RE: I-D ACTION:draft-ietf-webdav-rfc2518bis-03.txt from Julian Reschke on 2003-03-18 (w3c-dist-auth@w3.org from January to March 2003)

From: Julian Reschke <julian.reschke@gmx.de>
Date: Tue, 18 Mar 2003 13:51:43 +0100
To: <w3c-dist-auth@w3.org>
Message-ID: <JIEGINCHMLABHJBIGKBCCEMGGMAA.julian.reschke@gmx.de>
Here's a set of both -bis03 and generic RFC2518 comments:

Content:

03-C01

Paragraph 1: “A DTD is provided…” -> “An informational DTD is provided…”


03-C02

4.4: “…or when they may be shown to a human user and hence require encoding
in…”

I’m not sure what the requirement “may be shown to a human user” is supposed
to mean here. Proposal: just write:

“…or when they require encoding in…”


03-C03

4.4: “Note that the use of a new top-level URI identifier as a namespace is
considered by many to be a bad thing…”

Rewrite as:

“Note that both defining a new URI scheme just for the purpose of
identifying protocol elements, and using just the scheme name as a namespace
name is to be considered a bad practice, and should not be copied”.


03-C04

4.5: “The value of a property when expressed in XML MUST be well formed.”

The value of a property always is expressed in XML (or more precisely: an
XML fragment). XML by definition is well-formed.


03-C05

4.5: “The value of a property appears inside the property name element.  The
value may be any text, including valid XML.  When the value is  structured
as XML, namespaces that are in scope for that part of the  XML document
apply within the property value as well, and MUST be  preserved in server
storage for retransmission later. Namespace prefixes need not be preserved
due to the rules of prefix declaration in XML.”

1)	I think this needs to rephrased to use proper XML terminology, also
2)	I think that namespace prefixes within the property value do need to be
round.tripped.

Proposal:

“The value of a property appears inside the property name element and may be
any kind of well-formed XML content, including both text-only and mixed
content. When the property value contains further XML elements, namespaces
and namespace prefixes that are in scope for that part of the XML document
apply within the property value as well, and MUST be preserved in server
storage for retransmission later.”


03-C06:

6.3: “A lock token is returned by every successful LOCK operation in the
lockdiscovery property in the response body, and can also be found through
lock discovery on a  resource. Each lock has only one unique lock token.”

Change to:

“A lock token is returned by every successful LOCK operation in the
lock-token header, and can also be found through lock discovery on a
resource. Each lock has exactly one unique lock token.”


03-C07:

6.4: “All resources MUST recognize the opaquelocktoken scheme and, at
minimum, recognize that the lock token does not refer to an outstanding lock
on the resource.”

(old text) I think this is misleading. Any resource must recognize any valid
URI. If a URI uses a scheme it doesn’t know of, this simply means it doesn’t
identify any particular lock assigned by this server. So I’d recommend to
get rid of this sentence, and possibly add a clarification to 6.3 instead.


03-C08:

7.4: “However, interoperability and compliance problems have been found with
lock-null resources.  Therefore, they are deprecated.  WebDAV servers
compliant with this document SHOULD create regular locked empty resources,
which behave in every way as if they were a normal resource.”

This sort of suggests that lock-null resources indeed are still something
different than a normal resource, which isn’t true.


03-C09:

7.4: “Can be downloaded, deleted, moved, copied, and in all ways behave as a
regular resource, not a lock-null resource.”

I think the term “downloaded” is misleading here. From a WebDAV protocol
p.o.v., it probably should be “read”.


03-C10:

7.4.: “SHOULD default to a content-type of "application/octet-stream". “

No. I don’t think there’s consensus for that, and requiring a specific
content type seems to have no value at all to clients (see also 8.11,
“Locking Unmapped URLs”).


03-C11:

7.8: “If an error is received in response to a refresh LOCK request the
client SHOULD assume that the lock was not refreshed.”

I think we should make that a “MUST”.


03-C12:

8.1.1.: “Some of the following new HTTP methods use XML as a request and
response format.  All DAV compliant clients and resources MUST use  XML
parsers that are compliant with [REC-XML].”

Add “…and [REC-XMLNS]”.

