framework-03-secdir-lc-nir-2018-02-16
Reviewed rev.: 03 (document currently at 04)
Review result: Has Nits
Review completed: 2018-02-16


I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. Document editors and others should treat these comments just like any other late last call comments.

The document is well-written although it uses a lot of jargon without defining it first. For example:

   An increasing number of enterprises, over-the-top voice-over-IP (VoIP)
   providers
VoIP I understand. What is over-the-top? Since the target audience is IETF people who are more well-versed in telephony jargon than I am, this is probably fine.

What I didn't like about this is the introduction in section 1. It reads like a marketing document rather than a technical one. For example:

   The challenges of utilizing telephone numbers (TNs) on the Internet
   have been known for some time.
It's only challenging if I want to use a TN on the Internet. Why do I want to do that?

   Thanks to the increasing sophistication of consumer mobile devices as
   Internet endpoints as well as telephones, users now associate TNs
   with many Internet applications other than telephony.
So because my phone is so sophisticated and has IP, I now associate phone numbers with Internet applications? Why?

The Security Considerations section is fine, but I think this is one draft that should have privacy considerations, either as a separate section or as a paragraph in the Security Considerations section. It should be called out that the administrative data often contains PII (real names and addresses of users), and that the usage of phone numbers as identifiers on the Internet allows for mapping these real names and addresses to transactions on the Internet. I think this deserves a mention.