To:
"'ietf-provreg@cafax.se'" <ietf-provreg@cafax.se>
From:
"Hollenbeck, Scott" <shollenbeck@verisign.com>
Date:
Thu, 17 Oct 2002 14:51:01 -0400
Sender:
owner-ietf-provreg@cafax.se
Subject:
FW: IESG Review Comments
Forwarded with Patrik's permission for the benefit of the WG, these are the comments received back from the IESG's review of the EPP documents. I'll be editing the documents shortly to incorporate the IESG's suggested text changes and others received from the WG over the last few weeks. I've added annotations to number the comments in this message. We're still trying to obtain clarifications for comments 6 and 8. -Scott- -----Original Message----- From: Patrik Fältström [mailto:paf@cisco.com] Sent: Tuesday, October 15, 2002 5:17 AM To: Scott Hollenbeck Cc: Jaap Akkerhuis; Edward Lewis Subject: Discuss on epp documents [Ooopss....I forgot to click on "send", this window has been sitting for a week in my laptop behind the window with the mailboxes....I AM SORRY] From IESG: Steve: 1. > <draft-ietf-provreg-epp-07.txt> Do we put mailing list names and URLs in RFCs? 2. I'd like a stronger Security Considerations section, though I think it can be added by an RFC Editor note. In particular, I want it to say that EPP "MUST NOT be used over a transport mechanism that does not provide confidentiality", or "All transport mappings for EPP MUST provide confidentiality and integrity". (I think that that's what they intend, but it's not clear enough.) 3. > <draft-ietf-provreg-epp-domain-05.txt> What is an "authorization token"? It's not defined, but it's mandated by the security considerations. (I suspect it's what is discussed in 2.6, but it doesn't use the same words.) 4. > <draft-ietf-provreg-epp-contact-05.txt> What is an "authorization token"? It's not defined, but it's mandated by the security considerations. (I suspect it's what is discussed in 2.8, but it doesn't use the same words.) 5. > <draft-ietf-provreg-epp-tcp-05.txt> The Security Considerations section seems to require TLS client authentication, which in turn requires client certificates. Is this intended? If so, great! But in that case, what is the fate, if any, of the EPP login/password command? Is it still needed? Is it still legal? What does it mean? Must the identities agree? (The requirement for server authentication is excellent, but some more text mentioning the need to validate the certificate chain is probably a good idea.) Scott: note: 6. draft-ietf-provreg-epp-07.txt sec 2.1 I think it would be good to be a bit more strict about the use of congestion control protocols specifically require the use of an IETF standards track congestion control protocol such as TCP or SCTP i.e. change the following line: - The transport mapping MUST manage congestion. to: - The transport mapping MUST only be to an IETF standards track congestion control protocol such as TCP or SCTP. Bert: document: draft-ietf-provreg-epp-07.txt 7. page 12, example greeting has: S: <svID>Example EPP server epp.example.tld</svID> in an example greeting. Did we not decide at some point that examples should be of the form: epp.example.org ?? Patrik answers: > We should follow RFC 2606 which states that: > > 3. Reserved Example Second Level Domain Names > > The Internet Assigned Numbers Authority (IANA) also > currently has the > following second level domain names reserved which can be used as > examples. > > example.com > example.net > example.org > > > I.e. using "tld" as an example top level domain is wrong. > > Can you please have a discuss on this? > Sure... it seemed more like a small nit to me, in any event, such a discuss I think can be cleared with a RFC-Editor note. Randy: 8. why do domain/contact/.. not have granular information about privacy?