[secdir] secdir review of draft-melnikov-imap-keywords-06
Samuel Weiler <weiler@watson.org> Mon, 09 November 2009 20:44 UTC
Date: Mon, 09 Nov 2009 15:44:39 -0500
From: Samuel Weiler <weiler@watson.org>
To: ietf@ietf.org
Message-ID: <alpine.BSF.2.00.0911091524400.76090@fledge.watson.org>
Cc: Alexey.Melnikov@isode.com, secdir@ietf.org
Subject: [secdir] secdir review of draft-melnikov-imap-keywords-06

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

From a security perspective, I have no issues with this document.

It creates a new registry and defines two sets of assignment metrics, one for "common use" keywords, and one for vendor-specific keywords. It also registers four keywords. (I'm wondering if it shouldn't be registering more.)

I'm finding the IANA assignment metrics to be a little more ambiguous than I'd like. Starting with the vendor-specific text:

   Registration of vendor specific IMAP keywords is done on First Come First Serve [RFC5226] basis and doesn't require the Expert Review. However such review is still encouraged. Should the review be requested, ...

Who requests the review? The registrant or IANA? Does IANA need to encourage the review?

Perhaps it would be better to have all requests (including vendor-specific) be sent to the mailing list, with IANA assignment of the vendor-specific ones being automatic following a (short) delay for comment and optional revision.

And for the common-use:

   Registration of an IMAP keyword intended for common use (whether or not they use the "$" prefix) requires Expert Review [RFC5226]. IESG appoints one or more Expert Reviewer, one of which is designated as the primary Expert Reviewer. IMAP keywords intended for common use SHOULD be standardized in IETF Consensus [RFC5226] documents. ... In cases when an IMAP Keyword being registered is already deployed, Expert Reviewers should favour registering it over requiring perfect documentation.

Would it be better to say: "requires either IETF Consensus or Expert Review"? (For example: do the registrations made in this doc have to go through Expert Review? Isn't it enough to have them in a consensus doc?)

And how do you expect the expert to encourage/enforce the SHOULD, given the "favour registering it over requiring perfect documentation" guideline?

Again, the current text isn't as clear as I'd like.

-- Sam