Sorry for the slow reply on this:

Alex Rousskov <rousskov@measurement-factory.com> writes:

    I cannot decide if the following is a MUST-level requirement
    (i.e., its violation prevents RFC 2616 compliance, even conditional):

        13.10 Invalidation After Updates or Deletions
        ...
        In order to prevent denial of service attacks, an invalidation
        based on the URI in a Location or Content-Location header MUST
        only be performed if the host part is the same as in the
        Request-URI.

    Suppose the host part is not the same as in the Request-URI. Let's
    also assume that the device did perform an invalidation, subjecting
    itself to a potential DoS attack. Did the device violate a
    MUST-level requirement? The answer seems to depend on how you bind
    "only":

    [ ] Yes, this is a MUST-level violation because
            foo MUST only blah if bar
        implies
            if not bar, foo MUST NOT blah

    [ ] No, this is not a MUST-level violation because
            foo MUST only blah if bar
        implies just that
            if bar, foo MUST blah
        and requires nothing when bar is false ("if not bar")

    I suspect that the intended interpretation is "yes, this is a MUST
    violation". Can anybody confirm? Is there really a problem with the
    wording, or am I imagining an ambiguity?

I'm pretty sure that I wrote the text in 13.10 (not 100% sure), so I guess this is my problem. If you can't understand what it means, then I guess that does mean that the wording isn't sufficiently clear.

Perhaps this is a clearer wording:

    In order to prevent denial of service attacks, an invalidation
    based on the URI in a Location or Content-Location header MUST NOT
    be performed if the host part of that URI differs from the host
    part in the Request-URI.

This corresponds to your "[ ] Yes" alternative above. The other interpretation doesn't seem to prevent any DOS attacks. (If I had meant the other alternative, I would have written something like "foo MUST be performed if bar").

Clear?

-Jeff

Received on Monday, 24 June 2002 10:41:09 GMT
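The "MUST NOT" reading of 13.10, written out as the check a cache would run before invalidating on a Location or Content-Location header. This is an added example, not part of the original message or of any cache's code; the function names, the plain dict of headers and the sample URIs are assumptions, and "host part" is taken here to mean the case-insensitive hostname without the port.

```python
from urllib.parse import urljoin, urlsplit

# Headers whose URI may trigger an invalidation (RFC 2616 section 13.10).
INVALIDATING_HEADERS = ("Location", "Content-Location")


def host_part(uri):
    """Lower-cased hostname of an absolute URI, or None if it has none."""
    return urlsplit(uri).hostname


def header_invalidations(request_uri, response_headers):
    """Split header-derived URIs into (allowed, refused) invalidations.

    request_uri is the absolute Request-URI of the request being answered.
    response_headers is a dict keyed by canonical header name (assumption).
    A header URI is allowed only when its host part equals the request's;
    a differing host MUST NOT cause an invalidation.
    """
    request_host = host_part(request_uri)
    allowed, refused = [], []
    for name in INVALIDATING_HEADERS:
        value = response_headers.get(name)
        if not value:
            continue
        # Content-Location may be relative; resolve it against the Request-URI.
        target = urljoin(request_uri, value.strip())
        if request_host is not None and host_part(target) == request_host:
            allowed.append(target)
        else:
            # Fail closed: a foreign or missing host never invalidates.
            refused.append(target)
    return allowed, refused


# Constructed sample: headers on a response to a PUT of SAMPLE_REQUEST.
SAMPLE_REQUEST = "http://shop.example/cart/7"
SAMPLE_HEADERS = {
    "Location": "http://other.example/index.html",  # different host
    "Content-Location": "/cart/7.json",             # relative, same host
}

if __name__ == "__main__":
    ok, no = header_invalidations(SAMPLE_REQUEST, SAMPLE_HEADERS)
    print("invalidate:", ok)
    print("refuse:    ", no)
```

Under the rejected "[ ] No" reading the `else` branch would be free to invalidate as well, which is the case the rule exists to exclude.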