Last Call Review of draft-ietf-radext-nai-10
review-ietf-radext-nai-10-secdir-lc-nir-2014-11-20-00

Request Review of draft-ietf-radext-nai
Requested rev. no specific revision (document currently at 15)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2014-11-14
Requested 2014-11-06
Other Reviews Opsdir Last Call review of -10 by Mehmet Ersue
Review State Completed
Reviewer Yoav Nir
Review review-ietf-radext-nai-10-secdir-lc-nir-2014-11-20
Posted at https://www.ietf.org/mail-archive/web/secdir/current/msg05239.html
Reviewed rev. 10 (document currently at 15)
Review result Ready
Draft last updated 2014-11-20
Review completed: 2014-11-20

Review

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  Document editors and WG chairs should treat these comments just
like any other last call comments.

Summary: Document is ready.

Some nits:

In section 2.6:

   Conversion to Unicode as well as normalization SHOULD be performed by
   edge systems such as laptops that take "local" text as input.  These
   edge systems are best suited to determine the users intent, and can
   best convert from "local" text to a normalized form.

I think it’s weird to use “laptop” here, as the luggability plays no part. “PC” would be better. In fact, I don’t think mobile phones are any different in this respect.

The same section says that Edge systems should normalize text, so AAA systems should not. It then goes on to say that today edge systems don’t always normalize text, so the AAA systems should. That’s a strange way to move forward, unless we’re sure that double-normalization does not cause problems.

The security considerations text is copied from RFC 4282. It still seems sufficient. This is remarkable considering that privacy is a big part of it, and privacy was not a hot topic on everyone’s mind in 2005 when RFC 4282 was written.

Yoav
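
The double-normalization question raised in the review can be checked directly. The following is an added example, not part of the review or the draft. It assumes the normalization form is NFC (the review does not name the form), and the function names and sample NAIs are constructed for illustration.

```python
import unicodedata

FORM = "NFC"  # assumption: the form applied by both edge and AAA systems

def normalize_nai(nai: str) -> str:
    """Normalize a whole user@realm string; '@' never composes, so this is safe."""
    return unicodedata.normalize(FORM, nai)

def edge_send(typed: str, edge_normalizes: bool) -> bytes:
    """Bytes an edge system puts on the wire for the text the user typed."""
    return (normalize_nai(typed) if edge_normalizes else typed).encode("utf-8")

def aaa_lookup_key(wire: bytes, aaa_normalizes: bool) -> bytes:
    """Key the AAA server uses to find the account for the received NAI."""
    nai = wire.decode("utf-8")
    return (normalize_nai(nai) if aaa_normalizes else nai).encode("utf-8")

def is_idempotent(samples) -> bool:
    """True if normalizing an already-normalized NAI changes nothing."""
    return all(normalize_nai(normalize_nai(s)) == normalize_nai(s) for s in samples)

def run_matrix(typed_variants, provisioned: str) -> dict:
    """For each (edge_normalizes, aaa_normalizes) pair, report whether every
    typed variant of the same identity resolves to the provisioned account."""
    account_key = normalize_nai(provisioned).encode("utf-8")
    return {
        (edge, aaa): all(
            aaa_lookup_key(edge_send(v, edge), aaa) == account_key
            for v in typed_variants
        )
        for edge in (True, False)
        for aaa in (True, False)
    }

# Constructed samples: the same visible NAI in precomposed and decomposed form.
PRECOMPOSED = "jos\u00e9@example.net"   # e-acute as one code point
DECOMPOSED = "jose\u0301@example.net"   # 'e' followed by combining acute
SAMPLES = [PRECOMPOSED, DECOMPOSED, "\u212bngstr\u00f6m@example.net"]

if __name__ == "__main__":
    print("idempotent:", is_idempotent(SAMPLES))
    for (edge, aaa), ok in run_matrix([PRECOMPOSED, DECOMPOSED], PRECOMPOSED).items():
        print(f"edge normalizes={edge!s:5} aaa normalizes={aaa!s:5} -> all match: {ok}")
```

With a single normalization form on both sides, the only combination that fails to match is the one where neither system normalizes; the idempotence result does not carry over if the two systems apply different forms.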