We also need allow servers and clients to rejects a certain set of
request/response that are indeed well-formed, in particular:

-	when it exceeds some predefined size or
-	when expansion of internal entities may cause a denial of service.

03-C13:

8.1.2: “Some of these new methods do not define bodies.  Servers MUST
examine all requests for a body, even when a body was not expected.  In
cases where a request body is present but would be ignored by a  server, the
server MUST reject the request with 415 (Unsupported  Media Type).  This
informs the client (which may have been attempting to use an extension) that
the body could not be processed as they intended.”

I’d like to understand whether this affects methods other than MKCOL.


03-C14:

8.1.3: “When the Location header is used in a response, it is used by the
server to indicate the preferred address for the target resource of  the
request.  Whenever the server has a preferred address, it should  use that
address consistently.  This means that when a response contains a Location
header, all the URLs in the response body (e.g. a Multi-Status) should be
consistent.”

If we keep this paragraph, we’ll have to define what “consistent” means
here.


03-C15:

8.1.4.: “Note that HTTP 1.1 requires the Date header in all responses.”

That’s not true. HTTP 1.1 specifically supports clockless servers.


03-C16:

8.1.5: “If ETags are supported for a resource, the server MUST return the
ETag header in all PUT and GET responses to that resource, as well as
provide the same value for the 'getetag'  property.”

Note that this breaks the “etag promotion” strategy used both by IIS and
Moddav (PUT usually returns weak etags which later are promoted to strong
etags when there was no other change to that resource within a specific time
window). Therefore I’d make that a SHOULD (at least for PUT).


03-C17:

8.1.5.: “Because clients may be forced to prompt users or throw away changed
content if the ETag changes, a WebDAV server MUST not change the  ETag (or
getlastmodified value) for a resource when only its property values change.”

Some servers do, and I don’t think we can change that. Therefore I think
this change at least needs explicit consensus on the mailing list.


03-C18:

8.1.6: “HTTP and WebDAV did not use the bodies of most error responses until
DeltaV introduced a mechanism to include more specific information in the
body of an error response (section 1.6 of [RFC3253]).”

That’s not really true. HTTP indeed recommends to send error descriptions in
the response bodies as well.


03-C19:

General comment re: 8.1.6: I really like that change (actually, I like it so
much that I’d like to have condition names for all frequently signalled
problems….). However, if it uses the same format as RFC3253, it should be
consistent with it. In particular, the names should identify conditions that
must be met. For instance, use “allow-external-entities” rather than
“forbid-internal-entities”. We may also want to note that one DAV:error
element can hold multiple elements identifying failed conditions.


03-C20:

8.2.: “DAV compliant servers MUST support the "0", "1" and "infinity"
behaviors.”

Change to:

“DAV compliant servers MUST support the "0" and "1" behaviors and MAY
support the "infinity" behavior.”


03-C21:

8.2.: “Note that ‘allprop’ does not return values for all properties.”

Change to:

“Note that ‘allprop’ does not return values for all live properties.”



03-C22:

8.2: “URLs for collections appearing in the results MUST end  in a slash
character.”

I don’t think we have consensus for this being a MUST.


03-C23:

8.2: “Note that URLs and URIs in XML must always be fully legal URIs. For
example, it is illegal to use a space character or double-quote in a  URI
[RFC2396].  URL-escaping is commonly used (e.g. replace a space with a
sequence such as %20). The URI must not appear in XML "unescaped", it must
be in its legal URI format.”

This is misleading. Of course URIs must conform to the URI syntax – that’s
the whole point, right? In particular, there’s no such thing as a “unescaped
form” of a URI. URIs do not allow the space character, and therefore a URI
never ever contains a space character.

What we should say here is how servers should behave when their internal
implementation model of collections allow member names that aren’t legal URL
path segments (answer: encode as UTF-8 octet stream, then URI-escape).


03-C24:

8.2.2: “This example also demonstrates the use of XML namespace scoping, and
the default namespace.  Since the "xmlns" attribute does not contain  an
explicit "shorthand name" (prefix) letter, the namespace applies by default
to all enclosed elements.  Hence, all elements which do not explicitly state
the namespace to which they belong are members  of the "DAV:" namespace
schema.”

