[apps-discuss] Reivew of draft-johansson-loa-registry
Ted Hardie <ted.ietf@gmail.com> Fri, 06 April 2012 18:59 UTC
Return-Path: <ted.ietf@gmail.com>
X-Original-To: apps-discuss@ietfa.amsl.com
Delivered-To: apps-discuss@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A777C21F84A5; Fri, 6 Apr 2012 11:59:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.999
X-Spam-Level:
X-Spam-Status: No, score=-2.999 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, J_CHICKENPOX_83=0.6, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZXX2VuUCkHp9; Fri, 6 Apr 2012 11:59:53 -0700 (PDT)
Received: from mail-vb0-f44.google.com (mail-vb0-f44.google.com [209.85.212.44]) by ietfa.amsl.com (Postfix) with ESMTP id A4EBB21F84BD; Fri, 6 Apr 2012 11:59:53 -0700 (PDT)
Received: by vbbez10 with SMTP id ez10so1584865vbb.31 for <multiple recipients>; Fri, 06 Apr 2012 11:59:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type; bh=ZYFTGUaDocOFSkOMTywvCWzl0FJKSSGnMR5PPLMNF6U=; b=EBNTTMQwkCaoac8S+biDYmKqPoRH8rgKR7VBxW3yl/U1UctXUz4KLSaFfTDTXUr838 Y5+QyE5N94WXr/Cei0H17Rx4L1m6nwPEJf45b1TlbeFuIZ+qaWFClUT3raDlDx8aldCt 7K4NkOe7RrEmgSSjwEuopKxllty21eoEmOPQNJbe2ZVr6bxk+xA+/wQepvJsHm8xc3iv 2bDjgyQ+NeXL8wifcX9EcUcchkZbAQyAx9iBtaWjXjcQ92W3PnfxwxfDaBqeu6U3QgCP 3gG1tSRYEaaz+nrCAxc2LBiIlzufW+5GTMxnGUvggoaEUXGXDrIZDluTYZBlp34bR0wU uBkQ==
MIME-Version: 1.0
Received: by 10.52.88.2 with SMTP id bc2mr2515248vdb.82.1333738793149; Fri, 06 Apr 2012 11:59:53 -0700 (PDT)
Received: by 10.52.162.99 with HTTP; Fri, 6 Apr 2012 11:59:53 -0700 (PDT)
Date: Fri, 06 Apr 2012 11:59:53 -0700
Message-ID: <CA+9kkMC0vnzoHMVwfNYFrjhMLoCSArj6r+XBgevAx6+f5cfCxQ@mail.gmail.com>
From: Ted Hardie <ted.ietf@gmail.com>
To: apps-discuss@ietf.org, draft-johansson-loa-registry.all@tools.ietf.org, IESG <iesg@ietf.org>
Content-Type: text/plain; charset="ISO-8859-1"
Subject: [apps-discuss] Reivew of draft-johansson-loa-registry
X-BeenThere: apps-discuss@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: General discussion of application-layer protocols <apps-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/apps-discuss>
List-Post: <mailto:apps-discuss@ietf.org>
List-Help: <mailto:apps-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Apr 2012 18:59:54 -0000
I have been selected as the Applications Area Directorate reviewer for this draft (for background on appsdir, please see http://trac.tools.ietf.org/area/app/trac/wiki/ApplicationsAreaDirectorate). Please resolve these comments along with any other Last Call comments you may receive. Please wait for direction from your document shepherd or AD before posting a new version of the draft. Document: draft-johansson-loa-registry Reviewer:Ted Hardie Review Date: April 6, 2012 Summary: There are some clarifications needed to ensure that the resulting registry is as useful as possible. Major Issues: The document currently describes a registry primarily focused on SAML Authentication Context Profiles, but with the understanding that other protocols may re-use the registry contents in their own contexts: Although the registry will contain URIs that reference SAML Authentication Context Profiles other protocols MAY use such URIs to represent levels of assurance definitions without relying on their SAML XML definitions. Use of the registry by protocols other than SAML or OpenID Connect is encouraged. Each registration contains a URI, a schema definition, a short name, and an informational URL. It is not clear, however, whether these URIs must be unique across registrations. Would it be possible, for example, to have a non-SAML usage documented in this registry by having it re-register with an existing URI, but a different informational URL? I believe this point should be made explicit as guidance to the expert reviewers. The document uses ABNF to describe the required format of the short name, but there is no reference for ABNF given; presumably RFC5234 should be included as a reference. The ABNF in the document excludes specific prefixes (LOA, AL) in order to avoid non-descriptive short names, but it is not clear why it also excludes all-digit references. In general, the use of the ABNF for this seems fairly clumsy, and I would suggest that the document shift this from ABNF determinism to advice (to both registrants and expert reviewers), to help ensure that the resulting names are useful. There are a host of equally problematic possibilities (saml-loa-10, for example) that good guidance would better avoid than ABNF rules. For the "informational URL" definition, a list of permitted URI schemes might be useful, as it is not clear whether a contact-only URI would be acceptable. The document says: Informational URL: A URL containing auxilliary information. This URL MUST minimally reference contact information for the administrative authority of the level of assurance definition. Would an informational URL of mailto:loa-registrant@example.org be acceptable? Minor Issues: The example given in 3.1 does not give an information URL, but the registration template implies that this field is mandatory. In 4.1, the document twice uses the term "bona fide" to describe entries: The expectation of the IANA LoA Registry is that it contain bona fide Level of Assurance Profiles while not presenting a very high bar for entry. Expert reviewers SHOULD NOT place undue value in any percieved or actual quality of the associated trust framework or federation and SHOULD only exclude such registrations that in the view of the experts do not represent bona fide attempts at defining an LoA. I suggest that "good faith" be used to replace at least one of these, to clarify the meaning. Nits: [list editorial issues such as typographical errors, preferably by section number] I personally found the Introduction somewhat hard to parse, and I believe it would be improved by bringing paragraphs two and three forward, then following them with the gist of paragraphs one and four. In the Acknowledgements Section: The various versions of the draft was socialized should be "were socialized".
- [apps-discuss] Reivew of draft-johansson-loa-regi… Ted Hardie
- Re: [apps-discuss] Reivew of draft-johansson-loa-… Leif Johansson
- Re: [apps-discuss] Reivew of draft-johansson-loa-… Ted Hardie
- Re: [apps-discuss] Reivew of draft-johansson-loa-… Leif Johansson