[secdir] Secdir last call review of draft-wilde-service-link-rel-06

Stefan Santesson <stefan@aaa-sec.com> Tue, 20 November 2018 10:42 UTC

Return-Path: <stefan@aaa-sec.com>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 00B68128CF2; Tue, 20 Nov 2018 02:42:13 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Stefan Santesson <stefan@aaa-sec.com>
To: <secdir@ietf.org>
Cc: draft-wilde-service-link-rel.all@ietf.org, ietf@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.88.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <154271053296.18399.13259125328255756754@ietfa.amsl.com>
Date: Tue, 20 Nov 2018 02:42:12 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/u-sHBHnGN8jkcBcHQcHfoff1lWA>
Subject: [secdir] Secdir last call review of draft-wilde-service-link-rel-06
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Nov 2018 10:42:13 -0000

Reviewer: Stefan Santesson
Review result: Has Issues

Even though this document is quite repetitive when describing its fundamental
concepts, I still had a problem figuring out whether the link relations defined
are applicable to any web resource, or just to "web services" in the context of
"service provided to another service".

I have no issues with the fundamental concept, but the document lacks security
considerations. The content of the section is "..." indicating that something
eventually is intended to go here, but has not yet been written. If there are
absolutely no security considerations, then the section should say so.

I do however think that there are some useful security considerations to
document. At least it may be useful to have a small discussion to consider what
information about a service that is helpful to a user, and which could be used
by an attacker, and find a good balance.

As a nit I would suggest shortening some of the fundamental description in the
early introduction that is being repeated in the document. The document is
rather short and therefore does not benefit from saying the same things many