W3C home > Mailing lists > Public > w3c-dist-auth@w3.org > October to December 2005

Review of RFC2518bis pre-draft

From: Julian Reschke <julian.reschke@gmx.de>
Date: Fri, 09 Dec 2005 20:35:22 +0100
Message-ID: <4399DC7A.60209@gmx.de>
To: WebDAV <w3c-dist-auth@w3.org>

...as of today; as seen at 
This review mainly covers minor changes compared to -08 which 
(hopefully) do not need a BugZilla entry. Please try to fix those before 
submitting a new draft.

3. Terminology

Inconsistent typography (":" vs "-")

"A URI mapping can be thought of as a URL pointing to a resource."

I'm not sure what this is supposed to mean. Please remove it or clarify.

7.6  Write Locks and Unmapped URLs

    A successful lock request to an unmapped URL MUST result in the
    creation of an locked resource with empty content.  Subsequently, a
    successful PUT request (with the correct lock token) provides the
    content for the resource, and the server MUST also use the content-
    type and content-language information from this request.

Making this a MUST creates a conflict with an upcoming TAG finding by 
Roy Fielding.

8.2.6 Example - Using 'allprop' to Retrieve Dead Properties and RFC2518 


- move it back where it was in RFC2518
- avoid the term RFC2158 properties in the title
- XML in example to be fixed, for instance whitespace in D:getlastmodified
- intra-doc reference to Section 13 is incorrect

Obviously this has been copied verbatim from RFC2518 without any sanity 


    200 (OK) - The property set or change succeeded.  Note that if this
    appears for one property, it MUST appear for every property in the
    response, due to the atomicity of PROPPATCH.

(2nd sentence) Again, this is correct, but

a) doesn't really need to be mentioned,

b) but if is mentioned, then using MUST is incorrect here. This is imply 
an observation based on normative text somewhere else, not a new interop 


    WebDAV adds some requirements to DELETE handling.  Locks rooted on a
    resource MUST be destroyed in a successful DELETE of that resource.

This is still a lame way to introduce DELETE. Please move the second 
sentence somewhere else, potentially a subsection (see also 

8.9.5  Status Codes

    403 (Forbidden) - The operation is forbidden.  A special case for
    COPY could be that the source and destination resources are the same

Confusing. Servers may treat this as a nop, just returning 200. Just be 
silent about it.

8.10.4  Status Codes

    204 (No Content) - The source resource was successfully moved to
    overwrite pre-existing destination resource.

Sentence broken compared to -08.

    403 (Forbidden) - In addition to general reasons for forbidding a
    MOVE operation, it could be that the source and destination resources
    are the same.

And being source and destination identical would be a problem exactly why?

12.1  Response headers

    Use of the Location header with the Multi-Status response is
    intentionally undefined.  The server MAY always redirect the entire
    request by responding with a 300 level status response instead of a
    Multi-Status response.

This section doesn't provide any useful information. In particular, the 
second sentence seems to be completely out of context.

12.2  URL handling

    When a Multi-Status body is returned in response to a PROPFIND or
    another request with a single scope (no Destination header), it can
    contain one or more 'response' element with an 'href' element for the
    URL of the resource described in that 'response' element.  Each of

And in the other case this is not true?

    these response URLs MUST be equal to or inside the Request-URI.  The
    response URLs MAY be absolute or relative references but MUST NOT
    include "." or ".." as path elements.

URLs never are relative references. There is no such thing as an 
absolute reference.

    If a response URL is relative reference, it MUST be resolved against
    the Request-URI.  A relative reference MUST be an absolute path (note
    that clients are not known to support relative paths).

May I again recommend to just use the text I proposed earlier? It uses 
the proper terminology from RFC3986.

    URLs for collections appearing in the results SHOULD end in a '/'

And the rule does not apply if it's not a URL, such as a relative reference?

    If a server allows resource names to include characters that aren't
    legal in HTTP URL paths, these characters must be URI-escaped on the

Again, terminology. It's called "Percent-Encoding", and we should refer 
to the exact section in RFC3986.

    wire.  For example, it is illegal to use a space character or double-
    quote in a URI.  URIs appearing in PROPFIND or PROPPATCH XML bodies
    (or other XML marshalling defined in this specification) are still
    subject to all URI rules, including forbidden characters.

12.3  Handling redirected child resources

    Redirect responses (300-303, 305 and 307) defined in HTTP 1.1
    normally take a Location header to indicate the new URI for the
    single resource redirected from the Request-URI.  Multi-Status
    responses contain many resource addresses, but the original
    definition in RFC2518 did not have any place for the server to
    provide the new URI for redirected resources.  This specification
    does define a 'location' element for this information (see
    Section 13.9).  Servers MAY use this new element or MAY stick with
    the original syntax.

Sounds like "We don't care what servers do".

19.7  Risks Connected with Lock Tokens

    This specification encourages the use of "A Universally Unique
    Identifier (UUID) URN Namespace" ([RFC4122]) for lock tokens
    Section 6.3, in order to guarantee their uniqueness across space and
    time.  The security considerations for UUIDs do not apply because
    WebDAV does not assume that lock tokens are supposed to be hard to

Wow! They don't apply? Why can't we just stick with what RFC2518 said,
just updating what needs to be updated, and leaving the rest alone?
Proposed text:

    This specification, in Section 6.3, encourages the use of Universal
    Unique Identifiers (UUIDs) in lock tokens, in order to guarantee
    their uniqueness across space and time.  Version 1 UUIDs, as defined
    in Section 4 of [RFC4122], may contain a "node" field which "consists
    of an IEEE 802 MAC address, usually the host address.  For systems
    with multiple IEEE 802 addresses, any available one can be used".
    Since a WebDAV server will issue many locks over its lifetime, the
    implication is that it may also be publicly exposing its IEEE 802

    There are several risks associated with exposure of IEEE 802
    addresses.  Using the IEEE 802 address:

    o  It is possible to track the movement of hardware from subnet to

    o  It may be possible to identify the manufacturer of the hardware
       running a WebDAV server.

    o  It may be possible to determine the number of each type of
       computer running WebDAV.

    This risk only applies to host address based UUID versions.  Section
    4 of [RFC4122] describes several other mechanisms for generating
    UUIDs that do involve the host address and therefore do not suffer
    from this risk.

22.1 Normative References

[2518] still appears under "normative".

Best regards, Julian
Received on Friday, 9 December 2005 19:48:28 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 7 January 2015 15:01:34 UTC