[Last-Call] Secdir last call review of draft-ietf-regext-rdap-reverse-search-23

Reviewer: Tero Kivinen
Review result: Ready

I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG.  These
comments were written primarily for the benefit of the security area
directors.  Document editors and WG chairs should treat these comments just
like any other last call comments.

This document describes the reverse search method for the RDAP protocol. It
does include implementation considerations and privacy considerations in
addition to security considerations, which list a number of issues that the
implementations need to solve, including limiting the number of resources
returned, protecting Personally Identifiable Information, and methods of doing
authentication.

It does require HTTPS because of the privacy concerns, but authentication and
authorization are only SHOULD:

   In general, given the sensitivity of this functionality, it SHOULD be
   accessible to authorized users only, and for specific use cases only.

This SHOULD does not list the reasons when it would be OK to provide this
information without authorization. I would assume one such use case
would be when there is no PII or sensitive information in the database...



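The three implementation points the review lists (HTTPS only, reverse search restricted to authorized users and specific use cases, and a cap on the number of objects returned) can be seen together in a small server-side gate. The following is an added example written for this page; it is not code from the draft, from the reviewer, or from any RDAP implementation. The request shape, the role names `reverse-search` and `pii`, the allowed purposes, the result cap and the sample registry entries are all constructed assumptions.

```python
"""Defensive gate for an RDAP reverse-search endpoint (illustrative example).

Checks, in order: the request arrived over HTTPS, the caller is authenticated,
the caller holds a reverse-search role and declares an allowed use case, and
the response is capped at MAX_RESULTS objects with PII fields redacted unless
the caller also holds the (constructed) "pii" role.
"""
from dataclasses import dataclass, field
from typing import Optional, Set

MAX_RESULTS = 2                                   # constructed response cap
PII_FIELDS = {"email", "phone"}                   # constructed list of PII keys
ALLOWED_PURPOSES = {"abuse-mitigation", "law-enforcement"}  # constructed

# Constructed sample registry data, keyed by entity handle.
ENTITIES = {
    "E1": {"handle": "E1", "fn": "Example Org", "email": "admin@example.org",
           "phone": "+1-555-0100"},
    "E2": {"handle": "E2", "fn": "Example Org", "email": "ops@example.org"},
    "E3": {"handle": "E3", "fn": "Example Org", "email": "abuse@example.org"},
    "E4": {"handle": "E4", "fn": "Other Org", "email": "x@example.net"},
}


@dataclass
class Request:
    """Minimal model of an incoming reverse-search request (constructed)."""
    scheme: str                                   # "https" or "http"
    user: Optional[str]                           # authenticated principal or None
    roles: Set[str] = field(default_factory=set)  # e.g. {"reverse-search", "pii"}
    purpose: str = ""                             # declared use case
    search_key: str = ""                          # entity property to match on
    search_value: str = ""                        # value to match


def reverse_search(req: Request) -> dict:
    """Return a response dict with a 'status' key plus either an error title
    or the (capped, possibly redacted) 'entitySearchResults'."""
    if req.scheme != "https":
        return {"status": 400, "title": "HTTPS required"}
    if req.user is None:
        return {"status": 401, "title": "authentication required"}
    if "reverse-search" not in req.roles or req.purpose not in ALLOWED_PURPOSES:
        return {"status": 403, "title": "not authorized for reverse search"}

    matches = [e for e in ENTITIES.values()
               if e.get(req.search_key) == req.search_value]
    truncated = len(matches) > MAX_RESULTS

    results = []
    for entity in matches[:MAX_RESULTS]:
        if "pii" in req.roles:
            results.append(dict(entity))
        else:
            # Redact PII for callers without the pii role.
            results.append({k: v for k, v in entity.items()
                            if k not in PII_FIELDS})

    resp = {"status": 200, "entitySearchResults": results}
    if truncated:
        # Tell the client the result set was limited (constructed notice text).
        resp["notices"] = [{"title": "Search Policy",
                            "description": [f"results limited to {MAX_RESULTS} objects"]}]
    return resp


if __name__ == "__main__":
    ok = Request("https", "alice", {"reverse-search"}, "abuse-mitigation",
                 "fn", "Example Org")
    print(reverse_search(ok))
    print(reverse_search(Request("https", None)))
```

The ordering of the checks matters: transport and authentication are rejected before any lookup happens, so an unauthenticated caller learns nothing about whether a match exists, and the cap is applied after redaction so that a truncation notice never leaks the count of hidden records beyond the fact that more exist.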