> Please see attached review.

I'll counter-complain (see below) that you're the only GenART reviewer who sends reviews as attachments, and I find it a PitA.

> The draft was updated during Last Call, which I thought was not normal
> practice. This review is of the updated draft, not the one that was Last
> Called.

I asked the authors to post it, so reviewers would be seeing the latest version. Now that we have the datatracker, this really should not be a problem, and as a reviewer I appreciate not reviewing a version with issues that others have already caught.

> There is no explicit discussion of privacy in the draft, which seems to
> me to carry evident privacy risks. For example, imagine an ISP that
> kindly decides to support webfinger for all customers by default,
> and preloads personally identifiable information without consent.

There's quite a bit of discussion in the Security Considerations of personal information, revealing a user's current context, and so on.

> There is some relevant text in the Security Considerations:

Indeed.

> However, the weakness there is the words "or implicitly". IANAL, but it
> seems highly likely that would be illegal in the European Union, at least.

And we are not lawyers either, and deployers in the EU will need to be well aware of EU laws. We shouldn't be telling them about those here.

> Has the draft been validated against the guidelines in
> draft-iab-privacy-considerations?

That'd be the document that's not even in the RFC Editor queue yet? I don't know whether the authors have read that document; perhaps they can say. I did ask the authors to alert Alissa to this document, and to explicitly ask her to review it.

Barry

_______________________________________________
Gen-art mailing list
https://www.ietf.org/mailman/listinfo/gen-art
