Re: [auth48] AUTH48: RFC-to-be 9530 <draft-ietf-httpbis-digest-headers-13> for your review
rfc-editor@rfc-editor.org Sat, 02 December 2023 06:21 UTC
Return-Path: <wwwrun@rfcpa.amsl.com>
X-Original-To: auth48archive@ietfa.amsl.com
Delivered-To: auth48archive@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9575CC14F616; Fri, 1 Dec 2023 22:21:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.658
X-Spam-Level:
X-Spam-Status: No, score=-6.658 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, CTE_8BIT_MISMATCH=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.249, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LKANHVePed0Q; Fri, 1 Dec 2023 22:21:03 -0800 (PST)
Received: from rfcpa.amsl.com (rfcpa.amsl.com [50.223.129.200]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 45F36C14F615; Fri, 1 Dec 2023 22:21:03 -0800 (PST)
Received: by rfcpa.amsl.com (Postfix, from userid 499) id 2883A19E2DF0; Fri, 1 Dec 2023 22:21:03 -0800 (PST)
To: robipolli@gmail.com, lucaspardue.24.7@gmail.com
From: rfc-editor@rfc-editor.org
Cc: rfc-editor@rfc-editor.org, httpbis-ads@ietf.org, httpbis-chairs@ietf.org, mnot@mnot.net, superuser@gmail.com, auth48archive@rfc-editor.org
Content-type: text/plain; charset="UTF-8"
Message-Id: <20231202062103.2883A19E2DF0@rfcpa.amsl.com>
Date: Fri, 01 Dec 2023 22:21:03 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/auth48archive/zhdaZUWSqefqOD8INd7Ped2q2fQ>
Subject: Re: [auth48] AUTH48: RFC-to-be 9530 <draft-ietf-httpbis-digest-headers-13> for your review
X-BeenThere: auth48archive@rfc-editor.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Archiving AUTH48 exchanges between the RFC Production Center, the authors, and other related parties" <auth48archive.rfc-editor.org>
List-Unsubscribe: <https://mailman.rfc-editor.org/mailman/options/auth48archive>, <mailto:auth48archive-request@rfc-editor.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/auth48archive/>
List-Post: <mailto:auth48archive@rfc-editor.org>
List-Help: <mailto:auth48archive-request@rfc-editor.org?subject=help>
List-Subscribe: <https://mailman.rfc-editor.org/mailman/listinfo/auth48archive>, <mailto:auth48archive-request@rfc-editor.org?subject=subscribe>
X-List-Received-Date: Sat, 02 Dec 2023 06:21:07 -0000
Authors, While reviewing this document during AUTH48, please resolve (as necessary) the following questions, which are also in the XML file. 1) <!-- [rfced] We have updated the following sentence for readability. Please let us know if you prefer otherwise. Original: It also coined the term "instance" and "instance manipulation" in order to explain concepts that are now more universally defined, and implemented, as HTTP semantics such as selected representation data (Section 8.1 of [HTTP]). Current: It also coined the terms "instance" and "instance manipulation" in order to explain concepts, such as selected representation data (Section 8.1 of [HTTP]), that are now more universally defined and implemented as HTTP semantics. --> 2) <!-- [rfced] May this be rephrased as follows for readability and to reduce the usage of "of"? Original: The term "checksum" describes the output of the application of an algorithm to a sequence of bytes, whereas "digest" is only used in relation to the value contained in the fields. Perhaps: The term "checksum" describes the output of applying an algorithm to a sequence of bytes, whereas "digest" is only used in relation to the value contained in the fields. --> 3) <!-- [rfced] May we format these terms as follows to be similar to how the terms appear earlier within Section 1.4? Original: Integrity fields: collective term for Content-Digest and Repr-Digest Integrity preference fields: collective term for Want-Repr-Digest and Want-Content-Digest Perhaps: "Integrity fields" is the collective term for Content-Digest and Repr-Digest. "Integrity preference fields" is the collective term for Want-Repr-Digest and Want-Content-Digest. --> 4) <!--[rfced] May we move this note outside of the sourcecode elements? Also, may we update to one note that applies to all the wrapped lines (as follows), or do you prefer to keep the 18 instances of the note? Current (18 instances): NOTE: '\' line wrapping per RFC 8792 Suggested: NOTE: Throughout this document, '\' line wrapping is per [RFC8792]. --> 5) <!