Mario,

From: regext <regext-boun...@ietf.org> on behalf of Mario Loffredo <mario.loffr...@iit.cnr.it>
Date: Tuesday, November 9, 2021 at 7:46 AM
To: "regext@ietf.org" <regext@ietf.org>
Subject: [regext] Fwd: RDAP JSContact feedback

7. Security Considerations

“The only mandatory property, namely "uid", is usually an opaque string.”

Do we need to clarify further here, given “uid” would be a non-opaque handle in jscard?

[ML] Sorry but I didn't catch this. Did you mean that "uid" in jscard could disclose some sensitive contact information?

[JS] That’s an interesting question. In contrast with a UUID for a “uid”, a handle might disclose. But, I was simply reacting to the “usually an opaque string” phrase given we have a SHOULD for “uid” being a handle. Meaning, in our case, it would more likely be a handle (less opaque) than a UUID (more opaque).

[ML] UUID is not the only value accepted for "uid" in JSContact (see https://datatracker.ietf.org/doc/html/draft-ietf-jmap-jscontact-08#section-2.1.2); both URI and free-form text are accepted. Maybe opaque is not the right term. I'll rearrange the sentence to mean that the only required property in JSContact is not sensitive information as it happens with fn for jCard.

[JS] Yes, that’ll clarify.

Thanks,
Jasdip