Last Call Review of draft-ietf-appsawg-webfinger-11

Request Review of draft-ietf-appsawg-webfinger
Requested rev. no specific revision (document currently at 18)
Type Last Call Review
Team General Area Review Team (Gen-ART) (genart)
Deadline 2013-03-18
Requested 2013-03-07
Authors Paul Jones, Gonzalo Salgueiro, Michael Jones, Joseph Smarr
Draft last updated 2013-03-16
Completed reviews Genart Last Call review of -11 by Brian Carpenter (diff)
Genart Telechat review of -12 by Brian Carpenter (diff)
Assignment Reviewer Brian Carpenter 
State Completed
Review review-ietf-appsawg-webfinger-11-genart-lc-carpenter-2013-03-16
Reviewed rev. 11 (document currently at 18)
Review result Ready with Issues
Review completed: 2013-03-16


Please see attached review.


I am the assigned Gen-ART reviewer for this draft. For background on
Gen-ART, please see the FAQ at

Please resolve these comments along with any other Last Call comments
you may receive.

Document: draft-ietf-appsawg-webfinger-11.txt
Reviewer: Brian Carpenter
Review Date: 2013-03-16
IETF LC End Date: 2013-03-18
IESG Telechat date: 2013-03-28

Summary:  In good shape, one big question


The draft was updated during Last Call, which I thought was not normal practice.
This review is of the updated draft, not the one that was Last Called.

Technically, the draft looks very good as far as my knowledge goes.

Major Issues:  

There is no explicit discussion of privacy in the draft, which seems to
me to carry evident privacy risks. For example, imagine an ISP that
kindly decides to support webfinger for all customers by default,
and preloads personally identifiable information without consent.

There is some relevant text in the Security Considerations:

   Further, WebFinger MUST NOT be used to provide any personal
   information to any party unless explicitly or implicitly authorized
   by the person whose information is being shared.

However, the weakness there is the words "or implicitly". IANAL, but it
seems highly likely that would be illegal in the European Union, at least.

Has the draft been validated against the guidelines in draft-iab-privacy-considerations?