- From: Larry Masinter <LMM@acm.org>
- Date: Sat, 18 Mar 2006 14:14:37 -0800
- To: "'Erik Wilde'" <net.dret@dret.net>
- Cc: uri-review@ietf.org, uri@w3.org, Claudio.Allocchio@garr.it
> .... any suggestions how to resolve that? [[allowing # in numbers]]

I suggest you try to write down what you think are the rules
for legal numbers in a SMS request, and then after you do that,
try to find an existing BNF somewhere that you can reference.
If RFC 3601 doesn't have a production that matches what you need,
then perhaps this is evidence that RFC 3601 needs an update.

Or else, if you think that perhaps you might want to use
'#' in a SMS number, then define the URI component to be the
%xx-escaped version of the telephone number.

> new: "This attempt to collect information may be a privacy issue, and
> user agents MAY make users aware of that risk before composing or
> sending SMS messages."

RFC 3552 section 5 "Writing Security Considerations Sections" gives
guidelines that you should

(a) describe the threat
(b) how might you mitigate the threat
(c) what are the residual risks after threat mitigation

I think you've sort of identified the risk ('a privacy issue'),
the mitigation ('make users aware') but not the residual risk.
And I think it is misuse of the normative 'MAY' to describe something
so vague as 'make users aware of that risk'.

> > Back in the sms-uri document, the wording of
> > "if an sms URI contains a pid-qualifier and the user agent
> > supports the qualifier and its value, then the user agent MUST ..."
> > since the MUST is preconditioned by a situation entirely
> > within the user agent's control.

> i don't get this one. is it not allowed to have a MUST if the control is
> at the user agent? i guess this is just what i want to do here, i want
> to say what a user agent MUST do under certain circumstances.

I'm just confused about what those 'certain circumstances' are,
since the word 'support' has so many vague meanings.

Re security considerations:

> do you suggest to re-write or re-phrase the whole section or
> just parts of it?

each part, be clearer about the risk, mitigation, residual threat.

> right now it is a set of issues which are often unrelated, so i
> assume your comment is about all or most issues and not about
> a specific one you find hard to understand?

Received on Saturday, 18 March 2006 22:15:34 UTC
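
The %xx-escaping suggestion in the message above, as an added example that is not part of the original message or of the sms-uri draft: a raw '#' is the fragment delimiter in generic URI syntax, so a generic parser silently truncates the number, while the escaped form round-trips. The simplified `sms:<number>` form, the function names and the sample number are assumptions made for illustration.

```python
from urllib.parse import quote, unquote, urlsplit

# Assumption: a simplified "sms:<number>" form. The real grammar belongs to
# the draft under review and is not reproduced here.
SAFE_IN_NUMBER = "+*"  # kept literal; '#' is deliberately not in this set


def naive_sms_uri(number: str) -> str:
    """Unescaped form: any '#' in the number is left raw in the URI."""
    return "sms:" + number


def build_sms_uri(number: str) -> str:
    """Escaped form: '#' becomes %23 before it is placed in the URI."""
    return "sms:" + quote(number, safe=SAFE_IN_NUMBER)


def number_from_uri(uri: str, strict: bool = False) -> str:
    """Recover the number as a generic URI parser sees it.

    With strict=True, a URI carrying a fragment is rejected instead of
    being silently truncated at the raw '#'.
    """
    parts = urlsplit(uri)
    if parts.scheme != "sms":
        raise ValueError("not an sms URI")
    if strict and ("#" in uri or parts.query):
        raise ValueError("raw '#' or query in sms URI; number must be %xx-escaped")
    # Anything after a raw '#' has already been split off as the fragment.
    return unquote(parts.path)


if __name__ == "__main__":
    number = "*31#+15105550101"  # constructed sample number containing '#'
    for uri in (naive_sms_uri(number), build_sms_uri(number)):
        frag = urlsplit(uri).fragment
        print(f"{uri!r} -> number {number_from_uri(uri)!r}, fragment {frag!r}")
```
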