Change to:

“This example also demonstrates the use of XML namespace scoping, and  the
default namespace.  Since the "xmlns" attribute does not contain a prefix,
the namespace applies by default to all non-prefixed enclosed elements.
Hence, all elements which do not explicitly state the namespace to which
they belong are members  of the "DAV:" namespace.”

(Actually I’d rather prefer to get rid of this. RFC2518bis shouldn’t try to
give XML lessons).


03-C25:

8.7: “If the DELETE method is issued to a non-collection resource whose
URIs are an internal member of one or more collections, then during  DELETE
processing a server MUST remove any URI for the resource identified by the
Request-URI from collections which contain it as a member.”

I think we want to get rid of this statement. Does anybody implement this
right now?


03-C26:

8.11: “The LOCK request may have a Timeout  header.”

“may” -> “MAY”.


03-C27:

8.11, “Interaction with other Methods”: “However, independent of lock type,
a successful DELETE  of a resource MUST cause all of its locks to be
removed.”

(old text) I think this is misleading. A DELETE on a resource only removes
those locks that aren’t inherited.


03-C28:

8.12: “A successful response to an UNLOCK method does not mean that the
resource is unlocked.  At most, it means that the specified token no longer
identifies a lock on the resource.”

Change to:

“A successful response to an UNLOCK method does not mean that the resource
is unlocked.  At most, it means that the specified token no  longer
identifies a lock on any resource.”


03-C29:

9.1 (DAV header) allows coded URLs in the DAV header. I’d like to see the
rationale for that.


03-C30:

9.4 (force-authenticate): is this the consensus we reached in January?
Ilyas, did you take notes?


03-C31:

9.5 defines “<no-lock>” as a new special state token. I think this is
unneeded – any URI which is known not to identify a lock MUST work as well,
so we can simply recommend using something like “<DAV:no-lock>” (which is
something that RFC2518-compliant servers already support).


03-C32:

(old text) The example in 9.5.2 uses an invalid lock token (the URI scheme
“locktoken” isn’t IETF-registered, so it can’t claim conformance to the
uniqueness requirements). Just use a sample token using the
 “opaquelocktoken” scheme instead).


03-C33:

9.5.5: “The not production is used to reverse that value.”

Change to:

“The ‘Not’ production is used to reverse that value.”


03-C34:

Section 13: XML element definitions

I don’t like the syntax change in the DTDs. For instance, activelock now is
defined as:

   <!ELEMENT activelock ANY>
   ANY value: Any number of elements, including one of each of
   (lockscope, locktype, depth, owner, timeout, locktoken, lockroot)

It used to be:

   <!ELEMENT activelock (lockscope, locktype, depth, owner?, timeout?,
   locktoken?) >

For consistency with RFC2518, RFC3253 and the ACL spec we really should stay
with the old notation.


03-C35:

Section 17: “which has explicit provisions for character set tagging and
encoding, and requires that XML processors read XML elements encoded, at
minimum, using the UTF-8 [UTF-8] encoding of the ISO  10646 multilingual
plane.”

Unless we get rid of this section, we’ll have to add UTF-16.


03-C36:

Section 17: “Names used within this specification fall into three
categories:  names of protocol elements such as methods and headers, names
of XML elements, and names of properties.”

We may want to add a new category (condition names).





Editorial notes:


03-E01

Expiry date is wrong.


03-E02

IETF wants a maximum of 5 authors.


03-E03

Paragraph 1: “marshall”  -> “marshal”


03-E04

There are many places where example URLs do not use the set of example host
names allowed by the IETF.


03-E05

8.1.5 uses the term “etag”. HTTP uses “etag” only as header names, and talks
about “entity tags” everywhere else. So should we.


03-E06

8.2.2 uses the term “progeny”, which I haven’t seen before in this context.
Maybe replace by something more common, such as “members”.


03-E07:

8.2.2. still uses concatenation of namespace names and element names to
identify property names.






--
<green/>bytes GmbH -- http://www.greenbytes.de -- tel:+492512807760
Received on Tuesday, 18 March 2003 07:51:51 UTC