Deb Cooley has entered the following ballot position for draft-ietf-netmod-rfc8407bis-25: No Objection
When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ for more information about how to handle DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-netmod-rfc8407bis/ ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- I am balloting 'no objection', but I am serious about these comments. It should always be a goal for an RFC (at whatever level) to be clear, concise, and understandable. My comments below all reflect that goal: Thank you to Yoav Nir for their secdir review. Section 1.1: This is long and incomprehensible unless one is intimately familiar with the original RFC. Recommend moving it to either a later section or to an Appendix. Section 3.7, general: The word 'especially' is not defined. What does 'especially disruptive' vs merely 'disruptive' mean? What about 'especially sensitive information' vs merely 'sensitive information'? Either remove these descriptors or define what they mean. Section 3.7.1, para 3: Why not 'MUST use' vs 'have to use' for both the requirement for secure transport and mutual authentication? Section 3.7.1: This comment applies to every place in this section that uses the word 'particularly'. What makes data 'particularly sensitive'? Is it defined somewhere? Again, the descriptor (particularly) doesn't actually help to define what makes data more or less sensitive, or contain more or less vulnerabilities. Is it merely up to the editors of the draft to decide? What if I, as the editor, decide that the lifetime symmetric key variable, written into a Yang data module isn't 'particularly sensitive', would that be ok? As it is my choice as the editor? [I will note that RFC8341 puts the word 'particular' in front of nearly every noun in the draft, also with no explanation of what makes any of those users, requests, protocols, etc special, or hmmm particular.] Section 6, last sentence: Are there new or increased security risks that don't need to be discussed? Please remove the phrase 'that need to be discussed' as it just raises more questions about what isn't being said. _______________________________________________ netmod mailing list -- netmod@ietf.org To unsubscribe send an email to netmod-le...@ietf.org
