MIME-Version: 1.0
In-Reply-To: <CAL0qLwbgjnt8Msofok3ExKBmChtQPfMEFgrrZBimEzU5CYgSjA@mail.gmail.com>
References: <CAL0qLwbgjnt8Msofok3ExKBmChtQPfMEFgrrZBimEzU5CYgSjA@mail.gmail.com>
Date: Fri, 15 Mar 2013 11:34:03 +0000
Message-ID: <CAKHUCzxfBtLTt3p3moGgEQx+p5kr=-e2Mn58xaqNvWFGiW=Lpw@mail.gmail.com>
From: Dave Cridland <dave@cridland.net>
To: "Murray S. Kucherawy" <superuser@gmail.com>
Content-Type: multipart/alternative; boundary=e89a8fb1f8d022d7fe04d7f5047a
Cc: IETF Apps Discuss <apps-discuss@ietf.org>
Subject: Re: [apps-discuss] draft-kucherawy-rfc5451bis
Precedence: list

--e89a8fb1f8d022d7fe04d7f5047a
Content-Type: text/plain; charset=ISO-8859-1

On Thu, Mar 14, 2013 at 7:40 PM, Murray S. Kucherawy <superuser@gmail.com>wrote:

> I've uploaded an update to draft-kucherawy-rfc5451bis for review.  It
> incorporates the feedback I've received over the last few months since the
> last version.
>
> https://datatracker.ietf.org/doc/draft-kucherawy-rfc5451bis/
>
>
I've not seen this document before, nor its predecessor, so I'm casting a
fresh pair of eyes on it. This may result in my not having understood the
draft, but I'll pretend that's the draft's fault rather than it possibly
being my own idiocy.

For the most part, this document looks fine and solid.

Two items concern me in a major way; one further item has me mildly nervous.

First, the minor one:

The header includes definition of a version ABNF production optionally
following the authentication server's identity. It took me some time to
find the note of how to treat this; I didn't see any examples with it
present either.

Second, the first major one:

The examples tend to imply, for the most part, a canonical form to the
header, which places CFWS is only particular places. In particular, all the
examples are of the form auth-srv-id "; " method "=" result, with some
optional properties and/or reason, with one single exception (which
includes a comment in lieu of a reason). It's not immediately apparent to a
comparatively novice reader that the following header field is valid:

Authentication-Results: foo.example.net (My mailserver) / (I am number) 1
(You see) ; dkim (Because I like it) /2 (Two yay) = (wait for it) pass ;
policy (And a dot can go here) . (Like that) fruit (which surprised me) =
(because I was not expecting it) banana

I appreciate it's always nicer to only write pretty examples, but given the
specification, providing a nasty one is probably needed, lest people expect
to take a whitespace delimited token and split it on '='. For some reason I
particularly wasn't expecting the CFWS around the dot. (Maybe that's
because I'm out of practise with header parsing).

In any case, highlighting this with an example seems appropriate and useful.

Thirdly, one more major concern:

You'll note that I included a version for the method in my example above.
The definition for this, from the comments in the ABNF, suggests that this
relates to the version of RFC 5451 and successors used, but this seems
unlikely - I'm also at a loss as to what a receiving implementation should
do with such a method, since the handling of version seems to be specified
only for the version number after the auth-srv-id.

I have a vague suspicion that the correct thing to do here may be to
deprecate the method version entirely, but I might be missing something -
still, it doesn't appear to relate to the method, but the header field.

Dave.

--e89a8fb1f8d022d7fe04d7f5047a
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><br><div class=3D"gmail_extra"><br><br><div class=3D"gmail=
_quote">On Thu, Mar 14, 2013 at 7:40 PM, Murray S. Kucherawy <span dir=3D"l=
tr">&lt;<a href=3D"mailto:superuser@gmail.com" target=3D"_blank">superuser@=
gmail.com</a>&gt;</span> wrote:<br>
<blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1p=
x #ccc solid;padding-left:1ex"><div dir=3D"ltr"><div><div><div><div>I&#39;v=
e uploaded an update to draft-kucherawy-rfc5451bis for review.=A0 It incorp=
orates the feedback I&#39;ve received over the last few months since the la=
st version.<br>
<br><a href=3D"https://datatracker.ietf.org/doc/draft-kucherawy-rfc5451bis/=
" target=3D"_blank">https://datatracker.ietf.org/doc/draft-kucherawy-rfc545=
1bis/</a><br>
<br></div></div></div></div></div></blockquote><div><br></div><div style>I&=
#39;ve not seen this document before, nor its predecessor, so I&#39;m casti=
ng a fresh pair of eyes on it. This may result in my not having understood =
the draft, but I&#39;ll pretend that&#39;s the draft&#39;s fault rather tha=
n it possibly being my own idiocy.</div>
<div style><br></div><div style>For the most part, this document looks fine=
 and solid.</div><div style><br></div><div style>Two items concern me in a =
major way; one further item has me mildly nervous.</div><div style><br>
</div><div style>First, the minor one:</div><div style><br></div><div style=
>The header includes definition of a version ABNF production optionally fol=
lowing the authentication server&#39;s identity. It took me some time to fi=
nd the note of how to treat this; I didn&#39;t see any examples with it pre=
sent either.</div>
<div style><br></div><div style>Second, the first major one:</div><div styl=
e><br></div><div style>The examples tend to imply, for the most part, a can=
onical form to the header, which places CFWS is only particular places. In =
particular, all the examples are of the form auth-srv-id &quot;; &quot; met=
hod &quot;=3D&quot; result, with some optional properties and/or reason, wi=
th one single exception (which includes a comment in lieu of a reason). It&=
#39;s not immediately apparent to a comparatively novice reader that the fo=
llowing header field is valid:</div>
<div style><br></div><div style>Authentication-Results: <a href=3D"http://f=
oo.example.net">foo.example.net</a> (My mailserver) / (I am number) 1 (You =
see) ; dkim (Because I like it) /2 (Two yay) =3D (wait for it) pass ; polic=
y (And a dot can go here) . (Like that) fruit (which surprised me) =3D (bec=
ause I was not expecting it) banana</div>
<div style><br></div><div style>I appreciate it&#39;s always nicer to only =
write pretty examples, but given the specification, providing a nasty one i=
s probably needed, lest people expect to take a whitespace delimited token =
and split it on &#39;=3D&#39;. For some reason I particularly wasn&#39;t ex=
pecting the CFWS around the dot. (Maybe that&#39;s because I&#39;m out of p=
ractise with header parsing).</div>
<div style><br></div><div style>In any case, highlighting this with an exam=
ple seems appropriate and useful.</div><div style><br></div><div style>Thir=
dly, one more major concern:</div><div style><br></div><div style>You&#39;l=
l note that I included a version for the method in my example above. The de=
finition for this, from the comments in the ABNF, suggests that this relate=
s to the version of RFC 5451 and successors used, but this seems unlikely -=
 I&#39;m also at a loss as to what a receiving implementation should do wit=
h such a method, since the handling of version seems to be specified only f=
or the version number after the auth-srv-id.</div>
<div style><br></div><div style>I have a vague suspicion that the correct t=
hing to do here may be to deprecate the method version entirely, but I migh=
t be missing something - still, it doesn&#39;t appear to relate to the meth=
od, but the header field.</div>
<div style><br></div><div style>Dave.</div></div></div></div>

--e89a8fb1f8d022d7fe04d7f5047a--