--[rfced] For clarity, may the final phrase be moved as follows? Original: Want-Content-Digest indicates that the sender would like to receive a content digest on messages associated with the request URI and representation metadata, using the Content-Digest field. Want-Repr-Digest indicates that the sender would like to receive a representation digest on messages associated with the request URI and representation metadata, using the Repr-Digest field. Perhaps: Want-Content-Digest indicates that the sender would like to receive (via the Content-Digest field) a content digest on messages associated with the request URI and representation metadata. Want-Repr-Digest indicates that the sender would like to receive (via the Repr-Digest field) a representation digest on messages associated with the request URI and representation metadata. --> 6) <!-- [rfced] May this be rephrased as follows to improve readability? Original: For adversarial situations, selecting which of the "Active" algorithms are acceptable will depend on the level of protection the circumstances demand. Perhaps: For adversarial situations, selection of the acceptable "Active" algorithms will depend on the level of protection the circumstances demand. --> 7) <!-- [rfced] Please clarify; is the intended meaning "help some applications avoid undue operational overhead"? If so, we suggest rephrasing as follows. Original: Permitting the use of these algorithms can help some applications, for example, those that previously used [RFC3230], are migrating to this specification (Appendix E), and have existing stored collections of computed digest values avoid undue operational overhead caused by recomputation using other more-secure algorithms. Option A: Permitting the use of these algorithms can help some applications (such as those that previously used [RFC3230], are migrating to this specification (Appendix E), and have existing stored collections of computed digest values) avoid undue operational overhead caused by recomputation using other more-secure algorithms. Option B: Permitting the use of these algorithms can help some applications -- specifically those applications that previously used [RFC3230], are migrating to this specification (Appendix E), and have existing stored collections of computed digest values -- avoid undue operational overhead caused by recomputation using other more-secure algorithms. --> 8) <!-- [rfced] Please clarify "can remove or recalculate and substitute". If substitution can happen after either removal or recalculation, we suggest adding 'then' as follows. Original: In the absence of additional security mechanisms, an on-path, malicious actor can remove or recalculate and substitute a digest value. Perhaps: In the absence of additional security mechanisms, an on-path, malicious actor can remove or recalculate and then substitute a digest value. --> 9) <!--[rfced] May this be rephrased for conciseness, or is the word "manipulation" needed? Original: In the scenario where there is no content to send, the digest of an empty string can be included in the message and, if signed, can help the recipient detect if content was added either as a result of accident or purposeful manipulation. Perhaps: In the scenario where there is no content to send, the digest of an empty string can be included in the message and, if signed, can help the recipient detect if content was added accidentally or purposely. --> 10) <!-- [rfced] References a) For [UNIX], would you like the title and publication date to be updated to match how it appears in this file: <https://unix.org/version2/u98paper.pdf>? Or do you prefer to leave the reference as is, similar to how it appears in RFC 3230? Original: [UNIX] The Open Group, "The Single UNIX Specification, Version 2 - 6 Vol Set for UNIX 98", February 1997. Perhaps: [UNIX] The Open Group, "The Single UNIX® Specification, Version 2 and UNIX 98", January 1998. b) The following reference has a Warning Notice stating that the publication has been "withdrawn (archived)". Please let us know if any updates are needed. Original: [NIST800-32] National Institute of Standards and Technology, U.S. Department of Commerce, "Introduction to Public Key Technology and the Federal PKI Infrastructure", February 2001, <https://nvlpubs.nist.gov/nistpubs/Legacy/SP/ nistspecialpublication800-32.pdf>. c) RFC 7807 has been obsoleted by RFC 9457. May we replace RFC 7807 with RFC 9457 in this document? --> 11) <!