[Last-Call] Secdir last call review of draft-ietf-stir-servprovider-oob-05

Reviewer: Ned Smith
Review result: Has Nits

- grammar: "A CPS can use this mechanism
   s/can authorize/authorizes/ service providers who already hold STIR
   credentials to submit PASSporTs to a CPS,"

- grammar: "(or an entity
   s/contractual/contractually/ acting on their behalf)"

- "If anyone with a STIR
   certificate is able to publish or access PASSporTs for any telephone
   number, this would create an intolerable security and privacy
   vulnerability."
        Comment: The authors should elaborate on the security vulnerability as
        the STIR certificate is presumed to have the same security threats as
        any traditional certificate. If PASSporTs contain security-sensitive
        values that are not protected, the conditions where these secret values
        could be revealed should be better highlighted. For example, does the
        author imply RFC8225 has security vulnerabilities?

- Comment: There are several uses of "the STIR out-of-band framework [RFC8816]"
while others merely reference "[RFC8816]". Is it sufficient to simply use
"STIR" when referring to the framework? The first use of "the STIR out-of-band
framework [RFC8816]" seems sufficient to give the reader the reference to
RFC8816.



-- 
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call


