Reviewer: Tero Kivinen Review result: Has Issues I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. This document specifies how the zone identifiers should be used in textual format, but leaves the use in web browsers out of scope. There is another (now expired) document that explains how to use zone identifiers in uri context. I think the term used: Because of this, the recommendations and normative statements in this document do not apply to web browsers. is misleading as lots of configuration happens in the web browsers, but not in the context of uri. I.e., I would assume this document to apply when you configure a network switch over https, and enter zone identifiers in the web page form. Also this document uses IPv4 addresses which are not from the block reserved for examples. Security considerations do list typical issues but one of the issues with zone identifiers is that the set of characters it can use is not defined, thus web-form, etc might have difficulties to remove unsafe characters. For example entering zone identifiers of "fe80::1%`echo string > /etc/config`" might allow users to cause unauthorized changes to the system without proper authentication. On the other hand just automatically limiting zone identifiers to ascii letters and numbers does not work, as they may contain some special characters like "." or "-". -- last-call mailing list -- last-call@xxxxxxxx To unsubscribe send an email to last-call-leave@xxxxxxxx
