Hi Joel,

thanks so much for your review. Please find my comments inline.

On 16/08/2020 00:50, Joel Jaeggli via Datatracker wrote:
> Reviewer: Joel Jaeggli
> Review result: Ready
>
> I have reviewed this document on behalf of the operations directorate. This document appears ready.
>
> I would observe that the document describes fairly wide latitude with respect to what a server could do with this facility, yet it's largely posed as a facility for the client to reduce the data returned to it. A client that is authorized asking for less data than it is authorized for poses no real challenges; however, if, as the document described, one uses authorization level to determine what to include in the partial response, the implementations need to be careful about how they implement such a control to prevent information leakage (what fields are omitted could tell you significant things about your authorization level, for example). These server implementation considerations seem outside the scope of this document, and client requests for limited fields in a result don't have this property.
The mapping between the content returned and the available field sets for the given user profiles should be transparently described in out-of-band documents (e.g. RDAP profiles).
I think the main issue for a server is to return the right information according to the user grants but this doesn't depend on whether the server implements partial response or not.
What is achieved through this feature is that servers can implement a more flexible strategy than always returning the full response, even if the full response is tailored to the requestor.
As you rightly stated in your review, some operational aspects (e.g. the fields contained in the "brief" response) have been purposefully left undefined because the WG considered they should be profile dependent.
Anyway, a non-exhaustive list of possible partial response implementations is described in the "Security Considerations" section.
Hope my response could contribute to shed more light on this document.

Best,
Mario
_______________________________________________
regext mailing list
regext@xxxxxxxx
https://www.ietf.org/mailman/listinfo/regext

--
Dr. Mario Loffredo
Systems and Technological Development Unit
Institute of Informatics and Telematics (IIT)
National Research Council (CNR)
via G. Moruzzi 1, I-56124 PISA, Italy
Phone: +39.0503153497
Mobile: +39.3462122240
Web: http://www.iit.cnr.it/mario.loffredo

--
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call