Last Call Review of draft-ietf-uta-email-deep-09

Request Review of draft-ietf-uta-email-deep
Requested rev. no specific revision (document currently at 12)
Type Last Call Review
Team Ops Directorate (opsdir)
Deadline 2017-10-13
Requested 2017-09-29
Authors Keith Moore, Chris Newman
Draft last updated 2017-10-16
Completed reviews Genart Last Call review of -09 by Roni Even (diff)
Opsdir Last Call review of -09 by Carlos Pignataro (diff)
Assignment Reviewer Carlos Pignataro
State Completed
Review review-ietf-uta-email-deep-09-opsdir-lc-pignataro-2017-10-16
Reviewed rev. 09 (document currently at 12)
Review result Has Nits
Review completed: 2017-10-16


I have reviewed this document as part of the Operational directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written with the intent of improving the operational aspects of the IETF drafts. Comments that are not addressed in last call may be included in AD reviews during the IESG review.  Document editors and WG chairs should treat these comments just like any other last call comments. 

Please find some review comments for your consideration, which I hope you find useful and clear.

Ready with Nits (or Minor Issues)

In general, this document seems to adequately cover the Operational areas listed in Appendix A of RFC 5706. Deployment, coexistence, migration, and defaults covered. One area that perhaps deserves more explicit mention of fault and error condition reporting and notification. Attributes such as indications to a user are useful tools in the context of this operational review.

Minor Issues and Nits:

I was fairly confused, which could be just an issue on my end, about the use of  lower and uppercase derivations of the word "recommend". For example, is this in the Intro non-normative? "In brief, this memo now recommends that:".
There is a total of 17 instances of "recommend" and two of "RECOMMEND". 

Idnits complains about:

   The specific means employed for deprecation of cleartext Mail Access
   Services and Mail Submission Services MAY vary from one MSP to the
   next in light of their user communities' needs and constraints. 

Does this MAY denote a requirement, or a statement of fact?

   Also, users previously authenticating with passwords sent as
   cleartext SHOULD be required to change those passwords when migrating
   to TLS, since the old passwords were likely to have been compromised.

How does the editor quantify the likelihood or otherwise extrapolates on passwords being compromised?

   All DNS records advertised by an MSP as a means of aiding clients in
   communicating with the MSP's servers, SHOULD be signed using DNSSEC.

As struggle a bit with finding this recommendation within scope, as set up in the Abstract of the document.

   o  MUAs SHOULD be configurable to require a minimum level of
      confidentiality for any particular Mail Account, and refuse to
      exchange information via any service associated with that Mail
      Account if the session does not provide that minimum level of
      confidentiality.  (See Section 5.2.)

Can this refusal to exchange information cause a user-experience black-hole? In other words, are there requirements for UI and logging of error conditions here?

   o  MUAs SHOULD provide a prominent visual indication of the level of
      confidentiality associated with an account configuration (for
      example, indications such as "lock" icons or changed background
      colors similar to those used by some browsers), at appropriate
      times and locations in order to inform the user of the
      confidentiality of the communications associated with that

Why are "visual" indications only required? And why color-based indication levels are exemplified only? These do not seem friendly to color-blind people, and not useful for visually impaired users, or interfaces that prioritize other channels. I'd generalize this, and exemplify with icons or colors or...

I hope you find these useful. 

Thank you,

-- Carlos Pignataro.