Roman Danyliw has entered the following ballot position for draft-ietf-regext-epp-registry-maintenance-17: No Objection
When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.)

Please refer to https://www.ietf.org/blog/handling-iesg-ballot-positions/ for more information about how to handle DISCUSS and COMMENT positions.

The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-regext-epp-registry-maintenance/

----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

Thank you to Melinda Shore for the SECDIR review.

** Section 7.
"If a client queries for a maintenance identifier, per Section 4.1.3.1 "Info Maintenance Item", that it is not authorized to access, the server MUST return an EPP error result code of 2201 [RFC5730]."

Should this be softened to give a server the flexibility to alternatively return a 2303 error ("Object does not exist") so the existence of maintenance updates would remain unknown to unauthorized users? If not, this (likely minor) risk of leaking the existence of maintenance windows should be noted.

** Section 7. These could be read as conflicting.

(a) Section 7. “a server MUST only provide maintenance information for clients that are authorized.”

(b) Later in Section 7. “The list of top-level domains or registry zones returned in the "Info Maintenance Item" response SHOULD be filtered based on the top-level domains or registry zones the client is authorized.”

(a) seems to say that a client must only get the information for which it is authorized, but (b) suggests that this filtering for those TLD/zones to restrict it only to authorized clients is only a should.
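The two Section 7 points above, sketched as an added example (not part of the ballot text or the draft): a toy "Info Maintenance Item" handler that filters TLDs per client and can answer unauthorized queries with either 2201 or 2303. The data, the function names, and the rule that a client may see a maintenance item only if it is authorized for at least one affected TLD are all assumptions made for illustration.

```python
from dataclasses import dataclass

# EPP result codes from RFC 5730
SUCCESS = 1000                # "Command completed successfully"
AUTHORIZATION_ERROR = 2201    # "Authorization error"
OBJECT_DOES_NOT_EXIST = 2303  # "Object does not exist"

@dataclass(frozen=True)
class Maintenance:
    maint_id: str
    tlds: tuple  # TLDs or registry zones affected by the maintenance

# Constructed sample data (hypothetical identifiers and clients).
MAINTENANCES = {
    "maint-0001": Maintenance("maint-0001", ("example", "test")),
    "maint-0002": Maintenance("maint-0002", ("invalid",)),
}
CLIENT_TLDS = {"ClientX": {"example"}, "ClientY": {"invalid"}}

def info_maintenance(client, maint_id, hide_existence):
    """Return (result_code, visible_tlds) for an Info Maintenance Item query.

    hide_existence=False: unauthorized queries get 2201, as the draft text requires.
    hide_existence=True:  unauthorized queries get 2303, the alternative raised
                          in the comment, indistinguishable from an unknown id.
    """
    item = MAINTENANCES.get(maint_id)
    if item is None:
        return OBJECT_DOES_NOT_EXIST, ()
    allowed = CLIENT_TLDS.get(client, set())
    # Point (b): filter the returned TLD list to what the client is authorized for.
    visible = tuple(t for t in item.tlds if t in allowed)
    if not visible:
        # Assumed rule: no authorized TLD means no access to the item at all.
        code = OBJECT_DOES_NOT_EXIST if hide_existence else AUTHORIZATION_ERROR
        return code, ()
    return SUCCESS, visible

def leaked_ids(client, candidate_ids, hide_existence):
    """Audit helper: ids whose existence is confirmed to a client that
    cannot read them, judging by the result code alone."""
    return [m for m in candidate_ids
            if info_maintenance(client, m, hide_existence)[0] == AUTHORIZATION_ERROR]
```

With 2201, the result code separates "exists but not yours" from "does not exist"; with 2303 for both, the audit helper returns an empty list.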