IETF Logo Mail Archive

Re: [art] [saag] Date formats: RFC3339 vs. RFC 5322

Benjamin Kaduk <kaduk@mit.edu> Wed, 14 April 2021 23:55 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: art@ietfa.amsl.com
Delivered-To: art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BF4A03A2539; Wed, 14 Apr 2021 16:55:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id k_bIKUH474dY; Wed, 14 Apr 2021 16:55:10 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2BE3F3A2533; Wed, 14 Apr 2021 16:55:09 -0700 (PDT)
Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 13ENswHe001894 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 14 Apr 2021 19:55:03 -0400
Date: Wed, 14 Apr 2021 16:54:57 -0700
From: Benjamin Kaduk <kaduk@mit.edu>
To: Nico Williams <nico@cryptonector.com>
Cc: Paul Hoffman <paul.hoffman@vpnc.org>, art@ietf.org, saag@ietf.org
Message-ID: <20210414235457.GY79563@kduck.mit.edu>
References: <CAAyEnSMBdXCA0EvgR79P_1gi15pAPfeyu_HgGqgMjWxRP8sxKg@mail.gmail.com> <901F4345-91B6-42CA-9F68-27DB4C539F3D@vpnc.org> <20210413200101.GL9612@localhost>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <20210413200101.GL9612@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/art/xx8DOca0WupMqVoSS6D-FxxQFFo>
Subject: Re: [art] [saag] Date formats: RFC3339 vs. RFC 5322
X-BeenThere: art@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications and Real-Time Area Discussion <art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/art>, <mailto:art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/art/>
List-Post: <mailto:art@ietf.org>
List-Help: <mailto:art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/art>, <mailto:art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Apr 2021 23:55:13 -0000

On Tue, Apr 13, 2021 at 03:01:02PM -0500, Nico Williams wrote:
> On Tue, Apr 13, 2021 at 12:30:21PM -0700, Paul Hoffman wrote:
> > Given that the date in that section of that draft is meant to be machine
> > parsed, choosing RFC 5322 (neé 822) date formats is a particularly bad idea,
> > given the existence of RFC 3339.
> 
> I mean, strptime() can handle both, and since everything is written in C
> (which is why we so badly need security.txt!), that's enough.  But yes,
> ISO 8601 is much easier to parse.  And it will be even easier to compare
> dates if security.txt ends up using Zulu time, since then plain string
> comparison (even memcmp()!) is enough.
> 
> Thinking about implementation... I suddenly wonder why security.txt
> should have expiration instead of a TTL.  I'm pretty sure what's really
> intended is that I not cache security.txt files too long so that they
> can be updated.  Indeed, sections 3.5.5 and 6.3 make it clear that this
> is about caching.
> 
> An optional publication time (ISO 8601), and a required TTL measured in
> hours or days would be more than sufficient, and maybe superior to a
> notAfter.  Unless the point of `Expires` is also to force the publisher
> to keep security.txt up to date.

Yes, that.
We got a lot of LC feedback that (okay, I might be exaggerating for effect)
the future Internet would be littered with piles of stale security.txt
files to the extent that the mechanism would be rendered useless due to the
expectation of stale content.  Adding "Expires" serves as something of a
"dead-man's switch" that lets stale content age out relatively gracefully.

> Implementation-wise, I see a few ways in which I would handle `Expires`
> information:
> 
> 1) Comparison.  E.g., to determine if a security.txt is stale, or to
>    sort/index/search archived security.txt files, in which case I'd have
>    two choices:
> 
>    1a) if the format is ISO 8601 zulu, then format current time then
>        string compare,
>    1b) parse the `Expires` into local time of day form and compare to
>        current time.
> 
>    (1a) is simpler, but only works for ISO 8601 Zulu times.
> 
> 3) Authoring/production of security.txt files, where I only need to
>    format time, not parse it.
> 
> Clearly it's easier to only have to format time and never have to parse
> it.
> 
> That said, strptime() and similar are widely available and easy enough
> to use, so I do think there's an readability argument to make.  But ISO
> 8601 is still easier to read than RFC 5322 time, especially for
> non-English speakers.

And I think the authors have a clear answer for what to do here.

Thanks to everyone for the feedback.

-Ben

v2.23.0 | Report a Bug | By Email