> -----Original Message-----
> From: Salz, Rich <rs...@akamai.com>
> Sent: Monday, February 1, 2021 2:22 PM
> To: sec...@ietf.org
> Cc: draft-ietf-regext-rfc7483bis....@ietf.org; last-c...@ietf.org;
> regext@ietf.org
> Subject: [EXTERNAL] Re: [secdir] Secdir last call review of
> draft-ietf-regext-rfc7483bis-04
>
> Browser crashed. Here's the real review.
>
> I have reviewed this document as part of the security directorate's ongoing
> effort to review all IETF documents being processed by the IESG. These
> comments were written primarily for the benefit of the security area
> directors. Document editors and WG chairs should treat these comments
> just like any other last call comments.
>
> The summary of the review is ready with nits.
>
> I expected to see mention of HTTPS, as opposed to HTTP, in the protocol
> definition. At a minimum
>     HTTPS MUST be used.
> In the security considerations.
>
> I wonder if using "451" status is worthwhile? I can accept either answer.
>
> As this is a protocol transliteration, the references to other RFCs and
> security considerations seem on-target.

Thanks for the review, Rich. The security services for RDAP are described in RFC 7481, where it says, "HTTP over TLS MUST be used to protect all client-server exchanges unless operational constraints make it impossible to meet this requirement." I intend to submit a request to move 7481 from Proposed Standard status to Standard status shortly to keep these in synch.

Scott