> -----Original Message----- > From: Salz, Rich <rsalz@xxxxxxxxxx> > Sent: Monday, February 1, 2021 2:22 PM > To: secdir@xxxxxxxx > Cc: draft-ietf-regext-rfc7483bis.all@xxxxxxxx; last-call@xxxxxxxx; > regext@xxxxxxxx > Subject: [EXTERNAL] Re: [secdir] Secdir last call review of draft-ietf-regext- > rfc7483bis-04 > > Caution: This email originated from outside the organization. Do not click links > or open attachments unless you recognize the sender and know the content > is safe. > > Browser crashed. Here's the real review. > > I have reviewed this document as part of the security directorate's ongoing > effort to review all IETF documents being processed by the IESG. These > comments were written primarily for the benefit of the security area > directors. Document editors and WG chairs should treat these comments > just like any other last call comments. > > The summary of the review is ready with nits. > > I expected to see mention of HTTPS, as opposed to HTTP, in the protocol > definition. At a minimum > HTTPS MUST be used. > In the security considerations. > > I wonder if using "451" status is worthwhile? I can accept either answer. > > As this is a protocol transliteration, the references to other RFC's and security > considersations seem on-target. Thanks for the review, Rich. The security services for RDAP are described in RFC 7481, where it says, " HTTP over TLS MUST be used to protect all client-server exchanges unless operational constraints make it impossible to meet this requirement.". I intend to submit a request to move 7481 from Proposed Standard status to Standard status shortly to keep these in synch. Scott -- last-call mailing list last-call@xxxxxxxx https://www.ietf.org/mailman/listinfo/last-call
