Last Call Review of draft-ietf-repute-query-http-09
review-ietf-repute-query-http-09-secdir-lc-emery-2013-08-22-00

Request: Review of draft-ietf-repute-query-http
Requested revision: No specific revision (document currently at 11)
Type: Last Call Review
Team: Security Area Directorate (secdir)
Deadline: 2013-08-29
Requested: 2013-08-16
Authors: Dr. Nathaniel S. Borenstein, Murray Kucherawy
I-D last updated: 2013-08-22
Completed reviews:
  Genart Last Call review of -09 by Meral Shirazipour
  Genart Last Call review of -10 by Meral Shirazipour
  Secdir Last Call review of -09 by Shawn M Emery
Assignment: Reviewer Shawn M Emery
State: Completed
Request: Last Call review on draft-ietf-repute-query-http by Security Area Directorate (Assigned)
Reviewed revision: 09 (document currently at 11)
Result: Has nits
Completed: 2013-08-22
I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the IESG.
These comments were written primarily for the benefit of the security
area directors. Document editors and WG chairs should treat these
comments just like any other last call comments.

This internet-draft describes a protocol for querying reputation data
via HTTP.  The first part of the protocol retrieves a template that will subsequently
be used as the basis for a URI, which in turn is used to retrieve the reputation
information.
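The two-step flow described above (fetch a template, expand it into the query URI) can be illustrated client-side. This is an added example, not code from the draft or its authors; it assumes the template variable names {scheme}, {service}, {application}, {subject} and {assertion} from the published protocol, uses a constructed template document, and adds a defensive check that the expanded URI stays on HTTPS and on the queried service, since a template fetched over an insecure channel could otherwise steer the client elsewhere.

```python
import re
from urllib.parse import quote, urlsplit

# Template variable names assumed from the published repute query spec;
# the review text itself does not list them.
TEMPLATE_VARS = {"scheme", "service", "application", "subject", "assertion"}

# Constructed template document: one candidate template per line, as a
# server might return from its well-known template URI.
TEMPLATE_BODY = (
    "http://{service}/{application}/{subject}/{assertion}\n"   # plain http
    "{scheme}://other.example/{application}/{subject}\n"       # off-host
    "{scheme}://{service}/{application}/{subject}/{assertion}\n"
)

def parse_templates(body):
    """Split the fetched template document into non-empty candidate lines."""
    return [line.strip() for line in body.splitlines() if line.strip()]

def expand_template(template, values):
    """Simple {var} expansion with percent-encoding of reserved characters,
    so a subject such as 'user@example.com' or 'a/b' cannot inject path or
    query structure into the resulting URI."""
    def repl(match):
        name = match.group(1)
        if name not in TEMPLATE_VARS or name not in values:
            raise ValueError("unusable template variable: " + name)
        if name in ("scheme", "service"):   # chosen by the client, not encoded
            return values[name]
        return quote(values[name], safe="")
    return re.sub(r"\{([^{}]+)\}", repl, template)

def query_uri_is_trusted(uri, service):
    """Reject expanded URIs that leave HTTPS or the service being queried."""
    parts = urlsplit(uri)
    return parts.scheme == "https" and parts.hostname == service.lower()

def build_query_uri(template_body, service, application, subject, assertion):
    """Try candidate templates in order and return the first trusted URI,
    or None when no template is acceptable."""
    values = {"scheme": "https", "service": service, "application": application,
              "subject": subject, "assertion": assertion}
    for template in parse_templates(template_body):
        try:
            uri = expand_template(template, values)
        except ValueError:
            continue
        if query_uri_is_trusted(uri, service):
            return uri
    return None
```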

The security considerations section does exist and acknowledges that the base
protocol for retrieving URIs is insecure as well as the retrieval of reputation
data.  The section refers to the URI template and well-known URI RFCs for further
discussions of template exchange security issues and makes an informative reference
to the repute considerations draft for the reputation retrieval.  However, none of the
referenced RFCs or the draft directly talks about the various attacks and how to mitigate
against said attacks.  I would suggest a direct reference if such a document exists.

General comments:

None.

Editorial comments:

s/comprise the/comprise of the/

s/explicitly support support/explicitly support/

s/until finds one/until the client finds one/

Shawn.
--