[apps-discuss] APPSDIR review of draft-ietf-httpbis-p2-semantics-24

S Moonesamy <sm+ietf@elandsys.com> Mon, 28 October 2013 08:08 UTC

Return-Path: <sm@elandsys.com>
X-Original-To: apps-discuss@ietfa.amsl.com
Delivered-To: apps-discuss@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2904221F9F40; Mon, 28 Oct 2013 01:08:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.235
X-Spam-Level:
X-Spam-Status: No, score=-102.235 tagged_above=-999 required=5 tests=[AWL=0.364, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gpcZ1rZvTNQF; Mon, 28 Oct 2013 01:08:25 -0700 (PDT)
Received: from mx.ipv6.elandsys.com (mx.ipv6.elandsys.com [IPv6:2001:470:f329:1::1]) by ietfa.amsl.com (Postfix) with ESMTP id B965C11E8151; Mon, 28 Oct 2013 01:08:23 -0700 (PDT)
Received: from SUBMAN.elandsys.com ([197.224.154.55]) (authenticated bits=0) by mx.elandsys.com (8.14.5/8.14.5) with ESMTP id r9S8879B021796 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 28 Oct 2013 01:08:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=opendkim.org; s=mail2010; t=1382947700; bh=brm049+R5VV06af1eqFZ9hamPFoFEA6dnx7Q7QmH8ss=; h=Date:To:From:Subject:Cc; b=Va4BOaKL5W/mkUcnX/Dw4Su0UnEQ1j1DAsu+vGR9vXuVY5R8Z27D1QeH/i4v3GSAW X2KVv+hykMFBj6nsWCrrLsOsyFC2WF4U4clk9s/eBMa7L/4wxpblRNYbBmLg6Ue++u dPgEG34HBnMDLbXRTE8xIUsI0IGOpPR0RuqFTge0=
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=elandsys.com; s=mail; t=1382947700; i=@elandsys.com; bh=brm049+R5VV06af1eqFZ9hamPFoFEA6dnx7Q7QmH8ss=; h=Date:To:From:Subject:Cc; b=aE/7bY1UE+i/v732xpJnwchDiIUUNR/PgUs6O5nNxqn4Rw9uf3H0XZCW/R9A8Qe1/ BJ0d5I5DBXCRAJVEcYb1apsQdgjDY4EpA56nIugauEqwICLKd74An3fH4rI5SYbj+s wgba1w8QA7W7B+DdnK8myep64IBSSD0Blj8pXwkQ=
Message-Id: <6.2.5.6.2.20131027115007.07e32210@elandnews.com>
X-Mailer: QUALCOMM Windows Eudora Version 6.2.5.6
Date: Mon, 28 Oct 2013 01:07:31 -0700
To: apps-discuss@ietf.org, draft-ietf-httpbis-p2-semantics.all@tools.ietf.org
From: S Moonesamy <sm+ietf@elandsys.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Cc: iesg@ietf.org, ietf-http-wg@w3.org, ietf@ietf.org
Subject: [apps-discuss] APPSDIR review of draft-ietf-httpbis-p2-semantics-24
X-BeenThere: apps-discuss@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: General discussion of application-layer protocols <apps-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/apps-discuss>
List-Post: <mailto:apps-discuss@ietf.org>
List-Help: <mailto:apps-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Oct 2013 08:08:26 -0000

I have been selected as the Applications Area Directorate reviewer 
for this draft (for background on APPSDIR, please see 
http://trac.tools.ietf.org/area/app/trac/wiki/ApplicationsAreaDirectorate ).

Please resolve these comments along with any other Last Call comments 
you may receive. Please wait for direction from your document 
shepherd or AD before posting a new version of the draft.

Document: draft-ietf-httpbis-p2-semantics-24
Title: Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content
Reviewer: S. Moonesamy
Review Date: October 28, 2013
IETF Last Call Date: October 21, 2013

Summary: This draft is almost ready for publication as a Proposed Standard.

