Re: [secdir] Secdir last call review of draft-ietf-ecrit-location-profile-registry-policy-01

Hi Linda,

Thank you for reviewing the document.  After the discussion, do you 
still have any questions or do you feel there is any ambiguity that 
needs to be resolved?

--Randall

On 16 Mar 2021, at 9:34, Linda Dunbar via Datatracker wrote:

> Reviewer: Linda Dunbar
> Review result: Not Ready
>
> I have reviewed this document as part of the security directorate's 
> ongoing
> effort to review all IETF documents being processed by the IESG.  
> These
> comments were written primarily for the benefit of the security area 
> directors.
>  Document editors and WG chairs should treat these comments just like 
> any other
>   last call comments.
>
> This document doesn't seem to be complete. The document claims that it 
> changes
> the policy of the Location-to-Service Translation (LoST) Location 
> Profile
> registry from Standards Action to Specification Required, but it 
> doesn't
> specify what is the new procedure.  It says allowing other SDOs to 
> change or
> add values. But which SDOs are allowed? Are there any procedures to 
> identify
> which SDOs are legitimate? can any organizations, say XYZ, change, add 
> or
> delete the values?
>
> Best Regards,
> Linda Dunbar

On 16 Mar 2021, at 9:34, Linda Dunbar via Datatracker wrote:

> Reviewer: Linda Dunbar
> Review result: Not Ready
>
> I have reviewed this document as part of the security directorate's 
> ongoing
> effort to review all IETF documents being processed by the IESG.  
> These
> comments were written primarily for the benefit of the security area 
> directors.
>  Document editors and WG chairs should treat these comments just like 
> any other
>   last call comments.
>
> This document doesn't seem to be complete. The document claims that it 
> changes
> the policy of the Location-to-Service Translation (LoST) Location 
> Profile
> registry from Standards Action to Specification Required, but it 
> doesn't
> specify what is the new procedure.  It says allowing other SDOs to 
> change or
> add values. But which SDOs are allowed? Are there any procedures to 
> identify
> which SDOs are legitimate? can any organizations, say XYZ, change, add 
> or
> delete the values?
>
> Best Regards,
> Linda Dunbar
>
>
>
> _______________________________________________
> Ecrit mailing list
> Ecrit@ietf.org
> https://www.ietf.org/mailman/listinfo/ecrit

On 16 Mar 2021, at 9:34, Linda Dunbar via Datatracker wrote:

> Reviewer: Linda Dunbar
> Review result: Not Ready
>
> I have reviewed this document as part of the security directorate's 
> ongoing
> effort to review all IETF documents being processed by the IESG.  
> These
> comments were written primarily for the benefit of the security area 
> directors.
>  Document editors and WG chairs should treat these comments just like 
> any other
>   last call comments.
>
> This document doesn't seem to be complete. The document claims that it 
> changes
> the policy of the Location-to-Service Translation (LoST) Location 
> Profile
> registry from Standards Action to Specification Required, but it 
> doesn't
> specify what is the new procedure.  It says allowing other SDOs to 
> change or
> add values. But which SDOs are allowed? Are there any procedures to 
> identify
> which SDOs are legitimate? can any organizations, say XYZ, change, add 
> or
> delete the values?
>
> Best Regards,
> Linda Dunbar
>
>
>
> -- 
> last-call mailing list
> last-call@ietf.org
> https://www.ietf.org/mailman/listinfo/last-call

On 16 Mar 2021, at 9:45, Murray S. Kucherawy wrote:

