Hi Melinda,

Thanks for the detailed review of the document.  We have made the suggested 
updates below and incorporated the changes into the document at 
https://github.com/seitsu/registry-epp-maintenance/blob/master/draft-ietf-regext-epp-registry-maintenance.txt
 with an added reference to RFC 5730 regarding security considerations.  

We will publish the document with additional changes after our AD requests 
publication.

Please let us know if anything else is needed.

Thanks,
Jody Kolker.

-----Original Message-----
From: Melinda Shore via Datatracker <nore...@ietf.org> 
Sent: Sunday, August 8, 2021 10:29 PM
To: sec...@ietf.org
Cc: draft-ietf-regext-epp-registry-maintenance....@ietf.org; 
last-c...@ietf.org; regext@ietf.org
Subject: Secdir last call review of 
draft-ietf-regext-epp-registry-maintenance-16


Reviewer: Melinda Shore
Review result: Has Issues

The security considerations section is scanty - transport security is not 
described at all, nor is the question of defense against a malicious actor 
spoofing a server.  It may be the case that there are, in fact, mitigations in 
common use but they are not spelled out in this draft nor in RFC 5730 (and I’ll 
be the first to admit that I may have missed something).  Because of this I do 
have reservations about progressing the document towards publication.

Section 3.3: Is it the case that if an element is not explicitly identified as 
optional, it’s mandatory?  If that’s the case you may want to mention that in 
the first paragraph of this section.

Nits:

There’s occasionally some unidiomatic English (for example, “The command 
mappings described here are specifically for the use to notify [ … ]” rather 
than, for example, “The command mappings described here are specifically used 
to notify [ … ]”, “The information on a [ … ]” rather than “The information 
about a [ … ]”, etc.).

Section 1, first paragraph:  It’s actually not very clear about what registries 
are informing registrars.  It may be clearer to start with something along the 
lines of “Registries usually inform registrars of maintenance activities in 
different ways.”


_______________________________________________
regext mailing list
regext@ietf.org
https://www.ietf.org/mailman/listinfo/regext
