[secdir] Secdir last call review of draft-ietf-capport-api-07
Robert Sparks via Datatracker <noreply@ietf.org> Thu, 30 April 2020 15:00 UTC
From: Robert Sparks via Datatracker <noreply@ietf.org>
To: secdir@ietf.org
Cc: draft-ietf-capport-api.all@ietf.org, captive-portals@ietf.org, last-call@ietf.org
Reply-To: Robert Sparks <rjsparks@nostrum.com>
Date: Thu, 30 Apr 2020 08:00:14 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/84jkwXHbMyWwwAhLfrN66UFqwlQ>

Reviewer: Robert Sparks
Review result: Ready

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

This document is ready for publication as Proposed Standard RFC.

The document defines an HTTP JSON-based API for clients to use with a captive portal API server. Discovery of the API server URL is defined in other capport documents. Connection to the server uses TLS. Server authentication SHOULD use OCSP stapling, and the network SHOULD permit connection to NTP servers (or other time-sync mechanisms).

The security considerations section calls out the potential risk of look-alike characters being used in the server domain name to mislead the user of the client of this API.