> Hi Linda, thanks for your review.  Comments below.
>
> On Tue, Mar 16, 2021 at 9:34 AM Linda Dunbar via Datatracker <
> noreply@ietf.org> wrote:
>
>> This document doesn't seem to be complete. The document claims that 
>> it
>> changes
>> the policy of the Location-to-Service Translation (LoST) Location 
>> Profile
>> registry from Standards Action to Specification Required, but it 
>> doesn't
>> specify what is the new procedure.  It says allowing other SDOs to 
>> change
>> or
>> add values. But which SDOs are allowed? Are there any procedures to
>> identify
>> which SDOs are legitimate? can any organizations, say XYZ, change, 
>> add or
>> delete the values?
>>
>
> Specification Required is defined in RFC 8162.  The IESG will be 
> tasked
> with appointing a designated expert (DE) to review registration 
> requests
> against the published specification.  The DE will have discretion to
> determine whether an application should be accepted.  The document 
> contains
> no guidance about particular SDOs, so the DE is left to decide whether 
> to
> factor the source into the approval or rejection of the request.
>
> So any SDO can make a request to update the registry.  The DE makes 
> the
> call about "legitimate".
>
> -MSK

On 16 Mar 2021, at 9:45, Murray S. Kucherawy wrote:

> Hi Linda, thanks for your review.  Comments below.
>
> On Tue, Mar 16, 2021 at 9:34 AM Linda Dunbar via Datatracker <
> noreply@ietf.org> wrote:
>
>> This document doesn't seem to be complete. The document claims that 
>> it
>> changes
>> the policy of the Location-to-Service Translation (LoST) Location 
>> Profile
>> registry from Standards Action to Specification Required, but it 
>> doesn't
>> specify what is the new procedure.  It says allowing other SDOs to 
>> change
>> or
>> add values. But which SDOs are allowed? Are there any procedures to
>> identify
>> which SDOs are legitimate? can any organizations, say XYZ, change, 
>> add or
>> delete the values?
>>
>
> Specification Required is defined in RFC 8162.  The IESG will be 
> tasked
> with appointing a designated expert (DE) to review registration 
> requests
> against the published specification.  The DE will have discretion to
> determine whether an application should be accepted.  The document 
> contains
> no guidance about particular SDOs, so the DE is left to decide whether 
> to
> factor the source into the approval or rejection of the request.
>
> So any SDO can make a request to update the registry.  The DE makes 
> the
> call about "legitimate".
>
> -MSK

> _______________________________________________
> Ecrit mailing list
> Ecrit@ietf.org
> https://www.ietf.org/mailman/listinfo/ecrit

On 16 Mar 2021, at 9:45, Murray S. Kucherawy wrote:

> Hi Linda, thanks for your review.  Comments below.
>
> On Tue, Mar 16, 2021 at 9:34 AM Linda Dunbar via Datatracker <
> noreply@ietf.org> wrote:
>
>> This document doesn't seem to be complete. The document claims that 
>> it
>> changes
>> the policy of the Location-to-Service Translation (LoST) Location 
>> Profile
>> registry from Standards Action to Specification Required, but it 
>> doesn't
>> specify what is the new procedure.  It says allowing other SDOs to 
>> change
>> or
>> add values. But which SDOs are allowed? Are there any procedures to
>> identify
>> which SDOs are legitimate? can any organizations, say XYZ, change, 
>> add or
>> delete the values?
>>
>
> Specification Required is defined in RFC 8162.  The IESG will be 
> tasked
> with appointing a designated expert (DE) to review registration 
> requests
> against the published specification.  The DE will have discretion to
> determine whether an application should be accepted.  The document 
> contains
> no guidance about particular SDOs, so the DE is left to decide whether 
> to
> factor the source into the approval or rejection of the request.
>
> So any SDO can make a request to update the registry.  The DE makes 
> the
> call about "legitimate".
>
> -MSK

> -- 
> last-call mailing list
> last-call@ietf.org
> https://www.ietf.org/mailman/listinfo/last-call

On 16 Mar 2021, at 10:12, Linda Dunbar wrote:

