Re: [Last-Call] Secdir last call review of draft-iab-rfcefdp-rfced-model-11

Hi Russ, thanks for your review. Comments inline.

On 2/23/22 3:51 PM, Russ Mundy via Datatracker wrote:
Reviewer: Russ Mundy
Review result: Ready

Reviewer: Russ Mundy
Review result: Ready with nits

I have (re)reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the IESG.
These comments were written primarily for the benefit of the security area
directors.  Document editors and WG chairs should treat these comments just
like any other last call comments.

The summary of the review is: Ready with nits

The document is well written, understandable and provides a sound definition of a
new version of the RFC Editor Model.

The only nits that I identified in the document are in the Security
Considerations section where the wording infers that "the RFC Editor" is a
single entity (or person). I recognize that the wording in the section came
mostly from earlier RFC Editor Model versions but since this Model Version
clearly states that the activities are performed by a collection of multiple
entities, the wording of section 10 seems inconsistent with other parts of the
document.

Good catch. We copied the Security Considerations from RFC 6635/8728 and didn't properly update it to reflect version 3 of the model.

Without trying to make this section unduly long or complex, I suggest making
something like the following changes to section 10:

First paragraph, third sentence current wording:

"Since the RFC Editor maintains the index of publications, sufficient security
must be in place to ...."

Suggest changing to:

"Since multiple entities described in this document participate in maintenance
of the index of publications, sufficient security must be in place and followed
by each entity to ..."

Something like that would make sense, although we might want to mention the RFC Production Center because Section 4.3 specifies that they have responsibility for publication, archiving, etc.

Second paragraph current wording:

"The IETF LLC should take ..."

Suggest changing to:

"The IETF LLC or any other contracting activity(s), e.g., subcontracts, should
take ..."

That seems reasonable.

Again, thanks for the excellent quality draft - hopefully, the suggested
changes make section 10 clearer.

They do, thanks!

Peter

--
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call


