Hi James, thank you for clarification. I presume all these things are clear for those who are familiar with EPP, and probably most of potential readers of this document fall into this category, but if you can add short explanation for the others it would be great. Regards, Valery Smyslov. > Thank you for the review and feedback. I can understand the confusion if you're not familiar with the EPP > protocol. I attempt to clarify things below. > > The info command and the poll command are different commands, but where the confusion lies is with the > response. A poll response can be any EPP response, since the information for a poll response is built into the > general EPP response with the <msgQ> element (section 2.6 of RFC 5730), so any EPP response "has a" > relationship with the poll queue information. A concrete EPP response, which in this case is an info response, > extends ("is a" relationship) the EPP general response, so a concrete EPP response can be used in the response > to an EPP command or an EPP poll command. In the case of the draft-ietf-regext-change-poll, it specifies the > use of the info response of other EPP objects (e.g., domain in RFC 5731, host in RFC 5732, or contact in RFC > 5733) with the Change Poll Extension that defines the server-side operation meta-data of what, when, who, > and why. A concrete example is the server adding a server status on a domain name, as defined in RFC 5731, > where it can insert an EPP poll message in the form of a domain info response that includes the added server > status, with the poll message <msgQ> element populated, and with the Change Poll Extension added. The > responses of draft-ietf-regext-change-poll are associated with poll responses, where the concrete poll > responses used are info responses with the Change Poll extension. A client would request the poll message > using the EPP RFC 5730 poll command and would receive the poll message in the form of an info response, > with the poll queue information included, and with the Change Poll extension. > > I hope this helps. > > Thanks, > > — > > JG > > > > James Gould > Distinguished Engineer > jgould@xxxxxxxxxxxx > > 703-948-3271 > 12061 Bluemont Way > Reston, VA 20190 > > Verisign.com <http://verisigninc.com/> > > On 10/29/18, 9:36 AM, "Valery Smyslov" <valery@xxxxxxxxxxx> wrote: > > Reviewer: Valery Smyslov > Review result: Ready with Nits > > I have reviewed this document as part of the security directorate's > ongoing effort to review all IETF documents being processed by the > IESG. These comments were written primarily for the benefit of the > security area directors. Document editors and WG chairs should treat > these comments just like any other last call comments. > > This draft defines an extension for an Extensible Provisioning Protocol (EPP, RFC 5730) > that allows servers to notify clients about operations which were not > initiated by clients, but which modify state of client-sponsored objects. > > The extension is defined using standard EPP mechanism for adding extensions, > so Security Considerations from RFC 5730 are applied and no new ones are added. > Keeping long message queues consume server resources and can > potentially be a surface for DoS attack, however as far as I understand > unauthorized entities cannot cause server to perform actions resulted in > operations on other clients' objects, so it seems that it is not a security issue here. > Nevertheless adding a few words that it is not a security issue would be helpful. > > General comment not related to security. It seems to me that the protocol description > is inconsistent. The Introduction Section states, that this extension only extends > the response to the EPP <poll> command. However, Section 3 of this specification, > which describes the EPP Command Mapping, extends only the response > to the EPP <info> command with poll message, and the <poll> command is not mentioned > there at all. I'm not familiar with the EPP protocol, but I believe that <info> and <poll> > are different commands, so unless I've missed something, it seems that the protocol > description is inconsistent (or incomplete). Since it is not related to security, > I think the document is Ready (from security perspective), but this inconsistency > must either be fixed or some clarification be provided. > > >