> Murray,
>
> Then why need this document?
> Isn’t it already the practice that “The IESG will be tasked with 
> appointing a designated expert (DE) to review registration requests 
> against the published specification”?
>
> Linda
>
> From: Murray S. Kucherawy <superuser@gmail.com>
> Sent: Tuesday, March 16, 2021 11:46 AM
> To: Linda Dunbar <linda.dunbar@futurewei.com>
> Cc: secdir@ietf.org; 
> draft-ietf-ecrit-location-profile-registry-policy.all@ietf.org; 
> ecrit@ietf.org; last-call@ietf.org
> Subject: Re: Secdir last call review of 
> draft-ietf-ecrit-location-profile-registry-policy-01
>
> Hi Linda, thanks for your review.  Comments below.
>
> On Tue, Mar 16, 2021 at 9:34 AM Linda Dunbar via Datatracker 
> <noreply@ietf.org<mailto:noreply@ietf.org>> wrote:
> This document doesn't seem to be complete. The document claims that it 
> changes
> the policy of the Location-to-Service Translation (LoST) Location 
> Profile
> registry from Standards Action to Specification Required, but it 
> doesn't
> specify what is the new procedure.  It says allowing other SDOs to 
> change or
> add values. But which SDOs are allowed? Are there any procedures to 
> identify
> which SDOs are legitimate? can any organizations, say XYZ, change, add 
> or
> delete the values?
>
> Specification Required is defined in RFC 8162.  The IESG will be 
> tasked with appointing a designated expert (DE) to review registration 
> requests against the published specification.  The DE will have 
> discretion to determine whether an application should be accepted.  
> The document contains no guidance about particular SDOs, so the DE is 
> left to decide whether to factor the source into the approval or 
> rejection of the request.
>
> So any SDO can make a request to update the registry.  The DE makes 
> the call about "legitimate".
>
> -MSK

On 16 Mar 2021, at 10:12, Linda Dunbar wrote:

> Murray,
>
> Then why need this document?
> Isn’t it already the practice that “The IESG will be tasked with 
> appointing a designated expert (DE) to review registration requests 
> against the published specification”?
>
> Linda
>
> From: Murray S. Kucherawy <superuser@gmail.com>
> Sent: Tuesday, March 16, 2021 11:46 AM
> To: Linda Dunbar <linda.dunbar@futurewei.com>
> Cc: secdir@ietf.org; 
> draft-ietf-ecrit-location-profile-registry-policy.all@ietf.org; 
> ecrit@ietf.org; last-call@ietf.org
> Subject: Re: Secdir last call review of 
> draft-ietf-ecrit-location-profile-registry-policy-01
>
> Hi Linda, thanks for your review.  Comments below.
>
> On Tue, Mar 16, 2021 at 9:34 AM Linda Dunbar via Datatracker 
> <noreply@ietf.org<mailto:noreply@ietf.org>> wrote:
> This document doesn't seem to be complete. The document claims that it 
> changes
> the policy of the Location-to-Service Translation (LoST) Location 
> Profile
> registry from Standards Action to Specification Required, but it 
> doesn't
> specify what is the new procedure.  It says allowing other SDOs to 
> change or
> add values. But which SDOs are allowed? Are there any procedures to 
> identify
> which SDOs are legitimate? can any organizations, say XYZ, change, add 
> or
> delete the values?
>
> Specification Required is defined in RFC 8162.  The IESG will be 
> tasked with appointing a designated expert (DE) to review registration 
> requests against the published specification.  The DE will have 
> discretion to determine whether an application should be accepted.  
> The document contains no guidance about particular SDOs, so the DE is 
> left to decide whether to factor the source into the approval or 
> rejection of the request.
>
> So any SDO can make a request to update the registry.  The DE makes 
> the call about "legitimate".
>
> -MSK

> _______________________________________________
> Ecrit mailing list
> Ecrit@ietf.org
> https://www.ietf.org/mailman/listinfo/ecrit

On 16 Mar 2021, at 10:12, Linda Dunbar wrote:

