This is a re-review of the draft I already reviewed on 2011-03-03. The current draft contains some small changes made since, but I do not think it solves the issues I raised in my previous review:

1) The confidentiality is not mandatory even in the cases where the database contains sensitive elements (passwords), it is only a SHOULD.

2) The privacy issues are not covered enough. The current version added a specific pointer to section 11.2 of RFC5239, but that only covers one very small privacy issue, i.e. anonymous access. It does not cover gathering sensitive privacy information in the database, i.e. who participated in which conferences and with whom.

My previous review can be found at http://www.ietf.org/mail-archive/web/secdir/current/msg02482.html

--
kivinen at iki.fi