Dear Murray,

Done, many thanks!
On Sun, May 22, 2022 at 7:51 AM Murray S. Kucherawy <[email protected]> wrote:

> On Fri, May 20, 2022 at 6:08 AM Dmitry Belyavsky <[email protected]> wrote:
>
>> On Tue, May 17, 2022 at 7:28 PM Murray S. Kucherawy <[email protected]> wrote:
>>
>>> 1) In Section 3, you have:
>>>
>>> "The validation rules introduced in RFC 6531 are considered to be followed."
>>>
>>> I don't quite understand this sentence. Do you mean this?
>>>
>>> "It is assumed that addresses used with this extension will pass the validation rules introduced in RFC 6531."
>>>
>>> If not, please clarify.
>>
>> Yes, we mean this, but we would prefer the following wording:
>> "The validation rules introduced in RFC 6531 MUST be followed when processing this extension."
>>
>> Are you OK with this?
>
> Yes, thanks, that's clearer.
>
>>> 3) For Section 8, I suggest this to get rid of the layered SHOULD/RECOMMENDED:
>>>
>>> "To reduce the risk of future usability errors, registries SHOULD validate all code points in the domain name of any provided email address according to IDNA2008 [RFC5892]."
>>>
>>> Then again, usability errors aren't something I would expect to be discussed in a Security Considerations section, so maybe this should be someplace else?
>>
>> Would you like something like this?
>>
>> "As an email address is often a primary end-user contact, an invalid email address may put communication with the end user at risk in cases when such contact is necessary. To reduce the risk of the use of invalid domain names in email addresses, registries SHOULD validate the domain name syntax in the provided email addresses and validate all code points in the domain name according to IDNA2008 [RFC5892]."
>
> That's better, but this still doesn't feel like a security matter to me as worded. If you want to add a sentence or two about what security threat exists if this validation isn't done, that makes a better argument.
>
>>> 4) You might want to say something explicit about all of the EAI security issues also applying to this work.
>>
>> We have pretty well described security considerations in RFCs 6530 and 6531. I think referring to them is a good option. I don't think we have any extra security considerations here.
>
> Fine with me.
>
>> If you are OK with the suggested changes, I will publish the updated draft version ASAP.
>
> Yep, ship it!
>
> -MSK

-- 
SY, Dmitry Belyavsky
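The check the thread converges on for Section 8 (validate the domain name syntax of a registry contact email address and check its code points against IDNA2008) as an added Python example; it is not code from the draft or from either participant. It assumes a simplified stand-in for the RFC 5892 PVALID property based on Unicode general categories rather than the full derived-property computation, so a production registry would use a complete IDNA2008 library; the function names and the sample addresses are constructed for the example.

```python
import unicodedata

# Constructed sample contact addresses for demonstration (not from the thread).
SAMPLE_ADDRESSES = [
    "admin@registry.example",         # plain ASCII, valid
    "contact@b\u00fccher.example",    # U-label in NFC, valid
    "contact@xn--bcher-kva.example",  # A-label form of the same name, valid
    "admin@-bad.example",             # label starts with a hyphen, invalid
    "admin@ex\u2603ample.example",    # U+2603 SNOWMAN is a symbol, not PVALID
    "admin@ab--cd.example",           # hyphens in positions 3 and 4, invalid
    "no-at-sign.example",             # not an address at all
]

# Assumption of this example: the RFC 5892 PVALID property is approximated by
# Unicode general categories (lowercase/other/modifier letters, digits, combining
# marks, hyphen-minus). Exceptions, NFKC stability and CONTEXTO/CONTEXTJ rules
# are not implemented; uppercase letters are rejected, as in RFC 5892.
PVALID_CATEGORIES = {"Ll", "Lo", "Lm", "Mn", "Mc", "Nd"}

def label_ok(label: str) -> bool:
    """Check one label of the domain part (ASCII LDH, A-label or U-label)."""
    if not label or label.startswith("-") or label.endswith("-"):
        return False
    if label.lower().startswith("xn--"):
        # A-label: confirm ASCII and length only; decoding the Punycode and
        # re-validating the U-label is left to a full IDNA2008 library.
        return label.isascii() and len(label) <= 63
    if label[2:4] == "--":
        return False  # positions 3 and 4 are reserved (RFC 5891, 4.2.3.1)
    if label.isascii():
        return len(label) <= 63 and all(c.isalnum() or c == "-" for c in label)
    if unicodedata.normalize("NFC", label) != label:
        return False  # a U-label must be in NFC (RFC 5891, 4.2.3.1)
    return all(c == "-" or unicodedata.category(c) in PVALID_CATEGORIES for c in label)

def validate_contact_email(address: str) -> bool:
    """Syntax-check the domain part after the last '@' (RFC 6531 allows a
    UTF-8 local part; quoted local parts containing '@' are not handled)."""
    if address.count("@") != 1:
        return False
    local, domain = address.rsplit("@", 1)
    if not local or not domain:
        return False
    return all(label_ok(label) for label in domain.split("."))

if __name__ == "__main__":
    for addr in SAMPLE_ADDRESSES:
        print("OK     " if validate_contact_email(addr) else "INVALID", addr)
```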