> Murray,
>
> Then why need this document?
> Isn’t it already the practice that “The IESG will be tasked with 
> appointing a designated expert (DE) to review registration requests 
> against the published specification”?
>
> Linda
>
> From: Murray S. Kucherawy <superuser@gmail.com>
> Sent: Tuesday, March 16, 2021 11:46 AM
> To: Linda Dunbar <linda.dunbar@futurewei.com>
> Cc: secdir@ietf.org; 
> draft-ietf-ecrit-location-profile-registry-policy.all@ietf.org; 
> ecrit@ietf.org; last-call@ietf.org
> Subject: Re: Secdir last call review of 
> draft-ietf-ecrit-location-profile-registry-policy-01
>
> Hi Linda, thanks for your review.  Comments below.
>
> On Tue, Mar 16, 2021 at 9:34 AM Linda Dunbar via Datatracker 
> <noreply@ietf.org<mailto:noreply@ietf.org>> wrote:
> This document doesn't seem to be complete. The document claims that it 
> changes
> the policy of the Location-to-Service Translation (LoST) Location 
> Profile
> registry from Standards Action to Specification Required, but it 
> doesn't
> specify what is the new procedure.  It says allowing other SDOs to 
> change or
> add values. But which SDOs are allowed? Are there any procedures to 
> identify
> which SDOs are legitimate? can any organizations, say XYZ, change, add 
> or
> delete the values?
>
> Specification Required is defined in RFC 8162.  The IESG will be 
> tasked with appointing a designated expert (DE) to review registration 
> requests against the published specification.  The DE will have 
> discretion to determine whether an application should be accepted.  
> The document contains no guidance about particular SDOs, so the DE is 
> left to decide whether to factor the source into the approval or 
> rejection of the request.
>
> So any SDO can make a request to update the registry.  The DE makes 
> the call about "legitimate".
>
> -MSK

> -- 
> last-call mailing list
> last-call@ietf.org
> https://www.ietf.org/mailman/listinfo/last-call

On 16 Mar 2021, at 10:39, Benjamin Kaduk wrote:

> Hi Linda,
>
> The current registration procedure (visible at
> https://www.iana.org/assignments/lost-location-profiles/lost-location-profiles.xhtml)
> of Standards Action only requires a standards-track RFC to get an
> allocation; there is no designated expert involved in that procedure.
> RFC 8126 again remains a good reference for these registration 
> policies.
>
> Thanks,
>
> Ben
>
>
> On Tue, Mar 16, 2021 at 05:12:52PM +0000, Linda Dunbar wrote:
>> Murray,
>>
>> Then why need this document?
>> Isn’t it already the practice that “The IESG will be tasked with 
>> appointing a designated expert (DE) to review registration requests 
>> against the published specification”?
>>
>> Linda
>>
>> From: Murray S. Kucherawy <superuser@gmail.com>
>> Sent: Tuesday, March 16, 2021 11:46 AM
>> To: Linda Dunbar <linda.dunbar@futurewei.com>
>> Cc: secdir@ietf.org; 
>> draft-ietf-ecrit-location-profile-registry-policy.all@ietf.org; 
>> ecrit@ietf.org; last-call@ietf.org
>> Subject: Re: Secdir last call review of 
>> draft-ietf-ecrit-location-profile-registry-policy-01
>>
>> Hi Linda, thanks for your review.  Comments below.
>>
>> On Tue, Mar 16, 2021 at 9:34 AM Linda Dunbar via Datatracker 
>> <noreply@ietf.org<mailto:noreply@ietf.org>> wrote:
>> This document doesn't seem to be complete. The document claims that 
>> it changes
>> the policy of the Location-to-Service Translation (LoST) Location 
>> Profile
>> registry from Standards Action to Specification Required, but it 
>> doesn't
>> specify what is the new procedure.  It says allowing other SDOs to 
>> change or
>> add values. But which SDOs are allowed? Are there any procedures to 
>> identify
>> which SDOs are legitimate? can any organizations, say XYZ, change, 
>> add or
>> delete the values?
>>
>> Specification Required is defined in RFC 8162.  The IESG will be 
>> tasked with appointing a designated expert (DE) to review 
>> registration requests against the published specification.  The DE 
>> will have discretion to determine whether an application should be 
>> accepted.  The document contains no guidance about particular SDOs, 
>> so the DE is left to decide whether to factor the source into the 
>> approval or rejection of the request.
>>
>> So any SDO can make a request to update the registry.  The DE makes 
>> the call about "legitimate".
>>
>> -MSK
>
>> -- 
>> last-call mailing list
>> last-call@ietf.org
>> https://www.ietf.org/mailman/listinfo/last-call

