Hi Yoav,

Thank you for the reminder to be specific in Security Considerations sections! This meshes well with Harald's comments. As mentioned in our response there, we added a brief Privacy Considerations section and expanded the Security Considerations section in https://github.com/core-wg/core-problem-details/pull/34 (editor's copy at https://core-wg.github.io/core-problem-details/privcons-seccons/draft-ietf-core-problem-details.html#name-privacy-considerations). We think that this should address your observations.

Regards, Carsten

> On 2022-06-14, at 22:36, Yoav Nir via Datatracker <noreply@xxxxxxxx> wrote:
>
> Reviewer: Yoav Nir
> Review result: Has Nits
>
> Greetings
>
> The document defines a CBOR-encoded problem details structure, similar to the
> JSON- or XML-encoded structure defined in RFC 7807. As such, the security
> considerations for it mostly mirror those of RFC 7807, and that is all that the
> Security Considerations section says. Following this reference, the Security
> Considerations section of 7807 urges caution when defining new problem types
> for fear of leaking sensitive information in the relevant fields of new types.
>
> There is, however, a difference between 7807 and this document. In 7807
> different problems are identified by "type". In this document, there is no
> explicit type. Instead, there are basic details that are defined, plus a
> registry of standard and custom extra attributes that can be defined. The
> security considerations section in 7807 is phrased in terms of new types.
> Security considerations text written specifically for this documentation would
> not mention new types (which don't exist), but new detail entries.
>
> Still, the message would be the same. When defining new detail entries, care
> should be taken that they do not leak sensitive information. Yet because of
> the difference, I believe that the text should be written specifically for this
> document, not just referenced from 7807.
>
>
> --
> last-call mailing list
> last-call@xxxxxxxx
> https://www.ietf.org/mailman/listinfo/last-call
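As an added example (not the draft's code, nor anything from this thread), one way a server can act on the point about new detail entries: keep an explicit allowlist of detail keys that may leave the server, redact everything else, and only then encode the map to CBOR. The standard key numbers (-1 title, -2 detail, -3 instance, -4 response-code) are quoted from memory of the published specification and should be checked against the document; the custom keys 7000/7001 and the sample problem are constructed for this example.

```python
from typing import Dict, Union

Value = Union[int, str]
# Standard Concise Problem Details keys (negative integers) as in the published
# spec, quoted from memory; custom keys are unsigned integers from the registry.
TITLE, DETAIL, INSTANCE, RESPONSE_CODE = -1, -2, -3, -4
# Constructed custom keys for this example (not registered values).
CUSTOM_RETRY_AFTER = 7000   # harmless: tells the client when to retry
CUSTOM_DEBUG_TRACE = 7001   # internal-only: would leak server internals
# Allowlist of keys that may leave the server. Registering a new detail entry
# forces an explicit decision about whether it belongs here.
RELEASABLE_KEYS = {TITLE, DETAIL, INSTANCE, RESPONSE_CODE, CUSTOM_RETRY_AFTER}

# Constructed sample: what an error handler knows internally.
INTERNAL_PROBLEM: Dict[int, Value] = {
    TITLE: "Not Found",
    DETAIL: "No sensor with that id",
    RESPONSE_CODE: 132,  # CoAP 4.04 encoded as (4 << 5) | 4
    CUSTOM_RETRY_AFTER: 30,
    CUSTOM_DEBUG_TRACE: "SensorRepo.find() repo.c:412 db=db-internal",
}

def redact(problem: Dict[int, Value]) -> Dict[int, Value]:
    """Keep only entries cleared for an external client."""
    return {k: v for k, v in problem.items() if k in RELEASABLE_KEYS}

def _head(major: int, n: int) -> bytes:
    """CBOR initial bytes for major type `major` with argument n < 2**16."""
    if n < 24:
        return bytes([(major << 5) | n])
    if n < 256:
        return bytes([(major << 5) | 24, n])
    return bytes([(major << 5) | 25]) + n.to_bytes(2, "big")

def _encode_int(n: int) -> bytes:
    return _head(0, n) if n >= 0 else _head(1, -1 - n)

def _encode_value(v: Value) -> bytes:
    if isinstance(v, int):
        return _encode_int(v)
    data = v.encode("utf-8")
    return _head(3, len(data)) + data

def encode(problem: Dict[int, Value]) -> bytes:
    """CBOR map, keys in bytewise order of their encoding (RFC 8949 deterministic)."""
    out = _head(5, len(problem))
    for k in sorted(problem, key=_encode_int):
        out += _encode_int(k) + _encode_value(problem[k])
    return out
```

Decode `encode(redact(INTERNAL_PROBLEM))` with any CBOR tool to confirm that only the four allowlisted entries are present.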