Hi Peter,
Thank you for your review.
On 07/09/2021 08:00, Peter Yee via Datatracker wrote:
Reviewer: Peter Yee
Review result: Ready with Issues
I am the assigned Gen-ART reviewer for this draft. The General Area
Review Team (Gen-ART) reviews all IETF documents being processed
by the IESG for the IETF Chair. Please treat these comments just
like any other last call comments.
For more information, please see the FAQ at
<https://trac.ietf.org/trac/gen/wiki/GenArtfaq>.
Document: draft-ietf-jmap-smime-07
Reviewer: Peter Yee
Review Date: 2021-09-06
IETF LC End Date: 2021-09-06
IESG Telechat date: Not scheduled for a telechat
Summary: This document provides a JMAP extension that allows the JMAP server to
provide its thoughts on the verification of a messages S/MIME signature. While
the details of the extension seem fine, I'm not convinced that the rationale
for it and the consequences of trusting the server to perform the verification
are well described. [Ready with issues]
Major issues: None
Minor issues:
Page 2, section 1: There really ought to be a description of why a client would
want to do this and why it would trust the results. This is taking a decision
on something that is normally an end-to-end property of a message and
delegating its verification to a server. Is signature verification so onerous?
I think this depends on the goals. There is cost of writing/testing the
code, as well as the cost of bandwidth. For clients that try to minimize
bandwidth used to display a message, client side S/MIME signature
verification in the most generic case is very expensive, as it requires
downloading the whole message, even body parts that the user doesn't
necessarily care about. (JMAP's philosophy is to only download
information that is needed, which is much smaller than the whole message
content).
Page 4, smimeErrors, 3rd sentence: the error may also be in the certificate
chain.
Added, thanks.
Page 5 and 6 examples: Put an introduction before each example so the reader
knows that it is an example and what it intends to show.
Added.
Page 7, section 6: I think a stronger description of the implications of doing
server-side verification is merited. The document is written as though it is a
forgone conclusion that a client would want to do this without much explanation.
Fair enough. I think your exchange with Bron has some good suggestions.
Nits/editorial comments:
General:
The use of asterisks and underscores for emphasis or for offsetting various
items is not explained. The usage is also inconsistent. I note that RFC 8621
does some of this as well, but I think it would be preferable to abstain from
extravagant use of these characters unless their significance is explained.
Sometimes items are marked with asterisks, other times with quotation marks. I
find it all rather off-putting and could not find anything in the RFC Editor's
Style Guide indicating a standardized meaning for the characters.
I copied this from the original JMAP draft, but I agree that this should
be reviewed/rationalized.
Do not put a colon after the title of each example (e.g., "Example 1:")
I expected these to appear above the block. So I removed them now.
Specific:
Thank you, I addressed all of your nits.
Best Regards,
Alexey
--
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call
