W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2002

is "MUST only if" a MUST?

From: Alex Rousskov <rousskov@measurement-factory.com>
Date: Mon, 17 Jun 2002 09:56:31 -0600 (MDT)
To: ietf-http-wg@w3.org
Message-ID: <Pine.BSF.4.10.10206170954310.36342-100000@measurement-factory.com>

Hi there,

	I cannot decide if the following is a MUST-level requirement
(i.e., its violation prevents RFC 2616 compliance, even conditional):

   13.10 Invalidation After Updates or Deletions
   ...
   In order to prevent denial of service attacks, an invalidation based
   on the URI in a Location or Content-Location header MUST only be
   performed if the host part is the same as in the Request-URI.

Suppose the host part is not the same as in the Request-URI. Let's
also assume that the device did perform an invalidation, subjecting
itself to a potential DoS attack. Did the device violate a MUST-level
requirement? The answer seems to depend on how you bind "only":

	[ ] Yes, this is a MUST-level violation because
		foo MUST only blah if bar
	    implies
		if not bar, foo MUST NOT blah

	[ ] No, this is not a MUST-level violation because
		foo MUST only blah if bar
	    implies just that
		if bar, foo MUST blah
	    and requires nothing when bar is false ("if not bar")
	    
I suspect that the intended interpretation is "yes, this is a MUST
violation". Can anybody confirm? Is there really a problem with the
wording, or am I imagining an ambiguity?

Thank you,

Alex.
Received on Monday, 17 June 2002 11:56:32 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:49:18 GMT