- From: Jeffrey Mogul <Jeff.Mogul@hp.com>
- Date: Fri, 21 Jun 2002 19:22:03 -0400 (EDT)
- To: Alex Rousskov <rousskov@measurement-factory.com>
- cc: ietf-http-wg@w3.org
Sorry for the slow reply on this:
Alex Rousskov <rousskov@measurement-factory.com> writes:

> I cannot decide if the following is a MUST-level requirement
> (i.e., its violation prevents RFC 2616 compliance, even conditional):
>
>     13.10 Invalidation After Updates or Deletions
>     ...
>     In order to prevent denial of service attacks, an invalidation based
>     on the URI in a Location or Content-Location header MUST only be
>     performed if the host part is the same as in the Request-URI.
>
> Suppose the host part is not the same as in the Request-URI. Let's
> also assume that the device did perform an invalidation, subjecting
> itself to a potential DoS attack. Did the device violate a MUST-level
> requirement? The answer seems to depend on how you bind "only":
>
> [ ] Yes, this is a MUST-level violation because
>         foo MUST only blah if bar
>     implies
>         if not bar, foo MUST NOT blah
>
> [ ] No, this is not a MUST-level violation because
>         foo MUST only blah if bar
>     implies just that
>         if bar, foo MUST blah
>     and requires nothing when bar is false ("if not bar")
>
> I suspect that the intended interpretation is "yes, this is a MUST
> violation". Can anybody confirm? Is there really a problem with the
> wording, or am I imagining an ambiguity?
I'm pretty sure that I wrote the text in 13.10 (not 100% sure),
so I guess this is my problem. If you can't understand what it
means, then I guess that does mean that the wording isn't sufficiently
clear.
Perhaps this is a clearer wording:

    In order to prevent denial of service attacks, an invalidation
    based on the URI in a Location or Content-Location header MUST
    NOT be performed if the host part of that URI differs from the
    host part in the Request-URI.

This corresponds to your "[ ] Yes" alternative above. The other
interpretation doesn't seem to prevent any DoS attacks. (If I had
meant the other alternative, I would have written something like
"foo MUST be performed if bar").
Clear?
-Jeff
Received on Monday, 24 June 2002 10:41:09 UTC
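The host-part check that this thread settles on, written out as an added example (not code from the thread or from any HTTP cache the participants work on). It models the RFC 2616 section 13.10 rule as a cache would apply it: PUT, POST and DELETE invalidate the Request-URI entity, and also the entity named by Location or Content-Location, but only when that URI's host matches the Request-URI's host; a mismatching host is refused and reported separately so the cache operator can log it. The function names, the sample URIs and the `attacker.example.net` host are constructed for the example; comparing the RFC 2616 `host` production (hostname without port) is an interpretation assumed here.

```python
from urllib.parse import urljoin, urlsplit

# RFC 2616 13.10: these methods cause a cache to invalidate entities.
UNSAFE_METHODS = {"PUT", "POST", "DELETE"}


def same_host(request_uri: str, header_uri: str) -> bool:
    """True when header_uri, resolved against request_uri, has the same
    host part as the Request-URI.

    Assumption: "host part" is the RFC 2616 `host` production, i.e. the
    hostname without the port. A relative Content-Location resolves
    against the Request-URI and therefore trivially shares its host.
    """
    resolved = urljoin(request_uri, header_uri)
    req_host = urlsplit(request_uri).hostname
    hdr_host = urlsplit(resolved).hostname
    if req_host is None or hdr_host is None:
        # No host to compare: treat as not the same and do not invalidate.
        return False
    return req_host.lower() == hdr_host.lower()


def invalidation_targets(method: str, request_uri: str,
                         response_headers: dict) -> tuple:
    """Decide which cache entries a request/response pair may invalidate.

    Returns (invalidate, refused): the URIs the cache should drop, and the
    header URIs it MUST NOT act on because their host differs from the
    Request-URI's host. The refused list exists so the cache can log the
    attempt; a flood of refusals from one origin is the DoS pattern the
    rule exists to stop.
    """
    if method.upper() not in UNSAFE_METHODS:
        return [], []

    invalidate = [request_uri]
    refused = []
    for name in ("Location", "Content-Location"):
        value = response_headers.get(name)
        if value is None:
            continue
        resolved = urljoin(request_uri, value)
        if same_host(request_uri, value):
            if resolved not in invalidate:
                invalidate.append(resolved)
        else:
            # Different host: MUST NOT invalidate (the "[ ] Yes" reading).
            refused.append(resolved)
    return invalidate, refused


if __name__ == "__main__":
    # Constructed response: a POST whose Content-Location points at a
    # third party's popular resource, as a cache-busting attempt would.
    headers = {
        "Location": "http://example.com/docs/2",
        "Content-Location": "http://attacker.example.net/popular",
    }
    drop, refuse = invalidation_targets("POST", "http://example.com/docs/1", headers)
    print("invalidate:", drop)
    print("refused   :", refuse)
```

A cache that logs the `refused` list gets a cheap detection signal for the abuse the rule anticipates: an origin that repeatedly names other hosts in Location or Content-Location on unsafe methods is trying to evict someone else's entries.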