IETF Last Call Review of draft-ietf-scim-events-09
review-ietf-scim-events-09-dnsdir-lc-gieben-2025-09-18-00

Request Review of draft-ietf-scim-events
Requested revision No specific revision (document currently at 16)
Type IETF Last Call Review
Team DNS Directorate (dnsdir)
Deadline 2025-09-24
Requested 2025-09-10
Authors Phillip Hunt, Nancy Cam-Winget, Mike Kiser, Jen Schreiber
I-D last updated 2026-04-13 (Latest revision 2025-11-02)
Completed reviews Dnsdir IETF Last Call review of -09 by R. (Miek) Gieben (diff)
Genart IETF Last Call review of -10 by Elwyn B. Davies (diff)
Opsdir IETF Last Call review of -10 by Luigi Iannone (diff)
Artart IETF Last Call review of -09 by Shuping Peng (diff)
Assignment Reviewer R. (Miek) Gieben
State Completed
Request IETF Last Call review on draft-ietf-scim-events by DNS Directorate Assigned
Posted at https://mailarchive.ietf.org/arch/msg/dnsdir/i59V7ljO9D64XZksx7V8FV0P4lo
Reviewed revision 09 (document currently at 16)
Result Ready w/issues
Completed 2025-09-18
Hello,

I was asked to review 'draft-ietf-scim-events' for DNSDIR because Section 4
mentions DNS-ID and DANE.

The line in question says:

   The client MUST perform a TLS/SSL server certificate check using DNS-ID
   [RFC6125] and/or DANE [RFC6698].

Several questions pop into my head while reading this:

- What happens if the two methods disagree?
- If none of the methods works, the client should ... abort (I guess, it's not
spelled out in that paragraph?)
- Is this the only way to validate the server cert? What if there is some
off-line method, is that prohibited? Or any others?
- I'm slightly less familiar with DNS-ID, but for DANE you need to publish a
fairly precisely named record, what is that in this case? Maybe a similar
question can be asked for DNS-ID?
- At least DANE requires DNSSEC, does that make DNSSEC a requirement for scim?

These might all have good answers, but this one line in the draft makes it feel
a bit terse.

Kind regards,
Miek