Christer: Many thanks for your review. Much appreciated.
Thank you Scott for addressing things that Christer brought up. I do agree with you though that detailed treatment of WHOIS is out of scope for this document.

Jari

On 21 Oct 2014, at 18:56, Christer Holmberg <christer.holmb...@ericsson.com> wrote:

> Hi Scott,
>
> See inline.
>
> Q1_GENERAL:
>
> In the Introduction, you say that one of the goals of RDAP is to provide security services that do not exist in WHOIS.
>
> However, in section 3 you then say that RDAP doesn’t provide any of these security services, but relies on other protocols.
>
> First, I think you need to re-formulate the text in the Introduction, and talk about how other protocols can be used to provide security services for RDAP.
>
> [SAH] The introduction currently states “This document describes how each of these services is achieved by RDAP”. The details are described in later sections. I’m comfortable with changing “This document describes how each of these services is achieved by RDAP” to “This document describes how each of these services is achieved by RDAP using features that are available in other protocol layers”, but I think it’s more appropriate to leave the details where they are and not replicate them in the introduction.
>
> [Christer] Sure, you don’t need to put the details in the introduction. The point is to make it clear that RDAP itself does not provide security services, and the text change you suggest looks fine.
>
> Second, there is no text on why “other protocols” couldn’t be used to provide security services for WHOIS. I think you need to say that, if you want to claim that RDAP provides better security than WHOIS.
>
> [SAH] This document isn’t focused on WHOIS deficiencies. The reference to RFC 3912 provides a pointer to WHOIS and its lack of security services.
>
> [Christer] There is text saying:
>
> “One goal of RDAP is to provide security services that do not exist in the WHOIS [RFC3912] protocol”
>
> But, as RDAP doesn’t provide security services, isn’t that statement misleading? I think you should say that the security services that this document provides for RDAP do not exist for WHOIS.
>
> Q2_GENERAL:
>
> In some places you say that additional/alternative mechanisms may be defined in the future. I think it would be good to indicate in the Introduction that additional/alternative mechanisms can be added in the future.
>
> [SAH] OK, that’s reasonable.
>
> Q3_GENERAL:
>
> You start some subsections by describing what WHOIS does/doesn’t do. I think you should first describe how the specific security service is provided for RDAP, and then later describe e.g. why the same cannot be provided for WHOIS.
>
> [SAH] Since this document isn’t focused on WHOIS deficiencies I don’t think this is necessary.
>
> [Christer] My point was that you begin the sections by describing what WHOIS does/doesn’t do, and that I think you should begin by describing the RDAP procedures.
>
> So, I am not asking for more text, but simply to move some existing text around :)
>
> Q4_3_1_1:
>
> Section 3.1.1. says: “Federated authentication mechanisms used by RDAP are OPTIONAL.”
>
> That statement is confusing. Does it mean that everything else in the document is mandatory to support?
>
> [SAH] Good point. I can modify that sentence and the second sentence in that paragraph as follows:
>
> “Federated authentication mechanisms MAY be used by RDAP. If used, they MUST be fully supported by HTTP.”
>
> [Christer] Well, if you say “MAY use federated authentication”, the question whether the other mechanisms are mandatory still remains.
>
> Perhaps you could simply say:
>
> “If federated authentication mechanisms are used with RDAP, they MUST be fully supported by HTTP.”
>
> Q5_3_3:
>
> The name of section 3.3 is “Availability”. I don’t see how that is a security service, and the text mostly talks about throttling. Would it be more appropriate to say “Request throttling” instead?
>
> [SAH] The property of availability is described in Section 4 of RFC 4949. I believe the text is appropriate as-is.
>
> [Christer] Ok.
>
> Q6_3_4:
>
> Section 3.4 says:
>
> “Web services such as RDAP commonly use HTTP Over TLS [RFC2818] to provide that protection by encrypting all traffic sent on the connection between client and server.”
>
> To me that sounds like something from a BCP document. I think you should say that the document defines the usage of HTTP over TLS for providing the security service.
>
> [SAH] OK. I can change the sentence to “RDAP SHOULD use HTTP Over TLS [RFC2818] to provide that protection by encrypting all traffic sent on the connection between client and server”. I’m sure there are people who will suggest that MUST is better than SHOULD, but that adds a requirement that hasn’t been discussed in the WG. WG chairs – what do you think?
>
> [Christer] SHOULD normally means that it should also be described when it does not apply. However, your suggested text looks fine, and I’ll leave it up to you to decide whether to use SHOULD or MUST.
>
> Regards,
>
> Christer
> _______________________________________________
> Gen-art mailing list
> Gen-art@ietf.org
> https://www.ietf.org/mailman/listinfo/gen-art
_______________________________________________
Gen-art mailing list
Gen-art@ietf.org
https://www.ietf.org/mailman/listinfo/gen-art
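The substantive point running through the review is that RDAP defines no security services of its own: confidentiality comes from running HTTP over TLS (draft Section 3.4, the SHOULD/MUST question in Q6), and availability comes from HTTP-layer request throttling (Section 3.3, Q5). The Python sketch below is an added illustration of those two layers in practice; it is not code from the draft, from RDAP implementations, or from anyone in this thread. The `rdap_base_url` check, the `RdapThrottle` policy (per-client token bucket answering 429 with `Retry-After`), the host name and the client address are all constructed for this example; the draft itself prescribes no particular throttling algorithm.

```python
"""Added illustration: RDAP's security services come from the layers below it.

Confidentiality: refuse to talk to an RDAP base URL that is not https://,
so queries and any HTTP-layer credentials never travel in clear text.
Availability: a per-client token-bucket throttle an RDAP server can put in
front of its handlers, answering 429 Too Many Requests with Retry-After.
Everything here (helpers, host, client address, traffic) is constructed.
"""
import math
from dataclasses import dataclass, field
from urllib.parse import urlparse


def rdap_base_url(url: str) -> str:
    """Accept an RDAP base URL only if queries to it will be carried over TLS."""
    parts = urlparse(url)
    if parts.scheme.lower() != "https" or not parts.netloc:
        raise ValueError(f"RDAP base URL must use https://, got {url!r}")
    return url.rstrip("/")


@dataclass
class TokenBucket:
    """Classic token bucket: `capacity` requests of burst, `rate` tokens per second."""
    capacity: int
    rate: float
    tokens: float = field(init=False)
    updated: float = field(init=False)

    def __post_init__(self) -> None:
        self.tokens = float(self.capacity)
        self.updated = 0.0

    def take(self, now: float) -> bool:
        """Refill for the time elapsed, then spend one token if available."""
        elapsed = max(0.0, now - self.updated)
        self.tokens = min(float(self.capacity), self.tokens + elapsed * self.rate)
        self.updated = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class RdapThrottle:
    """Per-client throttle; returns the HTTP status the server would answer with.

    200 means the RDAP handler may run; 429 carries a Retry-After hint so a
    well-behaved client backs off instead of hammering the service. Keying
    on client identity is an assumption of this example, not the draft's.
    """

    def __init__(self, capacity: int = 5, rate: float = 1.0) -> None:
        self.capacity, self.rate = capacity, rate
        self.buckets: dict[str, TokenBucket] = {}

    def check(self, client: str, now: float) -> tuple[int, dict[str, str]]:
        bucket = self.buckets.setdefault(client, TokenBucket(self.capacity, self.rate))
        if bucket.take(now):
            return 200, {}
        # Seconds until one token is back, rounded up; never advertise 0.
        wait = (1.0 - bucket.tokens) / bucket.rate
        return 429, {"Retry-After": str(max(1, math.ceil(wait)))}


def replay(throttle: RdapThrottle, requests: list[tuple[float, str]]) -> list[int]:
    """Run constructed (timestamp, client) pairs through the throttle."""
    return [throttle.check(client, ts)[0] for ts, client in requests]


if __name__ == "__main__":
    base = rdap_base_url("https://rdap.example.net/rdap/")  # constructed host
    print("lookup URL:", f"{base}/domain/example.com")
    # Constructed burst: one client (RFC 5737 test address) fires 7 lookups in 0.7 s.
    burst = [(0.1 * i, "198.51.100.7") for i in range(7)]
    print(replay(RdapThrottle(capacity=5, rate=1.0), burst))  # [200]*5 + [429]*2
```

The split mirrors the draft's structure as discussed in the thread: nothing RDAP-specific appears in either helper, because the protection is supplied entirely by the transport (TLS) and by generic HTTP server behaviour (throttling and status codes), which is why Christer asks the Introduction to say so plainly.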