Last Call Review of draft-ietf-repute-model-07
review-ietf-repute-model-07-secdir-lc-eastlake-2013-09-05-00

Request Review of draft-ietf-repute-model
Requested rev. no specific revision (document currently at 10)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2013-09-10
Requested 2013-08-16
Authors Nathaniel Borenstein, Murray Kucherawy
Draft last updated 2013-09-05
Completed reviews Genart Last Call review of -07 by Roni Even (diff)
Genart Last Call review of -08 by Roni Even (diff)
Genart Last Call review of -08 by Roni Even (diff)
Secdir Last Call review of -07 by Donald Eastlake (diff)
Assignment Reviewer Donald Eastlake
State Completed
Review review-ietf-repute-model-07-secdir-lc-eastlake-2013-09-05
Reviewed rev. 07 (document currently at 10)
Review result Has Nits
Review completed: 2013-09-05

Review
review-ietf-repute-model-07-secdir-lc-eastlake-2013-09-05

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  Document editors and WG chairs should treat these comments just
like any other last call comments.

The Security Considerations section of this draft is fine, considering
how high-level this document is, but I think there are some problems
in the rest of the document as indicated below.

This high-level document describes a general architecture for a
reputation-based service and a model for requesting reputation-related
data over the Internet.

Minor Problems:

Section 1:
  The last sentence of the first paragraph could be read to imply that
lack of authentication is the primary cause of spam. In this era of
botnets, I don't think that's true. Perhaps "... leads to spam,
phishing, and other attacks." should say "... makes spam, phishing,
and other attacks even easier than they would otherwise be." or
something like that.

Section 4.1.1:
  My guess is that the values of a "Rating" are floating point in the
range 0.0 to 1.0 but it doesn't actually say that... If so, why isn't
the example "1.0" said to indicate "exact agreement" or the like
instead of "strong agreement"? Would 2.0 indicate "very strong
agreement"?

Section 4.2:
  It appears that "Reputon" and "Response Set" are the same thing. Is
that true? If so, my personal opinion is that, while the word
"Reputon" may be cute, it should just be tossed as superfluous.

Section 5:
  This section seems in some ways like the heart of the document but
it also seems a bit blurry. Even at a high level, I would think that
there could be an explicit cardinality associated with these bullet
items. That is, it should say for each (or for all in the case it is
the same for all of them) if they can be omitted, whether or not they
must occur at least once, and if they can occur multiple times.
  Is "application context" the same as what quality is being rated? I
would think not. For example, couldn't the application be "restaurant
recommendation" and then couldn't there be, say, four ratings, one for
food quality, one for price, one for decor, and one for service? If
so, why isn't what the rating measures an additional bullet item or
part of the rating score item? On the other hand, the rating score
item says "overall rating score" implying there can only be one...

Section 6:
  Suddenly, in this section, for the first time, we have the
capitalized word "Target". Why isn't this defined in Section 4 on
terminology and definitions? I suppose it means something like the
pair of identity of the entity being rated and the application
context?

Trivia:

Section 1:
  In paragraph 3 the definition of "reputation" uses the word
"estimation" in an uncommon way that might confuse some readers. I
think it could use something like the word "esteem" instead. The word
"opinion" could also be used but would require minor corresponding
changes. This occurs within quoted text that looks like it is copied
from somewhere else. If so, shouldn't that source be referenced?

Section 3:
  The Figure 1 footer should be on the same page as the figure.

Section 4.1:
  In the last sentence of the 2nd paragraph at the end of page 7, I
would strongly prefer "specify" to "define" but that might be a
personal quirk.