This document defines the semantics of HTTP/1.1 messages, as 
expressed by request methods, request header fields, response status 
codes, and response header fields, along with the payload of messages 
(metadata and body content) and mechanisms for content negotiation.

The draft is well-written and clear.

Major Issues:

In Section 3.1.1.5:

   'If a Content-Type header field is not present, the recipient MAY
    either assume a media type of "application/octet-stream" ([RFC2046],
    Section 4.5.1) or examine the data to determine its type.'

According to RFC 2046, the "octet-stream" subtype is used to indicate 
that a body contains arbitrary data.  The RFC 2119 "may" leaves it to 
the implementor to make an assumption.  I suggest turning this into a 
recommendation so that the assumption is clear to the 
implementor.  There is a discussion of MIME sniffing in 
draft-ietf-websec-mime-sniff-03.  There has been discussion about 
MIME or Content sniffing over the years.  I am aware that some 
browsers do MIME sniffing.  I understand that it is sometimes needed 
to make the Web work.  However, it can lead to security 
vulnerabilities.  The paragraph which follows the one quoted above 
discusses about that.  I listed this as a major issue for the 
attention of the Applications Area Directors.

Minor Issues:

In Section 5.5.1:

   'The "From" header field contains an Internet email address for a
    human user who controls the requesting user agent.  The address ought
    to be machine-usable, as defined by "mailbox" in Section 3.4 of
    [RFC5322]:'

The above text is similar to text which was in RFC 2068 and RFC 
2616.  The "mailbox" may also contain a display name whereas the 
"addr-spec" (see Section 3.4.1) is an Internet mail address.  I 
listed this issue as minor to flag it for the attention of the 
HTTPbis Working Group.

In Section 5.5.3:

   "a sender MUST NOT generate advertising or other non-essential information
    within the product identifier"

I suggest having the text as guidance together with an explanation 
instead of a RFC 2119 prohibition.

In Section 7.1.1:

   "The preferred format is a fixed-length and single-zone subset of
    the date and time specification used by the Internet Message Format
    [RFC5322]"

The ABNF imports obs-date from RFC 5322.  "GMT" is defined in 
"obs-zone" (see RFC 5322).  There is the following in the section:

   "For example, messages are occasionally forwarded over HTTP from a
    non-HTTP source that might generate any of the date and time
    specifications defined by the Internet Message Format."

I listed this as a minor issue.  I am not suggesting any change as 
"GMT" is used in other header fields.  I'll defer to the HTTPbis 
Working Group as to whether there should be a note about "GMT" with 
an explanation that although "GMT" is deprecated the use is widespread.

Section 8.1 defines a HTTP Method Registry where registration 
requires IETF Review.  I took a quick look at Issue #364.  Section 
4.2 discusses about common method properties, e.g. cacheable.  The 
fields in Section 8.1.1 does not include cacheable.

There are considerations for new methods in Section 8.1.2.  I gather 
that the working group understands that someone will have to review 
the specification and raise an issue if the considerations are not followed.

The table in Section 8.1.3 only mentions the section number.  There 
is an assumption that the specification text is in this draft.  I 
suggest also adding a reference for the RFC number.  As a note for 
the reader, draft-ietf-httpbis-method-registrations-13 also registers 
some HTTP methods.

The above assumption also applies to Section 8.2.  I suggest updating 
the existing registrations at 
http://www.iana.org/assignments/http-status-codes/ so that the
HTTP Status Code Registry is compliant with Section 8.2.1.

Nits:

In Section 5.5.2:

  "Referer allows servers to generate back-links to other resources for"

  "information disclosure in Referer ought to restrict their changes to"

I'll defer to the editors as to whether to add "header field".

I suggest changing the RFC 1305 reference in Section 7.1.1.1 to RFC 5905.

In Section 8.3.1:

   'Authors of specifications defining new fields are advised to keep the
    name as short as practical and to not prefix the name with "X-"
    unless the header field will never be used on the Internet.'

I suggest adding a reference to BCP 178.

Regards,
S. Moonesamy