Last Call Review of draft-klensin-idna-rfc5891bis-05
review-klensin-idna-rfc5891bis-05-secdir-lc-wouters-2019-09-02-00

Request Review of draft-klensin-idna-rfc5891bis
Requested revision No specific revision (document currently at 06)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2019-08-30
Requested 2019-08-02
Authors Dr. John C. Klensin , Asmus Freytag
I-D last updated 2019-09-02
Completed reviews Secdir Last Call review of -05 by Paul Wouters (diff)
Genart Last Call review of -04 by Vijay K. Gurbani (diff)
Assignment Reviewer Paul Wouters
State Completed
Request Last Call review on draft-klensin-idna-rfc5891bis by Security Area Directorate Assigned
Posted at https://mailarchive.ietf.org/arch/msg/secdir/ZCydFPXyE2VxdFux2H28FIPaKgc
Reviewed revision 05 (document currently at 06)
Result Has nits
Completed 2019-09-02
review-klensin-idna-rfc5891bis-05-secdir-lc-wouters-2019-09-02-00
I have reviewed this document as part of the security directorate's  ongoing
effort to review all IETF documents being processed by the IESG.  These
comments were written primarily for the benefit of the security area directors.
 Document editors and WG chairs should treat  these comments just like any
other last call comments.

This document collects IDNA  information from Errata's, external information
such as ICANN, and some wisdom gathered since RFC 5891 was published and
presents this set of information for operations of domains to make their
domains more secure with respect to IDNA and its (ab)use.

The Security Section is a clear summary that states the operators should really
heed the advise of this document (and the documents references and updated)

Issue:

It seems the document asks for the IANA Consideration section to be removed.
Instead, it should keep the Section but use the text along the lines of  " This
document has no IANA actions.". This helps people who are looking through
various RFC's to find IANA considerations.

Minor issues:

I find the term "For-profit domain" very confusing as .pizza is a very much for
profit domain. Normally, the terms "Generic domain" and "Brand domain" although
I guess the latter is usually avoided in written text. While the term is
described to mean a Generic Domain, I think it would be better to use Generic
domain instead of For-profit domain.

  Registries choosing to make exceptions -- allow code points that
  recommendations such as the MSR do not allow -- should make such
  decisions only with great care and only if they have considerable
  understanding of, and great confidence in, their appropriateness.

This paragraph seems really to say "Registries SHOULD NOT make exceptions" and
seems a good place for some RFC 2119 wording.

I find the term "registry" in this document confusing, as it could refer to an
"IANA registry", "script registry" or  "domain registry". Perhaps always spell
this out to make the context clearer?  Or alternatively, perhaps introduce the
term Registry (with captial R)  and use that to refer to domain registries.

[ID.draft-klensin-idna-unicode-review] is in progress.  Its status
   should be checked in conjunction with application of the present
   specification.

I think this is meant as informational to the RFC Editor ? Perhaps these
documents should go out as a cluster?

Note I find some documents are references within [square brackets] but not all
of them, even some RFC's are in brackets and others are not. Please make this
consistent.

      The algorithm and rules of RFCs 5891 and 5892

missing xref's to the RFCs?

     registries SHOULD normally consult

Either use "SHOULD" or "normally", not both? It's a little odd.

   to fully satisfy the mandate set out above

Instead of mandate, which is a bit generic and confusing, why not refer to the
mentioned "IAB guidance", which I think it is referring to ?

    may provide useful guidance.

Remove the word "may"