Draft: draft-jennings-impp-vcard-07
Reviewer: Spencer Dawkins [spencer@mcsr-labs.org]
Review Date: Tuesday 8/1/2006 6:51 PM
IETF LC Date: 8/24/2006

Summary: this draft is almost ready for publication as a Proposed Standard RFC. I have two questions, which may very well be my own confusions, but wanted to ask before Last Call ended...

I have no editorial nits for this draft - thanks! It was clean and easy to understand...

-----------------

1. Overview

   The normative definition of this new vCard type is given in Section 2, and an informational ABNF is provided in Section 3.

I may be more confused than usual, but section 3 looked fairly "normative" to me. At the very least, I was confused because the following text:

2. IANA Considerations

   Type special notes: The type can include the type parameter "TYPE" to specify an intended use for the URI. The TYPE parameter values can include:

   o An indication of the type of communication for which this URI is appropriate. This can be a value of PERSONAL or BUSINESS.

   o An indication of the location of a device associated with this URI. Values can be HOME, WORK, or MOBILE.

   o The value PREF indicates this is a preferred address and has the same semantics as the PREF value in a TEL type.

seemed to say "or can include other values, not described here, and they happen to be described in the informative ABNF", and

   Additional information can be found in _RFCAAAA_. _[Note to IANA: Please replace AAAA with the RFC number for this specification.]_

seemed to say that the normative text (from section 2) pointed outside the normative text (presumably including section 3) - is this making any sense?

5. Security Considerations

   This does not introduce additional security issues beyond the current vCard specification. It is worth noting that many people consider their presence information more sensitive than other address information. Any system that stores or transfers vCards needs to carefully consider the privacy issues around this information.

I understand the problem here, and there's probably not anything else you can do, but would it make sense to explicitly say "deployed applications that process vCards as blobs won't know that vCards now contain more sensitive information than previously, and system administrators should be aware of this"?
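
Added example, not part of the review or of the draft: one way a system that stores or forwards vCards as blobs could find the IMPP properties discussed above and remove them before the card leaves a trust boundary. The sample card, the function names and the vCard 3.0 line handling (folding, group prefixes, case-insensitive names) are assumptions of this sketch; quoted parameter values containing ":" are not handled.

```python
import re

# Constructed sample vCard 3.0 blob (not from the draft). The second IMPP
# property is folded: CRLF followed by one whitespace character.
SAMPLE = (
    "BEGIN:VCARD\r\n"
    "VERSION:3.0\r\n"
    "FN:Alice Example\r\n"
    "TEL;TYPE=WORK:+1-555-0100\r\n"
    "IMPP;TYPE=personal,pref:im:alice@example.com\r\n"
    "item1.impp;TYPE=BUSINESS:xmpp:alice@\r\n"
    " example.org\r\n"
    "END:VCARD\r\n"
)

def unfold(blob):
    """Undo line folding, then split into logical content lines."""
    joined = re.sub(r"\r?\n[ \t]", "", blob)
    return [line for line in joined.splitlines() if line]

def parse_line(line):
    """Return (property name without group prefix, TYPE values, value)."""
    head, _, value = line.partition(":")  # first ":" ends name and params
    name, *params = head.split(";")
    name = name.rsplit(".", 1)[-1].upper()  # drop "group." prefix
    types = []
    for param in params:
        key, _, val = param.partition("=")
        if key.upper() == "TYPE":
            types += [t.strip().upper() for t in val.split(",")]
    return name, types, value

def find_impp(blob):
    """List (TYPE values, URI) for every IMPP property in the blob."""
    parsed = (parse_line(line) for line in unfold(blob))
    return [(types, uri) for name, types, uri in parsed if name == "IMPP"]

def strip_impp(blob):
    """Return the card with all IMPP properties removed (output unfolded)."""
    kept = [line for line in unfold(blob) if parse_line(line)[0] != "IMPP"]
    return "\r\n".join(kept) + "\r\n"

if __name__ == "__main__":
    for types, uri in find_impp(SAMPLE):
        print("IMPP found:", types, uri)
    print(strip_impp(SAMPLE))
```

Matching on the unfolded, upper-cased property name matters here: a filter that greps raw lines for "IMPP" would miss the grouped lower-case property and would leave the folded continuation line behind.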