- From: Alex Rousskov <rousskov@measurement-factory.com>
- Date: Fri, 21 Jun 2002 19:36:42 -0600 (MDT)
- To: Jeffrey Mogul <Jeff.Mogul@hp.com>
- cc: ietf-http-wg@w3.org
Hi Jeff,

Thanks for the clarification! I agree that the "[] No" interpretation would make little practical sense, but I am sure that when our test suite detects this violation, some violators would use the ambiguity as an excuse. Now I can use your response as a munition ;-).

If there is a chance to update the protocol specs, I think it would be a good idea to use your new wording. I would also suggest, if I may, that the words "In order to prevent denial of service attacks," are deleted or at least isolated from the MUST requirement in a separate non-normative statement:

    An invalidation based on the URI in a Location or
    Content-Location header MUST NOT be performed if the host part
    of that URI differs from the host part in the Request-URI. This
    restriction helps prevent denial of service attacks.

Alex.

On Fri, 21 Jun 2002, Jeffrey Mogul wrote:

> Sorry for the slow reply on this:
>
> Alex Rousskov <rousskov@measurement-factory.com> writes:
>
>   I cannot decide if the following is a MUST-level requirement
>   (i.e., its violation prevents RFC 2616 compliance, even conditional):
>
>     13.10 Invalidation After Updates or Deletions
>     ...
>     In order to prevent denial of service attacks, an invalidation based
>     on the URI in a Location or Content-Location header MUST only be
>     performed if the host part is the same as in the Request-URI.
>
>   Suppose the host part is not the same as in the Request-URI. Let's
>   also assume that the device did perform an invalidation, subjecting
>   itself to a potential DoS attack. Did the device violate a MUST-level
>   requirement? The answer seems to depend on how you bind "only":
>
>     [ ] Yes, this is a MUST-level violation because
>           foo MUST only blah if bar
>         implies
>           if not bar, foo MUST NOT blah
>
>     [ ] No, this is not a MUST-level violation because
>           foo MUST only blah if bar
>         implies just that
>           if bar, foo MUST blah
>         and requires nothing when bar is false ("if not bar")
>
>   I suspect that the intended interpretation is "yes, this is a MUST
>   violation". Can anybody confirm? Is there really a problem with the
>   wording, or am I imagining an ambiguity?
>
> I'm pretty sure that I wrote the text in 13.10 (not 100% sure),
> so I guess this is my problem. If you can't understand what it
> means, then I guess that does mean that the wording isn't sufficiently
> clear.
>
> Perhaps this is a clearer wording:
>
>     In order to prevent denial of service attacks, an invalidation
>     based on the URI in a Location or Content-Location header MUST
>     NOT be performed if the host part of that URI differs from the
>     host part in the Request-URI.
>
> This corresponds to your "[ ] Yes" alternative above. The other
> interpretation doesn't seem to prevent any DOS attacks. (If I had
> meant the other alternative, I would have written something like
> "foo MUST be performed if bar").
>
> Clear?
>
> -Jeff
>
Received on Friday, 21 June 2002 21:36:46 UTC
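
The "MUST NOT" reading discussed in this message, written out as a cache-side check. This is an added example, not part of the original message or of any implementation mentioned in the thread. The function names, the sample URIs and the assumption that the Request-URI is absolute are hypothetical; the list of invalidating methods and the invalidation of the Request-URI itself follow RFC 2616 section 13.10.

```python
from urllib.parse import urljoin, urlsplit

# Methods whose responses trigger invalidation in RFC 2616 section 13.10.
INVALIDATING_METHODS = {"PUT", "POST", "DELETE"}


def host_part(uri):
    """Lower-cased host of an absolute URI, or None if absent or unparsable."""
    try:
        return urlsplit(uri).hostname  # hostname is already lower-cased
    except ValueError:  # e.g. malformed IPv6 literal
        return None


def invalidation_targets(method, request_uri, response_headers):
    """Split candidate URIs into (invalidate, refused) for one exchange."""
    if method.upper() not in INVALIDATING_METHODS:
        return [], []
    headers = {k.lower(): v for k, v in response_headers.items()}
    request_host = host_part(request_uri)  # assumes an absolute Request-URI
    invalidate, refused = [request_uri], []
    for name in ("location", "content-location"):
        value = headers.get(name, "").strip()
        if not value:
            continue
        target = urljoin(request_uri, value)  # relative refs keep the host
        # MUST NOT invalidate when the host part differs from the Request-URI.
        if request_host is not None and host_part(target) == request_host:
            invalidate.append(target)
        else:
            refused.append(target)
    return invalidate, refused


def demo():
    """Constructed sample: a PUT whose response names another host."""
    cache = {  # constructed cache entries keyed by URI
        "http://shop.example/item/1": b"old item",
        "http://shop.example/list": b"old list",
        "http://victim.example/index.html": b"front page",
    }
    invalidate, refused = invalidation_targets(
        "PUT", "http://shop.example/item/1",
        {"Location": "/list", "Content-Location": "http://victim.example/index.html"})
    for uri in invalidate:
        cache.pop(uri, None)
    return sorted(cache), refused
```

Calling demo() leaves only the victim.example entry in the cache and reports its URI as refused, which is the behaviour a compliance test for the "[ ] Yes" reading would check.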