Hi Scott,
See inline.
Q1_GENERAL:
In the Introduction, you say that one of the goal of RDAP is to provide
security services, that do not exist in WHOIS.
However, in section 3 you then say that RDAP doesn't provide any of these
security services, but relies on other protocols.
First, I think you need to re-formulate the text in the Introduction, and talk
about how other protocols can be used to provide security services for RDAP.
[SAH] The introduction currently states "This document describes how each of
these services is achieved by RDAP". The details are described in later
sections. I'm comfortable with changing "This document describes how each of
these services is achieved by RDAP" to "This document describes how each of
these services is achieved by RDAP using features that are available in other
protocol layers", but I think it's more appropriate to leave the details where
they are and not replicate them in the introduction.
[Christer] Sure, you don't need to put the details in the introduction. The
point is to make it clear that RDAP itself does not provide security services,
and the text change you suggest look fine.
Second, there is no text on why "other protocols" couldn't be used to provide
security services for WHOIS. I think you need to
say that, if you want to claim that RDAP provides better security than WHOIS.
[SAH] This document isn't focused on WHOIS deficiencies. The reference to RFC
3912 provides a pointer to WHOIS and its lack of security services.
[Christer]
There is text saying:
"One goal of RDAP is to provide security services that do not exist in the
WHOIS [RFC3912] protocol"
But, as RDAP doesn't provide security services, isn't that statement
misleading? I think you should say that the security services that this
document provides for RDAD do not exist for WHOIS.
Q2_GENERAL:
In some places you say that additional/alternative mechanisms may
be defined in the future. I think it would be good to in
the Introduction indicate that additional/alternative mechanisms can be added
in the future.
[SAH] OK, that's reasonable.
Q3_GENERAL:
You start some subsections by describing what WHOIS does/doesn't
do. I think you should first describe of
the specific security service is provided for RDAP, and then later describe
e.g. why the same cannot be provided
for WHOIS
[SAH] Since this document isn't focused on WHOIS deficiencies I don't think
this is necessary.
[Christer] My point was that you begin the sections by describing what WHOIS
does/doesn't do, and that I think you should begin by describing the RDAP
procedures.
So, I am not asking for more text, but simply to move some existing text around
:)
Q4_3_1_1:
Section 3.1.1. says: "Federated authentication mechanisms used by
RDAP are OPTIONAL."
That statement is confusing. Does it mean that everything else in
the document is mandatory to support?
[SAH] Good point. I can modify that sentence and the second sentence in that
paragraph as follows:
"Federated authentication mechanisms MAY be used by RDAP. If used, they MUST be
fully supported by HTTP."
[Christer] Well, if you say "MAY use federated authentication", the questions
whether the other mechanisms are mandatory still remain.
Perhaps you could simply say:
"If federated authentication mechanism is used with RDAP, they MUST
be fully supported by HTTP."
Q5_3_3:
The name of section 3.3 is "Availability". I don't see how that
is a security service, and the text mostly talks about
throttling. Would it be more appropriate to say "Request throttling" instead?
[SAH] The property of availability is described in Section 4 of RFC 4949. I
believe the text is appropriate as-is.
[Christer] Ok.
Q6_3_4:
Section 3.4 says:
"Web services such as RDAP commonly use HTTP Over TLS [RFC2818]
to provide that protection by encrypting all
traffic sent on the connection between client and server."
To me that sounds like something from a BCP document. I think you
should say that the document defines
the usage of HTTP over TLS for providing the security service.
[SAH] OK. I can change the sentence to "RDAP SHOULD use HTTP Over TLS [RFC2818]
to provide that protection by encrypting all traffic sent on the connection
between client and server". I'm sure there are people who will suggest that
MUST is better than SHOULD, but that adds a requirement that hasn't been
discussed in the WG. WG chairs - what do you think?
[Christer] SHOULD normally means that it should also be described when it does
not apply. However, your suggested text look fine, and I'll leave it up to you
to decide whether to use SHOULD or MUST.
Regards,
Christer
_______________________________________________
Gen-art mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/gen-art
