Roman Danyliw has entered the following ballot position for draft-ietf-regext-rdap-partial-response-13: No Objection
When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.)

Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions.

The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-regext-rdap-partial-response/

----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

** Section 2.1. Can a server return multiple entries in the availableFieldSets area with default=TRUE? Probably not. Should something be said to that effect?

** Section 4. Per 'Fields included in the "brief" and "full" field set responses MUST take into account the user's access and authorization levels', would there be circumstances where the "id" field set should also take into account the user's access and authorization level? Section 8 noted that "RDAP operators can vary the information returned in RDAP responses based on a client's access and authorization levels." My thinking is that if a given client's access level would result in particular fields being removed, then perhaps they shouldn't have been listed in the "id" field list to begin with.

** Section 8.

   A search query typically requires more server resources (such as memory, CPU cycles, and network bandwidth) when compared to a lookup query. This increases the risk of server resource exhaustion and subsequent denial of service due to abuse. This risk can be mitigated by supporting the return of partial responses combined with other strategies ...

I do not follow how partial responses provide denial of service mitigation when the attack is intentional. Wouldn't the attacker continue to request full queries given the choice between loading the server with a subset vs. full query? Or is this text saying that because of the use of partial responses the server would have more capacity and this would enable it to better resist a denial of service?

** Editorial:

-- Section 1. Editorial. s/fewer data/less data/
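The two Section 2.1 and Section 4 points above (at most one default entry in availableFieldSets; the authorization filter applied before any field set, including "id", is served) can be checked mechanically on the server side. The following is an added example, not code from the draft, the ballot, or any RDAP implementation; the JSON member names (subsetting_metadata, currentFieldSet, availableFieldSets, name, default) and the field-set names "id", "brief" and "full" follow the draft, while the field-set contents, the access levels and the sample domain object are constructed for illustration.

```python
"""Server-side consistency checks for an RDAP partial-response implementation.

Added example: not from the draft or the ballot. Field-set contents, access
levels and the sample object are constructed; JSON member names follow the
draft and should be treated as assumptions if the published text differs.
"""
from typing import Dict, List, Set

# Constructed catalogue: which RDAP object members each field set returns.
FIELD_SETS: Dict[str, Set[str]] = {
    "id": {"objectClassName", "handle"},
    "brief": {"objectClassName", "handle", "status", "events"},
    "full": {"objectClassName", "handle", "status", "events",
             "entities", "remarks", "port43"},
}

# Constructed authorization policy: members each access level may see.
VISIBLE_BY_LEVEL: Dict[str, Set[str]] = {
    "anonymous": {"objectClassName", "handle", "status"},
    "authenticated": set(FIELD_SETS["full"]),
}

# Constructed sample RDAP domain object with every member present.
SAMPLE_DOMAIN = {
    "objectClassName": "domain",
    "handle": "EXAMPLE-1",
    "status": ["active"],
    "events": [{"eventAction": "registration", "eventDate": "2020-01-01T00:00:00Z"}],
    "entities": [{"objectClassName": "entity", "handle": "REG-1"}],
    "remarks": [{"description": ["constructed sample"]}],
    "port43": "whois.example",
}


def build_subsetting_metadata(current: str, default: str = "id") -> dict:
    """Build the subsetting_metadata object advertising the available field sets."""
    return {
        "currentFieldSet": current,
        "availableFieldSets": [
            {"name": name,
             "description": f"returns {len(members)} members",
             "default": name == default}
            for name, members in FIELD_SETS.items()
        ],
    }


def validate_subsetting_metadata(meta: dict) -> List[str]:
    """Return a list of consistency problems; an empty list means the object is sound."""
    errors: List[str] = []
    sets = meta.get("availableFieldSets", [])
    names = [s.get("name") for s in sets]
    if len(names) != len(set(names)):
        errors.append("duplicate field set names in availableFieldSets")
    defaults = [s["name"] for s in sets if s.get("default") is True]
    if len(defaults) > 1:
        # The Section 2.1 point: only one field set can be the default.
        errors.append(f"more than one default field set: {defaults}")
    if meta.get("currentFieldSet") not in names:
        errors.append("currentFieldSet is not an advertised field set")
    return errors


def effective_members(field_set: str, access_level: str) -> Set[str]:
    """Members actually returned: the field set intersected with what the client may see.

    The intersection applies to every field set, "id" included, so a member the
    client is not authorized for is never promised by a field set and then dropped.
    """
    if field_set not in FIELD_SETS:
        raise ValueError(f"unknown fieldSet value: {field_set!r}")
    return FIELD_SETS[field_set] & VISIBLE_BY_LEVEL[access_level]


def apply_field_set(rdap_object: dict, field_set: str, access_level: str) -> dict:
    """Project an RDAP object onto the members the client is entitled to receive."""
    allowed = effective_members(field_set, access_level)
    return {k: v for k, v in rdap_object.items() if k in allowed}


if __name__ == "__main__":
    meta = build_subsetting_metadata("brief")
    print("metadata problems:", validate_subsetting_metadata(meta))
    for level in VISIBLE_BY_LEVEL:
        for fs in FIELD_SETS:
            print(level, fs, sorted(apply_field_set(SAMPLE_DOMAIN, fs, level)))
```

Running the module prints the members each (access level, field set) pair yields; the authorization filter is applied inside `effective_members`, so an anonymous client asking for "full" gets the same three members it is entitled to under any field set, which is the behaviour the Section 4 comment is asking the draft to pin down.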