[secdir] Secdir last call review of draft-klensin-idna-rfc5891bis-05

Paul Wouters via Datatracker <noreply@ietf.org> Tue, 03 September 2019 02:58 UTC

Return-Path: <noreply@ietf.org>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 3046C1200CC; Mon, 2 Sep 2019 19:58:49 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Paul Wouters via Datatracker <noreply@ietf.org>
To: <secdir@ietf.org>
Cc: draft-klensin-idna-rfc5891bis.all@ietf.org, ietf@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.100.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Paul Wouters <paul@nohats.ca>
Message-ID: <156747952912.12965.18139183538869398923@ietfa.amsl.com>
Date: Mon, 02 Sep 2019 19:58:49 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/ZCydFPXyE2VxdFux2H28FIPaKgc>
Subject: [secdir] Secdir last call review of draft-klensin-idna-rfc5891bis-05
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Sep 2019 02:58:50 -0000

Reviewer: Paul Wouters
Review result: Has Nits

I have reviewed this document as part of the security directorate's  ongoing
effort to review all IETF documents being processed by the IESG.  These
comments were written primarily for the benefit of the security area directors.
 Document editors and WG chairs should treat  these comments just like any
other last call comments.

This document collects IDNA  information from Errata's, external information
such as ICANN, and some wisdom gathered since RFC 5891 was published and
presents this set of information for operations of domains to make their
domains more secure with respect to IDNA and its (ab)use.

The Security Section is a clear summary that states the operators should really
heed the advise of this document (and the documents references and updated)

Issue:

It seems the document asks for the IANA Consideration section to be removed.
Instead, it should keep the Section but use the text along the lines of  " This
document has no IANA actions.". This helps people who are looking through
various RFC's to find IANA considerations.

Minor issues:

I find the term "For-profit domain" very confusing as .pizza is a very much for
profit domain. Normally, the terms "Generic domain" and "Brand domain" although
I guess the latter is usually avoided in written text. While the term is
described to mean a Generic Domain, I think it would be better to use Generic
domain instead of For-profit domain.

  Registries choosing to make exceptions -- allow code points that
  recommendations such as the MSR do not allow -- should make such
  decisions only with great care and only if they have considerable
  understanding of, and great confidence in, their appropriateness.

This paragraph seems really to say "Registries SHOULD NOT make exceptions" and
seems a good place for some RFC 2119 wording.

I find the term "registry" in this document confusing, as it could refer to an
"IANA registry", "script registry" or  "domain registry". Perhaps always spell
this out to make the context clearer?  Or alternatively, perhaps introduce the
term Registry (with captial R)  and use that to refer to domain registries.

[ID.draft-klensin-idna-unicode-review] is in progress.  Its status
   should be checked in conjunction with application of the present
   specification.

I think this is meant as informational to the RFC Editor ? Perhaps these
documents should go out as a cluster?

Note I find some documents are references within [square brackets] but not all
of them, even some RFC's are in brackets and others are not. Please make this
consistent.

      The algorithm and rules of RFCs 5891 and 5892

missing xref's to the RFCs?

     registries SHOULD normally consult

Either use "SHOULD" or "normally", not both? It's a little odd.

   to fully satisfy the mandate set out above

Instead of mandate, which is a bit generic and confusing, why not refer to the
mentioned "IAB guidance", which I think it is referring to ?

    may provide useful guidance.

Remove the word "may"