On 16 Mar 2021, at 10:39, Benjamin Kaduk wrote:

> Hi Linda,
>
> The current registration procedure (visible at
> https://www.iana.org/assignments/lost-location-profiles/lost-location-profiles.xhtml)
> of Standards Action only requires a standards-track RFC to get an
> allocation; there is no designated expert involved in that procedure.
> RFC 8126 again remains a good reference for these registration 
> policies.
>
> Thanks,
>
> Ben
>
>
> On Tue, Mar 16, 2021 at 05:12:52PM +0000, Linda Dunbar wrote:
>> Murray,
>>
>> Then why need this document?
>> Isn’t it already the practice that “The IESG will be tasked with 
>> appointing a designated expert (DE) to review registration requests 
>> against the published specification”?
>>
>> Linda
>>
>> From: Murray S. Kucherawy <superuser@gmail.com>
>> Sent: Tuesday, March 16, 2021 11:46 AM
>> To: Linda Dunbar <linda.dunbar@futurewei.com>
>> Cc: secdir@ietf.org; 
>> draft-ietf-ecrit-location-profile-registry-policy.all@ietf.org; 
>> ecrit@ietf.org; last-call@ietf.org
>> Subject: Re: Secdir last call review of 
>> draft-ietf-ecrit-location-profile-registry-policy-01
>>
>> Hi Linda, thanks for your review.  Comments below.
>>
>> On Tue, Mar 16, 2021 at 9:34 AM Linda Dunbar via Datatracker 
>> <noreply@ietf.org<mailto:noreply@ietf.org>> wrote:
>> This document doesn't seem to be complete. The document claims that 
>> it changes
>> the policy of the Location-to-Service Translation (LoST) Location 
>> Profile
>> registry from Standards Action to Specification Required, but it 
>> doesn't
>> specify what is the new procedure.  It says allowing other SDOs to 
>> change or
>> add values. But which SDOs are allowed? Are there any procedures to 
>> identify
>> which SDOs are legitimate? can any organizations, say XYZ, change, 
>> add or
>> delete the values?
>>
>> Specification Required is defined in RFC 8162.  The IESG will be 
>> tasked with appointing a designated expert (DE) to review 
>> registration requests against the published specification.  The DE 
>> will have discretion to determine whether an application should be 
>> accepted.  The document contains no guidance about particular SDOs, 
>> so the DE is left to decide whether to factor the source into the 
>> approval or rejection of the request.
>>
>> So any SDO can make a request to update the registry.  The DE makes 
>> the call about "legitimate".
>>
>> -MSK
>
>> -- 
>> last-call mailing list
>> last-call@ietf.org
>> https://www.ietf.org/mailman/listinfo/last-call
>
> -- 
> last-call mailing list
> last-call@ietf.org
> https://www.ietf.org/mailman/listinfo/last-call

On 16 Mar 2021, at 10:40, Murray S. Kucherawy wrote:

> On Tue, Mar 16, 2021 at 10:12 AM Linda Dunbar 
> <linda.dunbar@futurewei.com>
> wrote:
>
>> Then why need this document?
>>
>> Isn’t it already the practice that “*The IESG will be tasked with
>> appointing a designated expert (DE) to review registration requests 
>> against
>> the published specification”? *
>>
>
> No, the current rules for that registry are specified by Standards 
> Action
> (Section 4.9 of RFC 8126), which requires a standards track RFC.  
> There's
> no designated expert in that model.  The working group wants to change 
> the
> policy to the less restrictive model that allows for specifications
> published outside of the IETF to qualify, subject to expert review.
>
> -MSK

