Last Call Review of draft-ietf-stir-passport-shaken-04
review-ietf-stir-passport-shaken-04-genart-lc-palombini-2018-11-02-00

Request Review of draft-ietf-stir-passport-shaken
Requested rev. no specific revision (document currently at 05)
Type Last Call Review
Team General Area Review Team (Gen-ART) (genart)
Deadline 2018-11-02
Requested 2018-10-19
Other Reviews Secdir Last Call review of -04 by Takeshi Takahashi (diff)
Review State Completed
Reviewer Francesca Palombini
Review review-ietf-stir-passport-shaken-04-genart-lc-palombini-2018-11-02
Posted at https://mailarchive.ietf.org/arch/msg/gen-art/vF0GlDKSXmdF9oVrZkwPVPJ6AAE
Reviewed rev. 04 (document currently at 05)
Review result Ready with Issues
Draft last updated 2018-11-02
Review completed: 2018-11-02

Review
review-ietf-stir-passport-shaken-04-genart-lc-palombini-2018-11-02

I am the assigned Gen-ART reviewer for this draft. The General Area
Review Team (Gen-ART) reviews all IETF documents being processed
by the IESG for the IETF Chair.  Please treat these comments just
like any other last call comments.

For more information, please see the FAQ at

<https://trac.ietf.org/trac/gen/wiki/GenArtfaq>.

Document: draft-ietf-stir-passport-shaken-04
Reviewer: Francesca Palombini
Review Date: 2018-11-02
IETF LC End Date: 2018-11-02
IESG Telechat date: Not scheduled for a telechat

Summary: This draft is on the right track but has open issues, described in the review.

Major issues: 

* This draft defines the new claim "origid" for the Personal Attestation Token used in the SHAKEN framework, but does not give any privacy considerations about it and its use. [RFC6973] suggests that the privacy considerations of IETF protocols be documented. As required by [RFC7258], work on IETF protocols needs to consider the effects of pervasive monitoring and mitigate them when possible. I don't know SHAKEN well enough to comment on privacy issues on that, but this draft, as part of the IETF work, should have privacy considerations, particularly considering the "origid" claim.

Minor issues:

* Section 4: the term "verified association" is not defined in this document, nor in [RFC8225], nor in the SHAKEN spec referenced. Is there a way to clarify what is meant by it? It could be a reference.

Nits/editorial comments: 

* Terminology: I would have appreciated a short sentence mentioning [RFC8225] in the Terminology section.

* Section 9: [RFC8224] appears without link.

* Acknowledgements: "The authors would like
   acknowledge the work of the ATIS/SIP Forum IP-NNI Task Force to
   develop the concepts behind this document." -> The authors would like to acknowledge ...

I do not repeat nits and editorials reported by Adam Roach in his review of this version of the document (11-19-2018, https://mailarchive.ietf.org/arch/msg/stir/HxVSCLPGfSgwFuvqLkWSVNI0PtQ )