Re: Ben Campbell's Yes on draft-ietf-httpbis-expect-ct-07: (with COMMENT)

Hi Ben,

Just one comment -

> On 11 Sep 2018, at 7:13 pm, Ben Campbell <ben@nostrum.com> wrote:
> 
> Ben Campbell has entered the following ballot position for
> draft-ietf-httpbis-expect-ct-07: Yes
> 
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
> 
> 
> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
> 
> 
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-httpbis-expect-ct/
> 
> 
> 
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
> 
> Thanks for this work. I'm balloting "Yes", but I have a few minor comments.
> 
> Substantive:
> 
> §2.1, step 6: Is there no room for local policy here?
> 
> §2.1.3: The guidance for max-age in the security considerations section
> suggests 30 days is a good value. But the directive is specified in seconds.
> Does that make sense? Would a 1 second max-age ever be reasonable? Or even 30
> days + 1 second?

Pretty much everything in HTTP is done at second granularity; deviating from that would be odd IMO.

Cheers,

> 
> Editorial:
> 
> - General: This uses a non-standard section order towards the end.
> Conventionally the last 2 sections should be security considerations and IANA
> considerations (although the order between those two varies.)
> 
> §2.2.2: The second sentence is about UA behavior. It seems like that belongs
> somewhere under §2.3.
> 
> §2.3: "SHALL be canonicalized"
> By the UA?  (The use of passive voice here obscures the actor.)
> 
> 

--
Mark Nottingham   https://www.mnot.net/

Received on Wednesday, 12 September 2018 16:04:04 UTC
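The exchange above concerns how a user agent handles the Expect-CT `max-age` directive, which the draft specifies in seconds even though the security considerations suggest a value on the order of 30 days. The following parser is an added example (not code from the draft, the HTTP WG, or either correspondent) that reads an `Expect-CT` field value, requires `max-age` to be a non-negative integer count of seconds, and derives the policy expiry from the time the response was received. The header values are constructed samples, and the `ct.example.invalid` report URI is a placeholder.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# Constructed sample field values (not taken from any real deployment).
SAMPLE_OK = 'max-age=2592000, enforce, report-uri="https://ct.example.invalid/report"'
SAMPLE_BAD_MAX_AGE = "max-age=30d, enforce"   # units are not allowed: seconds only
SAMPLE_MISSING_MAX_AGE = "enforce"            # max-age is a required directive

THIRTY_DAYS_IN_SECONDS = 30 * 24 * 60 * 60    # the value the draft's guidance suggests


class ExpectCTError(ValueError):
    """Raised when a field value cannot be parsed as an Expect-CT policy."""


# One directive: a token name, optionally "=" and either a quoted-string
# or a bare token, followed by a list separator or end of value.
_DIRECTIVE = re.compile(
    r'\s*([A-Za-z0-9-]+)(?:\s*=\s*("(?:[^"\\]|\\.)*"|[^",\s]*))?\s*(?:,|$)'
)
_SEPARATORS = re.compile(r"\s*(?:,\s*)*")      # tolerate empty list elements


def _unquote(raw: str) -> str:
    """Strip surrounding quotes and resolve backslash escapes in a quoted-string."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    return raw


def parse_expect_ct(value: str) -> Dict[str, Optional[object]]:
    """Parse an Expect-CT field value into a directive map.

    Valueless directives (e.g. "enforce") map to None; "max-age" is
    converted to an int number of seconds. Unknown directives are kept
    verbatim so a caller can decide whether to ignore them.
    """
    directives: Dict[str, Optional[object]] = {}
    pos = _SEPARATORS.match(value).end()
    while pos < len(value):
        m = _DIRECTIVE.match(value, pos)
        if not m or m.end() == pos:
            raise ExpectCTError(f"malformed directive near offset {pos}")
        name = m.group(1).lower()
        if name in directives:
            raise ExpectCTError(f"duplicate directive: {name}")
        directives[name] = _unquote(m.group(2)) if m.group(2) is not None else None
        pos = _SEPARATORS.match(value, m.end()).end()

    max_age = directives.get("max-age")
    if "max-age" not in directives:
        raise ExpectCTError("max-age directive is required")
    # The directive is defined in seconds: accept digits only, no units.
    if not isinstance(max_age, str) or not re.fullmatch(r"[0-9]+", max_age):
        raise ExpectCTError("max-age must be a non-negative integer number of seconds")
    directives["max-age"] = int(max_age)
    return directives


def validate_expect_ct(value: str) -> Optional[str]:
    """Return None if the value parses, otherwise the parse error message."""
    try:
        parse_expect_ct(value)
    except ExpectCTError as exc:
        return str(exc)
    return None


def expires_at(directives: Dict[str, Optional[object]], received_at: datetime) -> datetime:
    """Compute when the cached policy lapses: receipt time plus max-age seconds."""
    return received_at + timedelta(seconds=int(directives["max-age"]))


def is_enforcing(directives: Dict[str, Optional[object]]) -> bool:
    """True when the valueless "enforce" directive is present."""
    return "enforce" in directives


if __name__ == "__main__":
    policy = parse_expect_ct(SAMPLE_OK)
    received = datetime(2018, 9, 12, 16, 4, 4, tzinfo=timezone.utc)
    print(policy)
    print("enforcing:", is_enforcing(policy))
    print("expires:", expires_at(policy, received).isoformat())
    print("max-age is exactly 30 days:", policy["max-age"] == THIRTY_DAYS_IN_SECONDS)
    print("bad value:", validate_expect_ct(SAMPLE_BAD_MAX_AGE))
    print("missing max-age:", validate_expect_ct(SAMPLE_MISSING_MAX_AGE))
```

Because the directive is an integer count of seconds, "30 days plus one second" is simply `2592001` and parses like any other value; the parser's job is only to reject non-integer forms such as `30d`, which is the point of the granularity question raised in the review. The regex tokenizer handles a quoted `report-uri` that itself contains commas, which a naive `split(",")` would break.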