Reviewer: Tero Kivinen Review result: Ready I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. This document describes the reverse search method for RDAP protocol. It does include implementation considerations, privacy considerations in addition security considerations, which do list number of issues that the implementations need to solve. Including limiting number of resources returned, protecting Personally Identifiable Information, and methods of doing authentication. It does require HTTPS because of the privacy concerns, but authentication and authorization is only SHOULD: In general, given the sensitivity of this functionality, it SHOULD be accessible to authorized users only, and for specific use cases only. This SHOULD does not list reason when it would be ok to provide this information without authorization. I would assume one such use case would be when there is no PII or sensitive information in the database... -- last-call mailing list last-call@xxxxxxxx https://www.ietf.org/mailman/listinfo/last-call
