Stephen Farrell has entered the following ballot position for
draft-ietf-netmod-rfc6020bis-12: No Objection

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)

Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.

The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-netmod-rfc6020bis/

----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

- I'm not sure I properly understand what the rpc and action
statements really do, but can an action statement result in
sensitive information being in a place in the model that
previously only contained non-sensitive information? If so,
does that warrant a mention in the security considerations,
like the existing one about RPCs? (I mean the 3rd para of
section 17.)

- anydata (section 7.10) is new, right? Doesn't that mean
that new kinds of stuff (that might be dangerous) can be
found in a module? So if it's true that before yang 1.1 a
parser only had to be careful to parse XML correctly, and if
the addition of anydata means that a parser (via some
extension mechanism) might now be parsing say images, (say
via ImageMagick:-) then that'd likely create new potential
vulnerabilities and might be worth a mention in section 17.

_______________________________________________
netmod mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/netmod
