is "MUST only if" a MUST?

Hi there,

	I cannot decide if the following is a MUST-level requirement
(i.e., its violation prevents RFC 2616 compliance, even conditional):

   13.10 Invalidation After Updates or Deletions
   ...
   In order to prevent denial of service attacks, an invalidation based
   on the URI in a Location or Content-Location header MUST only be
   performed if the host part is the same as in the Request-URI.

Suppose the host part is not the same as in the Request-URI. Let's
also assume that the device did perform an invalidation, subjecting
itself to a potential DoS attack. Did the device violate a MUST-level
requirement? The answer seems to depend on how you bind "only":

	[ ] Yes, this is a MUST-level violation because
		foo MUST only blah if bar
	    implies
		if not bar, foo MUST NOT blah

	[ ] No, this is not a MUST-level violation because
		foo MUST only blah if bar
	    implies just that
		if bar, foo MUST blah
	    and requires nothing when bar is false ("if not bar")
	    
I suspect that the intended interpretation is "yes, this is a MUST
violation". Can anybody confirm? Is there really a problem with the
wording, or am I imagining an ambiguity?

Thank you,

Alex.

Received on Monday, 17 June 2002 11:56:32 UTC
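
Added example (not part of the original message or of RFC 2616): a cache-side check that implements the stricter reading above ("if not bar, foo MUST NOT blah") of the quoted section 13.10 requirement. It goes slightly beyond the quoted sentence by resolving relative references against the Request-URI before comparing. The function name, the sample hosts, and the choice to compare host names only (ignoring scheme and port) are assumptions of this example.

```python
from urllib.parse import urljoin, urlsplit

# Headers the quoted RFC 2616 section 13.10 text names as invalidation sources.
INVALIDATING_HEADERS = ("Location", "Content-Location")


def header_invalidation_targets(request_uri, response_headers):
    """Split header-supplied URIs into (allowed, refused) for invalidation.

    Stricter reading from the message: when the host part differs from the
    Request-URI's host part, the cache does NOT invalidate.
    Assumption: request_uri is absolute (path already combined with Host).
    """
    request_host = urlsplit(request_uri).hostname  # urlsplit lower-cases it
    # Header field names are case-insensitive in HTTP.
    headers = {name.lower(): value for name, value in response_headers.items()}
    allowed, refused = [], []
    for name in INVALIDATING_HEADERS:
        value = headers.get(name.lower())
        if value is None:
            continue
        # Resolve relative references against the Request-URI before comparing.
        target = urljoin(request_uri, value.strip())
        target_host = urlsplit(target).hostname
        # Assumption: only the host name is compared, because the quoted text
        # says "host part"; an unknown request host refuses everything.
        if request_host is not None and target_host == request_host:
            allowed.append(target)
        else:
            refused.append(target)
    return allowed, refused


if __name__ == "__main__":
    # Constructed sample: a response to a request on shop.example that names
    # a URI on a different host in Content-Location.
    sample = {
        "Location": "/cart",
        "Content-Location": "http://other.example/index.html",
    }
    ok, skipped = header_invalidation_targets("http://shop.example/cart/42", sample)
    print("invalidate:", ok)
    print("refuse    :", skipped)
```

Logging the refused list gives an operator a signal that an origin response tried to name a URI on another host.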