Re: Comments on the HTTPbis draft, v20

------ Original Message ------
From: "Amos Jeffries" <squid3@treenet.co.nz>
To: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Sent: 6/09/2012 12:35:27 p.m.
Subject: Re: Comments on the HTTPbis draft, v20
>On 06.09.2012 08:07, Roy T. Fielding wrote: 
>>On Sep 5, 2012, at 10:13 AM, Adrian Custer wrote: 
>>
>>>This mail contains some initial editorial comments, questions, and 
>>>recommendations for the httpbis draft 
>>>(http://tools.ietf.org/wg/httpbis/), version 20. 
>>
>>Please note that p1 and p2 are under extensive reconstruction right 
>>now, 
>>much of which involves targeting the requirements. p1's sections 1-4 
>>are relatively stable, but I suggest you wait on the rest of your 
>>review 
>>of p1 and p2 until drafts 21 are out. Draft 20 of p4-p7 are currently 
>>in 
>>WGLC and would be a better target for careful review right now. 
>>
>>I'll have a look at what you mention as I run through p1. However, 
>>please note that your understanding of SHOULD is incorrect: it is to 
>>be used in cases where the list of conditions for not complying are 
>>*not* known in advance. When compliance is bound by a specific set of 
>>conditions, then we say "X MUST do this except when ...". 
>>
>>Also, the lack of a requirement that servers send a response is 
>>on purpose. See discussion of denial-of-service attacks. Perhaps 
>>what is should say is "MUST send a response or close the connection". 
>
>+1. "MUST send a conformant response or close the connection" would be 
>good to explicitly mention that early on. 
Actually I don't even think we should prescribe that.

It could be interesting to simply leave the connection open.  E.g. 
continue to tie up resources at an attacker, without taking on the cost 
of sending a RST back.  

The server should be free to do whatever it wants.  If it chooses to 
send a response, then it should be compliant.

Adrien



>
>
>AYJ 
>
>
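The three server behaviours discussed above (send a conformant response, close without responding, or leave the connection open) can be shown side by side in a small HTTP/1.1 request-line handler. This is an added example, not code from the thread or from any httpbis implementation; the request-line grammar, the `Action` names, the `hold_malformed` policy switch and the `hold_seconds` cap are this example's own assumptions. The cap is the practitioner's caveat: a held connection also ties up a socket and a thread on the server, so the hold is bounded.

```python
"""Added example (not from the mailing-list thread): a minimal HTTP/1.1
request-line check and a per-connection policy that either sends a
conformant response, closes silently, or deliberately leaves the
connection open for a bounded time. All names here are assumptions."""
import re
import socket
import threading
import time
from enum import Enum

# Conservative request-line grammar: method SP request-target SP HTTP-version CRLF.
REQUEST_LINE = re.compile(rb"^([!#$%&'*+\-.^_`|~0-9A-Za-z]+) (\S+) HTTP/1\.[01]\r?\n$")


class Action(Enum):
    RESPOND = "respond"  # send a conformant response, then close
    CLOSE = "close"      # close the connection without any response
    HOLD = "hold"        # leave the connection open, bounded by hold_seconds


def classify(request_line: bytes, hold_malformed: bool = False) -> Action:
    """Decide what to do with one request line (assumed policy, not the draft's)."""
    if REQUEST_LINE.match(request_line):
        return Action.RESPOND
    return Action.HOLD if hold_malformed else Action.CLOSE


def build_response(status: int, reason: str, body: bytes) -> bytes:
    """A minimal conformant HTTP/1.1 response with Content-Length and close."""
    head = (f"HTTP/1.1 {status} {reason}\r\n"
            f"Content-Type: text/plain\r\n"
            f"Content-Length: {len(body)}\r\n"
            f"Connection: close\r\n\r\n")
    return head.encode() + body


def serve_one(conn: socket.socket, hold_malformed: bool = False,
              hold_seconds: float = 2.0) -> Action:
    """Handle one connection and return the Action that was taken."""
    with conn:
        conn.settimeout(hold_seconds)
        try:
            # Bound the line length so a peer cannot make the server buffer forever.
            line = conn.makefile("rb").readline(8192)
        except socket.timeout:
            return Action.CLOSE  # peer never sent a request line; just drop it
        action = classify(line, hold_malformed)
        if action is Action.RESPOND:
            conn.sendall(build_response(200, "OK", b"hello\n"))
        elif action is Action.HOLD:
            # Keep the peer waiting, but cap the cost to our own socket and thread.
            time.sleep(hold_seconds)
        # Action.CLOSE, and the end of HOLD: leaving the 'with' block closes the socket.
        return action


if __name__ == "__main__":
    # Local round trip on the loopback interface with constructed requests.
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    results = []

    def accept_one():
        conn, _ = srv.accept()
        results.append(serve_one(conn, hold_malformed=True, hold_seconds=0.5))

    for raw in (b"GET / HTTP/1.1\r\nHost: example\r\n\r\n", b"NOT HTTP\r\n"):
        t = threading.Thread(target=accept_one)
        t.start()
        cli = socket.create_connection(("127.0.0.1", port))
        cli.settimeout(2)
        cli.sendall(raw)
        reply = cli.recv(4096)  # b"" once a held or dropped connection is closed
        cli.close()
        t.join()
        print(raw.split(b"\r\n")[0], "->", results[-1].value, reply[:20])
    srv.close()
```

Switching `hold_malformed` off turns the second case into a plain close, which is the "respond or close" wording proposed earlier in the thread; the `hold_seconds` timeout also doubles as the read timeout, so a peer that connects and sends nothing is dropped after the same bound.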

Received on Thursday, 6 September 2012 00:56:54 UTC