Re: Fwd: SECDIR review of draft-ietf-httpbis-alt-svc-12

On 2016-02-22 18:45, Julian Reschke wrote:
> On 2016-02-22 00:43, Mark Nottingham wrote:
>> FYI; we got a secdir review of alt-svc, with some editorial issues.
>>
>>
>>> Begin forwarded message:
>>>
>>> From: Mark Nottingham <mnot@mnot.net>
>>> Subject: Re: SECDIR review of draft-ietf-httpbis-alt-svc-12
>>> Date: 22 February 2016 at 10:42:02 AM AEDT
>>> To: Chris Lonvick <lonvick.ietf@gmail.com>
>>> Cc: "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org"
>>> <secdir@ietf.org>, draft-ietf-httpbis-alt-svc.all@tools.ietf.org
>>>
>>> Hi Chris,
>>>
>>> Thanks for the review. See:
>>>   https://github.com/httpwg/http-extensions/commit/23d3b09374c077
>>> ...
>
>
> I'm not totally OK with all the edits, for instance we now have
> normative language in notes, and a lowercase "required" has sneaked in.
>
> Will review tomorrow.

OK, here we go. Below are the changes that IMHO need to be reviewed as 
they affect normative language:


> Section 2., paragraph 11:
> OLD:
>
>     Alt-Svc MAY occur in any HTTP response message, regardless of the
>     status code.  Note that recipients of Alt-Svc are free to ignore the
>     header field (and indeed need to in some situations; see Sections 2.1
>     and 6).
>
> NEW:
>
>     Alt-Svc MAY occur in any HTTP response message, regardless of the
>     status code.  Note that recipients of Alt-Svc MAY ignore the header
>     field (and are required to in some situations; see Sections 2.1 and
>     6).

This should be reverted; the actual requirements are in Sections 2.1 and 
6, and we should not have them in multiple places.

> Section 4., paragraph 2:
> OLD:
>
>     The ALTSVC frame is a non-critical extension to HTTP/2.  Endpoints
>     that do not support this frame can safely ignore it.
>
> NEW:
>
>     The ALTSVC frame is a non-critical extension to HTTP/2.  Endpoints
>     that do not support this frame MAY ignore it.

This is IMHO misleading as it is true for any unknown frame. It just 
follows from 
<http://greenbytes.de/tech/webdav/rfc7540.html#rfc.section.4.1>:

"Implementations MUST ignore and discard any frame that has a type that 
is unknown."

> Section 4., paragraph 13:
> OLD:
>
>     The ALTSVC frame is intended for receipt by clients; a server that
>     receives an ALTSVC frame can safely ignore it.
>
> NEW:
>
>     The ALTSVC frame is intended for receipt by clients.  A device acting
>     as a server MUST ignore it.

I'm ok with this one (but wanted to highlight the new normative 
requirement).

Best regards, Julian

Received on Thursday, 25 February 2016 12:44:56 UTC
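
The frame handling discussed in the message above, as an added example that is not part of the original e-mail or of the draft: a receiver that drops unknown frame types per RFC 7540 Section 4.1 and, when acting as a server, ignores ALTSVC. The ALTSVC type value 0xa and payload layout (16-bit Origin-Len, Origin, Alt-Svc-Field-Value) are from the Alt-Svc specification; the function names, return tuples and sample bytes are constructed for illustration.

```python
import struct

ALTSVC = 0xA                          # ALTSVC frame type from the Alt-Svc spec
CORE_TYPES = frozenset(range(0x0, 0xA))  # 0x0-0x9 are defined by RFC 7540

def frame(ftype, sid, payload, flags=0):
    """Build one HTTP/2 frame: 24-bit length, type, flags, R + 31-bit stream id."""
    n = len(payload)
    return struct.pack(">BHBBI", n >> 16, n & 0xFFFF, ftype, flags, sid) + payload

def read_frames(buf):
    """Yield (type, stream_id, payload) for every complete frame in buf."""
    off = 0
    while off + 9 <= len(buf):
        hi, lo, ftype, _flags, sid = struct.unpack_from(">BHBBI", buf, off)
        end = off + 9 + ((hi << 16) | lo)
        if end > len(buf):            # truncated frame: wait for more bytes
            break
        yield ftype, sid & 0x7FFFFFFF, buf[off + 9:end]
        off = end

def parse_altsvc(payload):
    """Return (origin, field_value), or None if the payload is malformed."""
    if len(payload) < 2:
        return None
    (origin_len,) = struct.unpack_from(">H", payload)
    if 2 + origin_len > len(payload):
        return None
    origin = payload[2:2 + origin_len].decode("ascii", "replace")
    return origin, payload[2 + origin_len:].decode("ascii", "replace")

def handle(buf, role, altsvc_supported=True):
    """Return one (action, detail) decision per frame received by `role`."""
    known = CORE_TYPES | ({ALTSVC} if altsvc_supported else set())
    out = []
    for ftype, _sid, payload in read_frames(buf):
        if ftype not in known:        # RFC 7540 4.1: ignore and discard
            out.append(("ignored", "unknown frame type 0x%x" % ftype))
        elif ftype == ALTSVC and role == "server":
            out.append(("ignored", "ALTSVC received by server"))
        elif ftype == ALTSVC:
            parsed = parse_altsvc(payload)
            out.append(("altsvc", parsed) if parsed else ("ignored", "malformed ALTSVC"))
        else:
            out.append(("core", ftype))
    return out

# Constructed sample: ALTSVC on stream 0, a made-up type 0xee, then PING (0x6).
_origin, _value = b"https://example.org", b'h2="alt.example.org:443"'
SAMPLE = (frame(ALTSVC, 0, struct.pack(">H", len(_origin)) + _origin + _value)
          + frame(0xEE, 0, b"\x00\x01") + frame(0x6, 0, b"\x00" * 8))
```

With altsvc_supported=False the ALTSVC frame falls into the same branch as any other unknown type, which is the behaviour the reply attributes to RFC 7540 Section 4.1.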