
Re: Last Call: Adding a fragment identifier to the text/csv media type (see <draft-hausenblas-csv-fragment-06.txt>)

2013-10-14 11:35:03
----- Original Message -----
From: "Barry Leiba" <barryleiba(_at_)computer(_dot_)org>
To: "t.p." <daedulus(_at_)btconnect(_dot_)com>
Cc: "IETF discussion list" <ietf(_at_)ietf(_dot_)org>
Sent: Monday, October 14, 2013 4:31 PM

I find the security considerations in this registration rather weak.
What might have sufficed in 2005 seems to me inadequate for 2013.  I
would expect a clearer statement of what are or are not considered
threats or attacks and what mitigations there then are for them.

Tom, do you have specific suggestions for the authors in this regard?

Looking at an unrelated media/type RFC, it starts with
The main security considerations for the ....
   payload format defined within this memo are confidentiality,
   integrity, and source authenticity.
which is the sort of beginning I expect a Security Considerations to
have in 2013, then going on to say which are relevant here and
how they might be mitigated - CMS, IPsec, TLS; or not as the case
may be.

I see this type as one for database data and so requiring more
careful consideration than, eg, text/plain, as used for messages
like this one.

Tom Petch





Barry