On 16 Mar 2021, at 10:40, Murray S. Kucherawy wrote:

> On Tue, Mar 16, 2021 at 10:12 AM Linda Dunbar 
> <linda.dunbar@futurewei.com>
> wrote:
>
>> Then why need this document?
>>
>> Isn’t it already the practice that “*The IESG will be tasked with
>> appointing a designated expert (DE) to review registration requests 
>> against
>> the published specification”? *
>>
>
> No, the current rules for that registry are specified by Standards 
> Action
> (Section 4.9 of RFC 8126), which requires a standards track RFC.  
> There's
> no designated expert in that model.  The working group wants to change 
> the
> policy to the less restrictive model that allows for specifications
> published outside of the IETF to qualify, subject to expert review.
>
> -MSK

> _______________________________________________
> Ecrit mailing list
> Ecrit@ietf.org
> https://www.ietf.org/mailman/listinfo/ecrit

On 16 Mar 2021, at 10:40, Murray S. Kucherawy wrote:

> On Tue, Mar 16, 2021 at 10:12 AM Linda Dunbar 
> <linda.dunbar@futurewei.com>
> wrote:
>
>> Then why need this document?
>>
>> Isn’t it already the practice that “*The IESG will be tasked with
>> appointing a designated expert (DE) to review registration requests 
>> against
>> the published specification”? *
>>
>
> No, the current rules for that registry are specified by Standards 
> Action
> (Section 4.9 of RFC 8126), which requires a standards track RFC.  
> There's
> no designated expert in that model.  The working group wants to change 
> the
> policy to the less restrictive model that allows for specifications
> published outside of the IETF to qualify, subject to expert review.
>
> -MSK

> -- 
> last-call mailing list
> last-call@ietf.org
> https://www.ietf.org/mailman/listinfo/last-call

On 16 Mar 2021, at 14:01, Randall Gellens wrote:

> I just want to add that the document currently does contain some 
> guidance.  Section 4 (IANA Considerations) contains:
>
> The reviewer should verify that:
>    o  the proposed new value is specified by the IETF, NENA, or a
>       similar SDO in which location profiles are in scope;
>
> --Randall

On 16 Mar 2021, at 14:01, Randall Gellens wrote:

> I just want to add that the document currently does contain some 
> guidance.  Section 4 (IANA Considerations) contains:
>
> The reviewer should verify that:
>    o  the proposed new value is specified by the IETF, NENA, or a
>       similar SDO in which location profiles are in scope;
>
> --Randall

On 16 Mar 2021, at 14:01, Randall Gellens wrote:

> I just want to add that the document currently does contain some 
> guidance.  Section 4 (IANA Considerations) contains:
>
> The reviewer should verify that:
>    o  the proposed new value is specified by the IETF, NENA, or a
>       similar SDO in which location profiles are in scope;
>
> --Randall

On 16 Mar 2021, at 14:01, Randall Gellens wrote:

> I just want to add that the document currently does contain some 
> guidance.  Section 4 (IANA Considerations) contains:
>
> The reviewer should verify that:
>    o  the proposed new value is specified by the IETF, NENA, or a
>       similar SDO in which location profiles are in scope;
>
> --Randall
>
> _______________________________________________
> Ecrit mailing list
> Ecrit@ietf.org
> https://www.ietf.org/mailman/listinfo/ecrit

On 16 Mar 2021, at 14:01, Randall Gellens wrote:

> I just want to add that the document currently does contain some 
> guidance.  Section 4 (IANA Considerations) contains:
>
> The reviewer should verify that:
>    o  the proposed new value is specified by the IETF, NENA, or a
>       similar SDO in which location profiles are in scope;
>
> --Randall
>
> -- 
> last-call mailing list
> last-call@ietf.org
> https://www.ietf.org/mailman/listinfo/last-call