Hi Qin,

> On 24 Nov 2021, at 14:07, Qin Wu <[email protected]> wrote:
>
> Hi, Klaas:
> -----Original Message-----
> From: Klaas Wierenga via Datatracker [mailto:[email protected]]
> Sent: 24 November 2021 17:24
> To: [email protected]
> Cc: [email protected]; [email protected];
> [email protected]
> Subject: Secdir last call review of draft-ietf-alto-cdni-request-routing-alto-17
>
> Reviewer: Klaas Wierenga
> Review result: Has Issues
>
> Hi,
>
> I found 1 nit and one more substantial issue
>
> - the abstract says:
>
> OLD
> RFC 8008 defines precisely the semantics of FCI and provides guidelines on
> the FCI protocol, but the exact protocol is specified.
>
> I think it should read
>
> NEW
> RFC 8008 defines precisely the semantics of FCI and provides guidelines on
> the FCI protocol, but the exact protocol is not specified.
>
> - A bigger problem I have is with the Security Considerations
>
> You state "In the context of CDNI Advertisement, additional security
> considerations should be included as follows:", you then list a set of
> concerns, and then write: "Although protection strategies as described in
> Section 15 of [RFC7285] should be applied to address aforementioned security
> and privacy considerations, one additional information leakage risk
> introduced by this document could not be addressed by these strategies. "
>
> So are they ADDITIONAL or were they ALREADY ADDRESSED in RFC7285? Do you want
> to call the ones you list out as specifically relevant for this use-case?
> Please be clear why you list them here. And if they are NOT sufficiently
> addressed yet, you need to address them here.
> [Qin Wu] : I believe these ADDITIONAL security has already been ADDRESSED by
> protection strategies proposed in RFC7285, but there is one exception case,
> i.e., "one additional information leakage risk
> introduced by this document could not be addressed by these strategies."
> Maybe the first paragraph and the second paragraph lack a good connection
> link, I would propose to make the following change:
> OLD TEXT:
> "
> In the context of CDNI Advertisement, additional security
> considerations should be included as follows:
> "
> NEW TEXT:
> "
> In the context of CDNI Advertisement, the following security
> issues need to be considered as follows:
> "

Would it be clearer if you would write s/additional/specifically ? It seems you want to call out the one as of particular importance?

> For the additional risk of leaking info from one uCDN to another uCDN it is
> unclear to me whether the intended mitigation is meant as normative (SHOULD
> instead of should) and I am curious why you don't make it a MUST.
> [Qin Wu] I have no strong opinion on what language should be used, but I
> agree SHOULD is better than should.

Perfect.

Klaas
