Re: [Gen-art] [Netconf] Gen-art LC review: draft-ietf-netconf-restconf-15
t.petch <ietfc@btconnect.com> Tue, 02 August 2016 09:00 UTC
Return-Path: <ietfc@btconnect.com>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DE4E112D106; Tue, 2 Aug 2016 02:00:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=btconnect.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wICjQphEKx7k; Tue, 2 Aug 2016 01:59:58 -0700 (PDT)
Received: from EUR01-HE1-obe.outbound.protection.outlook.com (mail-he1eur01on0091.outbound.protection.outlook.com [104.47.0.91]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C55B5128E19; Tue, 2 Aug 2016 01:59:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=btconnect.onmicrosoft.com; s=selector1-btconnect-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=TDNoQzFmr0USwJ5o9kS4XKCHfHQDbNe+tQbJcBUk+VM=; b=On6j4j03nm5Kms99YgDJBavyf4ZTgBAqbR+R5EpVTtsXsBlAaFD67hQE5ERCS0pkiVXpBDrZkojArodPZ6s5Sgo/lxXbVx1LNj/CI6uNNSNmtFdPriBOtN1Cb7YIis3yb0FeBK+UTGXEZSmniqA+EDzVxIipC92db7awleBwils=
Authentication-Results: spf=none (sender IP is ) smtp.mailfrom=ietfc@btconnect.com;
Received: from pc6 (31.50.86.164) by DB5PR07MB1622.eurprd07.prod.outlook.com (10.166.12.149) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.549.15; Tue, 2 Aug 2016 08:59:53 +0000
Message-ID: <007e01d1ec9b$dea81b20$4001a8c0@gateway.2wire.net>
From: "t.petch" <ietfc@btconnect.com>
To: Kent Watsen <kwatsen@juniper.net>, Robert Sparks <rjsparks@nostrum.com>, Andy Bierman <andy@yumaworks.com>
References: <5c5a0c28-7cb3-da17-53dc-ec6401be9d1c@nostrum.com> <CABCOCHSEG0VyWvP=oSFDD8kkWR=+-5ACV=1Es=2WfbjYhaV1UQ@mail.gmail.com> <c24eced8-bc26-bb1e-2d4c-fb366cc12f8d@nostrum.com> <00bc01d1ea57$e7889f80$4001a8c0@gateway.2wire.net> <fbcea843-8646-f84e-1cf7-795956f21749@nostrum.com> <43B5D3C7-C488-4B64-9DBC-714483717CD6@juniper.net>
Date: Tue, 02 Aug 2016 09:49:49 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
X-Originating-IP: [31.50.86.164]
X-ClientProxiedBy: DB4PR05CA0010.eurprd05.prod.outlook.com (10.160.40.20) To DB5PR07MB1622.eurprd07.prod.outlook.com (10.166.12.149)
X-MS-Office365-Filtering-Correlation-Id: caaddcc7-b4d8-4e9c-0b35-08d3bab35e7b
X-Microsoft-Exchange-Diagnostics: 1; DB5PR07MB1622; 2:T5xwz4+2Ijt+fHfRAW0QQSxNVieGoVecuL3ToyFqaPQmOaD8V11kWDaDua5tqYnhNH8+vNoowXjzjqx176rwmpRKjpfl2rDWzTZLenxagBvJceTgvynHgfeAYcxXnb8HNBQYt+eGr1zq84mD6PuGeffg8EDnTDacLO7XXcexBhCvOEc0y+Rtf1epXQpzcBGD; 3:RSine+zeUgtsWjlBD2Zw2YrtZUyS3qWiHFeKAaFSWgrR1Iyef3dYepq2k8nSw+rmrGYQ88gPo9eiOQIF97vXSPg/BSPyVgv/qMqujBafTDxfQFqs6scGdjI2PqHoyVT1; 25:ejEFUMuJWFqZIgbCgnczRYHJWwVVH4eXJ8F7Ho3QEkBgS4UuCZVNbdmhQKLOda7r4E3mVi3UV/tafGgOYTECp/n7EQD5KT39SKqUx/HvcM6I8tIQXl6px7MziA/yzaD1Xfpe9v8FjIY0RHt8qRGnwco0kDUoBmYLSB7VDQV/5vmJPggOWE/VsMlvzJIv46Ii9/CfRr4y7wris+lksvY1ND5BkTj3ZOul91d3TzNVlhDJgeALy/i/JDSDW5d8hA++Aq2r8rgRc0Oe4D0IaJeR5I1Sn8DY54GF1+0tG+/apaHK2Xcsu5yolzJodr360Qa/r8YyX75vmaZhbVEoGVTdeULDi4FBFdliuE3UoFD4lHtKllBdseRphZfSB8vrEjah1as62d4dztthemlaW6fVp7PgDlRj6+Hj9kNBVLLn4sA=
