Last Call Review of draft-ietf-regext-epp-registry-maintenance-16
review-ietf-regext-epp-registry-maintenance-16-secdir-lc-shore-2021-08-08-00

Request
Review of: draft-ietf-regext-epp-registry-maintenance
Requested revision: No specific revision (document currently at 19)
Type: Last Call Review
Team: Security Area Directorate (secdir)
Deadline: 2021-08-11
Requested: 2021-07-28
Authors: Tobias Sattler, Roger Carney, Jody Kolker
I-D last updated: 2021-08-08
Completed reviews:
    Secdir Last Call review of -16 by Melinda Shore
    Artart Last Call review of -17 by Harald T. Alvestrand
    Opsdir Telechat review of -17 by Joe Clarke
    Intdir Telechat review of -19 by Benno Overeinder

Assignment
Reviewer: Melinda Shore
State: Completed
Request: Last Call review on draft-ietf-regext-epp-registry-maintenance by Security Area Directorate (Assigned)
Posted at: https://mailarchive.ietf.org/arch/msg/secdir/xIVSfexNbqMnTCcExoLZSzbCz54
Reviewed revision: 16 (document currently at 19)
Result: Has issues
Completed: 2021-08-08

The security considerations section is scanty - transport security is not
described at all, nor is the question of defense against a malicious actor
spoofing a server.  It may be the case that there are, in fact, mitigations in
common use but they are not spelled out in this draft nor in RFC 5730 (and I’ll
be the first to admit that I may have missed something).  Because of this I do
have reservations about progressing the document towards publication.

Section 3.3: Is it the case that if an element is not explicitly identified as
optional, it’s mandatory?  If that’s the case you may want to mention that in
the first paragraph of this section.

Nits:

There’s occasionally some unidiomatic English (for example, “The command
mappings described here are specifically for the use to notify [ … ]” rather
than, for example, “The command mappings described here are specifically used
to notify [ … ]”, “The information on a [ … ]” rather than “The information
about a [ … ]”, etc.).

Section 1, first paragraph:  It’s actually not very clear about what registries
are informing registrars.  It may be clearer to start with something along the
lines of “Registries usually inform registrars of maintenance activities in
different ways.”