[Last-Call] Opsdir last call review of draft-hodges-webauthn-registries-05

Sarah Banks via Datatracker <noreply@ietf.org> Tue, 28 April 2020 17:41 UTC

MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Sarah Banks via Datatracker <noreply@ietf.org>
To: ops-dir@ietf.org
Cc: last-call@ietf.org, draft-hodges-webauthn-registries.all@ietf.org
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <158809569895.24036.8131068505152887145@ietfa.amsl.com>
Reply-To: Sarah Banks <sbanks@encrypted.net>
Date: Tue, 28 Apr 2020 10:41:39 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/last-call/YYMlKTL1sWKQwLhjJC5sl4p2Vuk>
Subject: [Last-Call] Opsdir last call review of draft-hodges-webauthn-registries-05

Reviewer: Sarah Banks
Review result: Has Issues

Hello,
     I too share the concerns the GENART reviewer does. In addition, a few
     things:

1. As a personal nit, I'm slightly annoyed as a reader that the draft defines
the registries, but another doc has the default values. Just ann FYI, and I
realize this is a style choice. 2. In section 2.1, it states: "Each attestation
statement format identifier added to this registry MUST be unique amongst the
set of registered attestation statement format identifiers.", and that they are
case sensitive. Did you really intend to allow a conceptual overload where a
string of "string" and "STRING" would be allowed? 3. In a few spots it's
written (see 2.2.2 for example): " As noted in Section 2.2.1, WebAuthn
extension identifiers are registered using the Specification Required policy,
implying review  and approval by a designated expert.". Implied doesn't seem to
be normative. Given the follow on text here, did you explictly NOT want to make
this a normative requirement?

Thanks,
Sarah

[Last-Call] Opsdir last call review of draft-hodg… Sarah Banks via Datatracker
Re: [Last-Call] Opsdir last call review of draft-… Benjamin Kaduk
Re: [Last-Call] Opsdir last call review of draft-… Mike Jones