[secdir] Secdir telechat review of draft-ietf-regext-epp-fees-18

Yoav Nir via Datatracker <noreply@ietf.org> Tue, 17 September 2019 20:36 UTC

From: Yoav Nir via Datatracker <noreply@ietf.org>
To: <secdir@ietf.org>
Cc: ietf@ietf.org, draft-ietf-regext-epp-fees.all@ietf.org, regext@ietf.org
Reply-To: Yoav Nir <ynir.ietf@gmail.com>
Message-ID: <156875259956.17440.16915883379549498946@ietfa.amsl.com>
Date: Tue, 17 Sep 2019 13:36:39 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/NyWI78IQoOYLkoR3REgYFiVr8R4>

Reviewer: Yoav Nir
Review result: Has Nits

The changes in revision -17 are fine.

I would still like to have it stated that financial information is not at risk
of leaking because the account information of a customer is only sent in
communications with that customer. The Security Considerations section already
says that encryption is used when transmitting financial information. That is
necessary but not sufficient. You also need to state that such information is
only sent to entities that should have access to that information.