Please see attached review.

Brian

I am the assigned Gen-ART reviewer for this draft. For background on Gen-ART, please see the FAQ at <http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>.

Please resolve these comments along with any other Last Call comments you may receive.

Document: draft-ietf-appsawg-webfinger-11.txt
Reviewer: Brian Carpenter
Review Date: 2013-03-16
IETF LC End Date: 2013-03-18
IESG Telechat date: 2013-03-28

Summary: In good shape, one big question
--------

Comments:
---------

The draft was updated during Last Call, which I thought was not normal practice. This review is of the updated draft, not the one that was Last Called.

Technically, the draft looks very good as far as my knowledge goes.

Major Issues:
-------------

There is no explicit discussion of privacy in the draft, which seems to me to carry evident privacy risks. For example, imagine an ISP that kindly decides to support webfinger for all customers by default, and preloads personally identifiable information without consent.

There is some relevant text in the Security Considerations:

   Further, WebFinger MUST NOT be used to provide any personal
   information to any party unless explicitly or implicitly
   authorized by the person whose information is being shared.

However, the weakness there is the words "or implicitly". IANAL, but it seems highly likely that would be illegal in the European Union, at least.

Has the draft been validated against the guidelines in draft-iab-privacy-considerations?
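As an added illustration of the explicit-authorization point raised in the review (example code written here, not part of the review, the WebFinger draft, or any implementation it describes), the following builds a WebFinger JRD response in which nothing about a subject is released unless that subject has opted in to each property and link individually. The JRD member names (subject, aliases, properties, links) and the rel-based link filter follow the WebFinger specification; the account records, the consent table, and the property URIs are constructed sample data.

```python
import json

# Constructed sample: what a provider might hold about one account.
# In the review's scenario this is the data an ISP could preload by default.
ACCOUNT_DATA = {
    "acct:alice@example.com": {
        "subject": "acct:alice@example.com",
        "aliases": ["https://example.com/people/alice"],
        "properties": {
            "http://example.com/ns/role": "staff",
            "http://example.com/ns/phone": "+1-555-0100",  # never consented to below
        },
        "links": [
            {"rel": "http://webfinger.net/rel/profile-page",
             "href": "https://example.com/people/alice"},
            {"rel": "http://webfinger.net/rel/avatar",
             "href": "https://example.com/avatars/alice.png"},
        ],
    },
}

# Explicit consent, recorded per subject and per element (constructed).
# Absence of an entry means "not authorized": the default is deny.
CONSENT = {
    "acct:alice@example.com": {
        "aliases": True,
        "properties": {"http://example.com/ns/role"},
        "links": {"http://webfinger.net/rel/profile-page"},
    },
}


def build_jrd(resource, rels=None):
    """Return the JRD (as a dict) for `resource`, or None when nothing may be served.

    Only elements the subject explicitly consented to are included.  `rels`, when
    given, further restricts links to those rel values, mirroring the optional
    rel parameter of a WebFinger query.
    """
    account = ACCOUNT_DATA.get(resource)
    consent = CONSENT.get(resource)
    # Unknown account and account-without-consent are treated identically, so the
    # response does not confirm that an unconsenting account exists.
    if account is None or consent is None:
        return None

    jrd = {"subject": account["subject"]}

    if consent.get("aliases"):
        jrd["aliases"] = list(account.get("aliases", []))

    allowed_props = consent.get("properties", set())
    props = {uri: val for uri, val in account.get("properties", {}).items()
             if uri in allowed_props}
    if props:
        jrd["properties"] = props

    allowed_rels = consent.get("links", set())
    links = [link for link in account.get("links", [])
             if link["rel"] in allowed_rels]
    if rels is not None:
        links = [link for link in links if link["rel"] in rels]
    if links:
        jrd["links"] = links

    return jrd


def jrd_document(resource, rels=None):
    """Serialize the consent-filtered JRD as JSON, or return None (caller answers 404)."""
    jrd = build_jrd(resource, rels)
    return None if jrd is None else json.dumps(jrd, sort_keys=True)


if __name__ == "__main__":
    print(jrd_document("acct:alice@example.com"))
    print(jrd_document("acct:alice@example.com",
                       rels={"http://webfinger.net/rel/avatar"}))
    print(jrd_document("acct:bob@example.com"))
```

The design choice worth noting is that consent is recorded per element rather than per account: a subject who is happy to publish a profile link has not thereby agreed to publish a phone number, and an element with no consent record is simply never copied into the response.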