On Fri, May 20, 2022 at 6:08 AM Dmitry Belyavsky <[email protected]> wrote:
> On Tue, May 17, 2022 at 7:28 PM Murray S. Kucherawy <[email protected]>
> wrote:
>
>> 1) In Section 3, you have:
>>
>> "The validation rules introduced in RFC 6531 are considered to be
>> followed."
>>
>> I don't quite understand this sentence. Do you mean this?
>>
>> "It is assumed that addresses used with this extension will pass the
>> validation rules introduced in RFC 6531."
>>
>> If not, please clarify.
>>
>
> Yes, we mean this, but we would prefer the following wording:
> "The validation rules introduced in RFC 6531 MUST be followed when
> processing this extension."
>
> Are you OK with this?
>

Yes, thanks, that's clearer.

>
>>
>> 3) For Section 8, I suggest this to get rid of the layered
>> SHOULD/RECOMMENDED:
>>
>> "To reduce the risk of future usability errors, registries SHOULD
>> validate all code points in the domain name of any provided email address
>> according to IDNA2008 [RFC5892]."
>>
>> Then again, usability errors aren't something I would expect to be
>> discussed in a Security Considerations section, so maybe this should be
>> someplace else?
>>
>
> Would you like something like this?
>
> "As email address is often a primary end user contact, invalid email
> address may put the communication with the end user into risk in case when
> such contact is necessary. To reduce the risk of the use of invalid domain
> names in email addresses, registries SHOULD validate the domain name syntax
> in the provided email addresses and validate all code points in the domain
> name according to IDNA2008 [RFC5892]"
>

That's better, but this still doesn't feel like a security matter to me as worded. If you want to add a sentence or two about what security threat exists if this validation isn't done, that makes a better argument.

>
>>
>> 4) You might want to say something explicit about all of the EAI security
>> issues also applying to this work.
>>
>
> We have pretty well described security considerations in RFCs 6530 and
> 6531.
> I think referring to them is a good option. I don't think we have any
> extra security considerations here.
>

Fine with me.

> If you are OK with the suggested changes, I will publish the updated draft
> version ASAP.
>

Yep, ship it!

-MSK
