[regext] Secdir last call review of draft-ietf-regext-rdap-reverse-search-23
Reviewer: Tero Kivinen Review result: Ready I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. This document describes the reverse search method for RDAP protocol. It does include implementation considerations, privacy considerations in addition security considerations, which do list number of issues that the implementations need to solve. Including limiting number of resources returned, protecting Personally Identifiable Information, and methods of doing authentication. It does require HTTPS because of the privacy concerns, but authentication and authorization is only SHOULD: In general, given the sensitivity of this functionality, it SHOULD be accessible to authorized users only, and for specific use cases only. This SHOULD does not list reason when it would be ok to provide this information without authorization. I would assume one such use case would be when there is no PII or sensitive information in the database... ___ regext mailing list regext@ietf.org https://www.ietf.org/mailman/listinfo/regext
Re: [regext] Proposed update to draft-ietf-regext-epp-eai
Dear Arnt, On Sun, 6 Aug 2023, 13:39 Arnt Gulbrandsen, wrote: > Thursday, 3 August 2023 20:14:41 CEST writes: > > On Thu, Aug 3, 2023 at 1:23 PM Gould, James wrote: > >> > >> So, rollback to draft-ietf-regext-epp-eai-17 with the concept > >> of a transition period removed and inclusion of "at least one > >> of the email values MUST be an ASCII address"? > > > > Doesn't that put us back to requiring two email addresses to support EAI? > > > > I was thinking that "if more than one email value is provided, one > > MUST be an ASCII address". Therefore the options are: > > 1) provide an ASCII email address. > > 2) provide an SMTPUTF8 email address. > > 3) provide both > > There is, of course, the possibility of a hack... "At least one of the > contact addresses MUST be an ASCII address. This restriction may be lifted > in a future revision of this document." > > > The draft will still need text such as provided by Arnt to justify > option 2. > > > > And I agree with removing the transition period. > > I'll be happy to provide suitable text. Massaging what I wrote to fit the > context. > It would be great, many thanks in advance! ___ regext mailing list regext@ietf.org https://www.ietf.org/mailman/listinfo/regext
