[regext] Opsdir last call review of draft-ietf-regext-rdap-partial-response-13
Joel Jaeggli via Datatracker <noreply@ietf.org> Sat, 15 August 2020 22:50 UTC
From: Joel Jaeggli via Datatracker <noreply@ietf.org>
To: ops-dir@ietf.org
Cc: last-call@ietf.org, draft-ietf-regext-rdap-partial-response.all@ietf.org, regext@ietf.org
Reply-To: Joel Jaeggli <joelja@bogus.com>
Date: Sat, 15 Aug 2020 15:50:07 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/B2CgcunWJe-tZF9N6iIRXLiOjic>
Subject: [regext] Opsdir last call review of draft-ietf-regext-rdap-partial-response-13

Reviewer: Joel Jaeggli
Review result: Ready

I have reviewed this document on behalf of the operations directorate.

This document appears ready.

I would observe that the document describes fairly wide latitude with respect to what a server could do with this facility, yet it's largely posed as a facility for the client to reduce the data returned to it.

A client that is authorized asking for less data than it is authorized for poses no real challenges; however, if, as the document described, one uses authorization level to determine what to include in the partial response, the implementations need to be careful about how they implement such a control to prevent information leakage (what fields are omitted could tell you significant things about your authorization level, for example).

These server implementation considerations seem outside the scope of this document, and client requests for limited fields in a result don't have this property.