-- [rfced] Please clarify "the first 10" here. Original: The server satisfies the client request by responding with a partial representation (equivalent to the first 10 of the JSON object displayed in whole in Figure 2). Perhaps: The server satisfies the client request by responding with a partial representation (equivalent to the first 10 bytes of the JSON object displayed in whole in Figure 2). --> 12) <!-- [rfced] May "bytes CRLF" be updated to "CRLF bytes"? Original: In the response content below, the string "\r\n" represent the bytes CRLF. Perhaps: In the response content below, the string "\r\n" represents the CRLF bytes. --> 13) <!-- [rfced] For the list of digest values in Appendix D, would you prefer to format it as a definition list rather than a sourcecode element? If you do, placing the line break would not be necessary. --> 14) <!-- [rfced] Please review the "Inclusive Language" portion of the online Style Guide <https://www.rfc-editor.org/styleguide/part2/#inclusive_language> and let us know if any changes are needed. Note that our script did not flag any words in particular, but this should still be reviewed as a best practice. --> 15) <!-- [rfced] FYI - We have added expansions for abbreviations upon first use per Section 3.6 of RFC 7322 ("RFC Style Guide"). Please review each expansion in the document carefully to ensure correctness. --> 16) <!-- [rfced] Terminology a) The following term appears inconsistently in this document. If there are no objections, we will update to the form on the right. Range Request(s) vs. range request(s) b) Regarding "gzip" vs. "GZIP", both forms are used in this document; may all caps be used when it appears outside a header field? Specifically, may we update (4 instances) to all caps as follows? the same data with a GZIP coding ... Figure 2: Request Containing a GZIP-Encoded JSON Object Sending the GZIP-coded data without ... Figure 6: Partial Response from a GZIP-Encoded Representation c) This term appears as Content-Encoding (with hyphen) for the header field. Should the title of Section 6.5 be updated? Current: 6.5. Variations within Content Encoding Perhaps: 6.5. Variations within Content-Encoding ("Merkle Integrity Content Encoding" will remain as is because it matches the title of the referenced Internet-Draft.) d) Do the following terms mean the same thing? If so, would you like to choose one form to use throughout the document for consistency? Repr-Digest field vs. Repr-Digest HTTP field hash algorithm vs. hashing algorithm e) The following terms use <tt> tags inconsistently throughout the document. Please review the usage of <tt> and let us know if any updates are needed. Byte Sequence Content-Digest Dictionary Digest (field) PATCH (when referring to PATCH requests) Repr-Digest Want-Digest Want-Repr-Digest --> Thank you. RFC Editor/mc/ar On Dec 1, 2023, rfc-editor@rfc-editor.org wrote: *****IMPORTANT***** Updated 2023/12/01 RFC Author(s): -------------- Instructions for Completing AUTH48 Your document has now entered AUTH48. Once it has been reviewed and approved by you and all coauthors, it will be published as an RFC. If an author is no longer available, there are several remedies available as listed in the FAQ (https://www.rfc-editor.org/faq/). You and you coauthors are responsible for engaging other parties (e.g., Contributors or Working Group) as necessary before providing your approval. Planning your review --------------------- Please review the following aspects of your document: * RFC Editor questions Please review and resolve any questions raised by the RFC Editor that have been included in the XML file as comments marked as follows: <!-- [rfced] ... --> These questions will also be sent in a subsequent email. * Changes submitted by coauthors Please ensure that you review any changes submitted by your coauthors. We assume that if you do not speak up that you agree to changes submitted by your coauthors. * Content Please review the full content of the document, as this cannot change once the RFC is published. Please pay particular attention to: - IANA considerations updates (if applicable) - contact information - references * Copyright notices and legends Please review the copyright notice and legends as defined in RFC 5378 and the Trust Legal Provisions (TLP – https://trustee.ietf.org/license-info/). * Semantic markup Please review the markup in the XML file