Last Call Review of draft-ietf-scim-cursor-pagination-02
review-ietf-scim-cursor-pagination-02-secdir-lc-leiba-2023-11-16-00

Request
Review of: draft-ietf-scim-cursor-pagination-02
Requested revision: 02 (document currently at 04)
Type: Last Call Review
Team: Security Area Directorate (secdir)
Deadline: 2023-12-08
Requested: 2023-11-09
Requested by: Nancy Cam-Winget
Authors: Danny Zollner, Anjali Sehgal
I-D last updated: 2023-11-16
Completed reviews:
  Genart Last Call review of -02 by Roni Even
  Secdir Last Call review of -02 by Barry Leiba
  Httpdir Early review of -00 by Julian Reschke
Comments:
We have received and addressed the working group last call comments and would like some of the relevant directorates to also chime in to this last call as we do the shepherd writeup as well.

Assignment
Reviewer: Barry Leiba
State: Completed
Request: Last Call review on draft-ietf-scim-cursor-pagination by Security Area Directorate Assigned
Posted at: https://mailarchive.ietf.org/arch/msg/secdir/EFKN-CggLeBBUPCL0aI2m8XRJd8
Reviewed revision: 02 (document currently at 04)
Result: Serious Issues
Completed: 2023-11-16
review-ietf-scim-cursor-pagination-02-secdir-lc-leiba-2023-11-16-00
Two fatal errors here:
This document lacks required Security Considerations and IANA Considerations
sections.  It can’t proceed without them, and I can’t review the document
properly from a security standpoint without the former.

Other comments:

In the Abstract and Introduction, a nit:
“is already well established” should not be hyphenated, as it’s not a modifier
(whereas “a well-established pagination pattern” is correctly hyphenated).

— Section 2 —

   The following table describes the URL pagination parameters requests
   for using cursor-based pagination:

I think the word “requests” is extra and should be removed (or perhaps “using”
should be replaced by “requesting”).

In the second table you say “Use of previousCursor is OPTIONAL.”  That seems to
say that using it in a subsequent request is optional, which is already said in
the previous sentence.  I think this one should say, “Returning previousCursor
is OPTIONAL.”

— Section 2.3 —
This seems to make this not backward compatible: a client that doesn’t support
this won’t know what to do with the nextCursor parameter and will likely not
work correctly.  Is it not worth making that clear in the text?