- From: Ben Campbell <ben@nostrum.com>
- Date: Wed, 12 Sep 2018 11:06:56 -0500
- To: Mark Nottingham <mnot@mnot.net>
- Cc: The IESG <iesg@ietf.org>, draft-ietf-httpbis-expect-ct@ietf.org, HTTP Working Group <ietf-http-wg@w3.org>
- Message-Id: <054ABDF3-83EF-46B3-ADC2-B9EF6A9D920C@nostrum.com>
Hi Mark,

Just one comment-question :-)

> On Sep 12, 2018, at 11:03 AM, Mark Nottingham <mnot@mnot.net> wrote:
>
> Hi Ben,
>
> Just one comment -
>
>> On 11 Sep 2018, at 7:13 pm, Ben Campbell <ben@nostrum.com> wrote:
>>
>> Ben Campbell has entered the following ballot position for
>> draft-ietf-httpbis-expect-ct-07: Yes
>>
>> When responding, please keep the subject line intact and reply to all
>> email addresses included in the To and CC lines. (Feel free to cut this
>> introductory paragraph, however.)
>>
>>
>> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
>> for more information about IESG DISCUSS and COMMENT positions.
>>
>>
>> The document, along with other ballot positions, can be found here:
>> https://datatracker.ietf.org/doc/draft-ietf-httpbis-expect-ct/
>>
>>
>>
>> ----------------------------------------------------------------------
>> COMMENT:
>> ----------------------------------------------------------------------
>>
>> Thanks for this work. I'm balloting "Yes", but I have a few minor comments.
>>
>> Substantive:
>>
>> §2.1, step 6: Is there no room for local policy here?
>>
>> §2.1.3: The guidance for max-age in the security considerations section
>> suggests 30 days is a good value. But the directive is specified in seconds.
>> Does that make sense? Would a 1 second max-age ever be reasonable? Or even 30
>> days + 1 second?
>
> Pretty much everything in HTTP is done at second granularity; deviating from that would be odd IMO.

I certainly don’t have all the HTTP uses of time intervals loaded in my head--are time intervals on the order of “1 month” commonly used elsewhere?

Ben.

>
> Cheers,
>
>>
>> Editorial:
>>
>> - General: This uses a non-standard section order towards the end.
>> Conventionally the last 2 sections should be security considerations and IANA
>> considerations (although the order between those two varies.)
>>
>> §2.2.2: The second sentence is about UA behavior. It seems like that belongs
>> somewhere under §2.3.
>>
>> §2.3: "SHALL be canonicalized"
>> By the UA? (The use of passive voice here obscures the actor.)
>>
>>
>
> --
> Mark Nottingham https://www.mnot.net/
>
Received on Wednesday, 12 September 2018 16:38:19 UTC