Hi Sarah,

On Tue, Apr 28, 2020 at 10:41:39AM -0700, Sarah Banks via Datatracker wrote:
> Reviewer: Sarah Banks
> Review result: Has Issues
>
> Hello,
> I too share the concerns the GENART reviewer does. In addition, a few
> things:
>
> 1. As a personal nit, I'm slightly annoyed as a reader that the draft defines
> the registries, but another doc has the default values. Just an FYI, and I
> realize this is a style choice.

I think it's important to note that the initial registry contents are to list a non-IETF organization as the change controller. To me, it seems more appropriate to have that organization produce a document to effectuate the registrations they desire, rather than having the IETF publish a document that tries to allocate things on their behalf.

> 2. In section 2.1, it states: "Each attestation
> statement format identifier added to this registry MUST be unique amongst the
> set of registered attestation statement format identifiers.", and that they are
> case sensitive. Did you really intend to allow a conceptual overload where a
> string of "string" and "STRING" would be allowed?

Yes. See also the note about "may not match [...] in a case-insensitive manner unless the DEs determine that there is a compelling reason to allow an exception".

> 3. In a few spots it's
> written (see 2.2.2 for example): "As noted in Section 2.2.1, WebAuthn
> extension identifiers are registered using the Specification Required policy,
> implying review and approval by a designated expert.". Implied doesn't seem to
> be normative. Given the follow on text here, did you explicitly NOT want to make
> this a normative requirement?

It is normative, though -- we use the RFC 8126 policy of "Specification Required", which by definition includes expert review. Do you have an alternate phrasing than "implying" to use for this situation?

Thanks for the review,

Ben