[secdir] secdir review of draft-melnikov-imap-keywords-06

Samuel Weiler <weiler@watson.org> Mon, 09 November 2009 20:44 UTC

Return-Path: <weiler@watson.org>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B040D28C243; Mon, 9 Nov 2009 12:44:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.522
X-Spam-Level:
X-Spam-Status: No, score=-2.522 tagged_above=-999 required=5 tests=[AWL=0.077, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1cHQWtxZAmwL; Mon, 9 Nov 2009 12:44:15 -0800 (PST)
Received: from fledge.watson.org (fledge.watson.org [65.122.17.41]) by core3.amsl.com (Postfix) with ESMTP id D516928C23F; Mon, 9 Nov 2009 12:44:14 -0800 (PST)
Received: from fledge.watson.org (localhost.watson.org [127.0.0.1]) by fledge.watson.org (8.14.3/8.14.3) with ESMTP id nA9KieX3084890; Mon, 9 Nov 2009 15:44:40 -0500 (EST) (envelope-from weiler@watson.org)
Received: from localhost (weiler@localhost) by fledge.watson.org (8.14.3/8.14.3/Submit) with ESMTP id nA9KidXx084887; Mon, 9 Nov 2009 15:44:39 -0500 (EST) (envelope-from weiler@watson.org)
X-Authentication-Warning: fledge.watson.org: weiler owned process doing -bs
Date: Mon, 9 Nov 2009 15:44:39 -0500 (EST)
From: Samuel Weiler <weiler@watson.org>
To: ietf@ietf.org
Message-ID: <alpine.BSF.2.00.0911091524400.76090@fledge.watson.org>
User-Agent: Alpine 2.00 (BSF 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.0.1 (fledge.watson.org [127.0.0.1]); Mon, 09 Nov 2009 15:44:40 -0500 (EST)
Cc: Alexey.Melnikov@isode.com, secdir@ietf.org
Subject: [secdir] secdir review of draft-melnikov-imap-keywords-06
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Nov 2009 20:44:15 -0000

I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the 
IESG.  These comments were written primarily for the benefit of the 
security area directors.  Document editors and WG chairs should treat 
these comments just like any other last call comments.

>From a security perspective, I have no issues with this document. 
It creates a new registry and defines two sets of assignment metrics, 
one for "common use" keywords, and one for vendor-specific keywords.

It also registers four keywords.  (I'm wondering if it shouldn't be 
registering more.)


I'm finding the IANA assignment metrics to be a little more 
ambiguous that I'd like.

Starting with the vendor-specific text:

    Registration of vendor specific IMAP keywords is done on First Come
    First Serve [RFC5226] basis and doesn't require the Expert Review.
    However such review is still encouraged.  Should the review be
    requested, ...

Who requests the review?  The registrant or IANA?  Does IANA need to 
encourage the review?  Perhaps it would be better to have all requests 
(including vendor-specific) be sent to the mailing list, with IANA 
assignment of the vendor-specific ones being automatic following a 
(short) delay for comment and optional revision.

And for the common-use:

    Registration of an IMAP keyword intended for common use (whether or
    not they use the "$" prefix) requires Expert Review [RFC5226].  IESG
    appoints one or more Expert Reviewer, one of which is designated as
    the primary Expert Reviewer.  IMAP keywords intended for common use
    SHOULD be standardized in IETF Consensus [RFC5226] documents. ...
    In cases when an IMAP
    Keyword being registered is already deployed, Expert Reviewers
    should favour registering it over requiring perfect documentation.

Would it be better to say: "requires either IETF Consensus or Expert 
Review"?  (For example: do the registrations made in this doc have to 
go through Expert Review?  Isn't it enough to have them in a consensus 
doc?")  And how do you expect the expert to encourage/enforce the 
SHOULD, given the "favour registering it over requiring perfect 
documentation" guideline?  Again, the current text isn't as clear as 
I'd like.

-- Sam