to ensure that elements of content are correctly tagged. For example, ensure that <sourcecode> and <artwork> are set correctly. See details at <https://authors.ietf.org/rfcxml-vocabulary>. * Formatted output Please review the PDF, HTML, and TXT files to ensure that the formatted output, as generated from the markup in the XML file, is reasonable. Please note that the TXT will have formatting limitations compared to the PDF and HTML. Submitting changes ------------------ To submit changes, please reply to this email using ‘REPLY ALL’ as all the parties CCed on this message need to see your changes. The parties include: * your coauthors * rfc-editor@rfc-editor.org (the RPC team) * other document participants, depending on the stream (e.g., IETF Stream participants are your working group chairs, the responsible ADs, and the document shepherd). * auth48archive@rfc-editor.org, which is a new archival mailing list to preserve AUTH48 conversations; it is not an active discussion list: * More info: https://mailarchive.ietf.org/arch/msg/ietf-announce/yb6lpIGh-4Q9l2USxIAe6P8O4Zc * The archive itself: https://mailarchive.ietf.org/arch/browse/auth48archive/ * Note: If only absolutely necessary, you may temporarily opt out of the archiving of messages (e.g., to discuss a sensitive matter). If needed, please add a note at the top of the message that you have dropped the address. When the discussion is concluded, auth48archive@rfc-editor.org will be re-added to the CC list and its addition will be noted at the top of the message. You may submit your changes in one of two ways: An update to the provided XML file — OR — An explicit list of changes in this format Section # (or indicate Global) OLD: old text NEW: new text You do not need to reply with both an updated XML file and an explicit list of changes, as either form is sufficient. We will ask a stream manager to review and approve any changes that seem beyond editorial in nature, e.g., addition of new text, deletion of text, and technical changes. Information about stream managers can be found in the FAQ. Editorial changes do not require approval from a stream manager. Approving for publication -------------------------- To approve your RFC for publication, please reply to this email stating that you approve this RFC for publication. Please use ‘REPLY ALL’, as all the parties CCed on this message need to see your approval. Files ----- The files are available here: https://www.rfc-editor.org/authors/rfc9530.xml https://www.rfc-editor.org/authors/rfc9530.html https://www.rfc-editor.org/authors/rfc9530.pdf https://www.rfc-editor.org/authors/rfc9530.txt Diff file of the text: https://www.rfc-editor.org/authors/rfc9530-diff.html https://www.rfc-editor.org/authors/rfc9530-rfcdiff.html (side by side) Diff of the XML: https://www.rfc-editor.org/authors/rfc9530-xmldiff1.html Tracking progress ----------------- The details of the AUTH48 status of your document are here: https://www.rfc-editor.org/auth48/rfc9530 Please let us know if you have any questions. Thank you for your cooperation, RFC Editor -------------------------------------- RFC9530 (draft-ietf-httpbis-digest-headers-13) Title : Digest Fields Author(s) : R. Polli, L. Pardue WG Chair(s) : Mark Nottingham, Tommy Pauly Area Director(s) : Murray Kucherawy, Francesca Palombini
- [auth48] AUTH48: RFC-to-be 9530 <draft-ietf-httpb… rfc-editor
- Re: [auth48] AUTH48: RFC-to-be 9530 <draft-ietf-h… rfc-editor
- Re: [auth48] AUTH48: RFC-to-be 9530 <draft-ietf-h… Lucas Pardue
- Re: [auth48] AUTH48: RFC-to-be 9530 <draft-ietf-h… Madison Church
- Re: [auth48] AUTH48: RFC-to-be 9530 <draft-ietf-h… Madison Church
- Re: [auth48] AUTH48: RFC-to-be 9530 <draft-ietf-h… Madison Church
- Re: [auth48] AUTH48: RFC-to-be 9530 <draft-ietf-h… Madison Church
- Re: [auth48] AUTH48: RFC-to-be 9530 <draft-ietf-h… Lucas Pardue
- Re: [auth48] AUTH48: RFC-to-be 9530 <draft-ietf-h… Madison Church
- Re: [auth48] AUTH48: RFC-to-be 9530 <draft-ietf-h… Madison Church
- Re: [auth48] AUTH48: RFC-to-be 9530 <draft-ietf-h… Lucas Pardue
- Re: [auth48] AUTH48: RFC-to-be 9530 <draft-ietf-h… Madison Church
- Re: [auth48] AUTH48: RFC-to-be 9530 <draft-ietf-h… Lucas Pardue
- Re: [auth48] AUTH48: RFC-to-be 9530 <draft-ietf-h… Madison Church
- Re: [auth48] AUTH48: RFC-to-be 9530 <draft-ietf-h… Roberto Polli
- Re: [auth48] AUTH48: RFC-to-be 9530 <draft-ietf-h… Madison Church