X-Microsoft-Antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:DB5PR07MB1622;
X-Microsoft-Exchange-Diagnostics: 1; DB5PR07MB1622; 31:ugxMPlIUvzrQpyqLthf4uT2kgtPMMNjKJOOXVFx+tA2TSm2O1CD78ecqRh8RwezIJgYSZDOwQU8zUQqI8bfw49IJkxx4LdO8Kotsw5b+QWJz2mioc/rrm3lTE7WEcPNEU8yG5LAvTGZGvAOYVvYDyTSpFoaw5C7TytmWV3em2w1Hgvar4NoNvySfebqKDad0eTvDZah4ws6wSzHUpS3WElHr71ATH3FnqHHO00gOlUU=; 4:CD/1ReCak2m7HkNmhgmUg3CgMS8MLxDcwN8WZ4/qTBDRyeW2A3OP15vhDaijvEMq9TJp3wbVUhPswtakahTdosCLC0jVzr0gNnAtYI7PQHZJMCd5vufjBZaRhgrY+p1dsY0uhUZtHuMqgr84IDKL4Aq1015WM1jT5gfF9c2Lkx6Y90nqSs6O1Z0pBxXfKWJccBsvpwRgAlNui1A8PawxU9dUZdNNskaCrdEloJR5j5Le3k/VISRhv5B5ibWIHO+/0I7EPuFZYxIpVBBhef5acbY0i45bc7Zw9+hPv2xhICSeMUnJcZwPD2moBbDGndljQLAMTWl5/SpL6rG5ZPThOpQQBTISUbCbJzFwoBYPGV+tPVPwGocsbnFkebrURF4IrVbcBbqNM6VSw7eTYwBuK0WIH/OmJ/PobNpzG76Q9GICDhwWNoMefsFe6nQRVJOmpE6mYjJfAvp/9kQ7hKpft78mBq13B02Ii5w6tlKdyN55Fl03s/qd6UehlaO2JjBrlpQdd0b+duowDMAOSlpmXQ==
X-Microsoft-Antispam-PRVS: <DB5PR07MB16225C939ACFFC67E0635413A0050@DB5PR07MB1622.eurprd07.prod.outlook.com>
X-Exchange-Antispam-Report-Test: UriScan:(158342451672863)(192374486261705)(138986009662008)(788757137089);
X-Exchange-Antispam-Report-CFA-Test: BCL:0; PCL:0; RULEID:(601004)(2401047)(8121501046)(5005006)(3002001)(10201501046); SRVR:DB5PR07MB1622; BCL:0; PCL:0; RULEID:; SRVR:DB5PR07MB1622;
X-Forefront-PRVS: 0022134A87
X-Forefront-Antispam-Report: SFV:NSPM; SFS:(10019020)(4630300001)(6009001)(7916002)(13464003)(24454002)(199003)(377454003)(189002)(97736004)(81686999)(47776003)(23676002)(8676002)(101416001)(42186005)(92566002)(81156014)(76176999)(189998001)(230783001)(3846002)(6116002)(4326007)(81166006)(81816999)(2870700001)(50466002)(305945005)(5001770100001)(84392002)(62236002)(44736004)(44716002)(93886004)(586003)(1556002)(14496001)(116806002)(2906002)(7736002)(68736007)(86362001)(33646002)(9686002)(15975445007)(1456003)(50226002)(77096005)(106356001)(8666005)(1941001)(50986999)(19580405001)(19580395003)(61296003)(7846002)(105586002)(66066001)(7059030)(74416001)(7726001)(4720700001); DIR:OUT; SFP:1102; SCL:1; SRVR:DB5PR07MB1622; H:pc6; FPR:; SPF:None; PTR:InfoNoRecords; A:0; MX:1; LANG:en;
Received-SPF: None (protection.outlook.com: btconnect.com does not designate permitted sender hosts)
X-Microsoft-Exchange-Diagnostics: 1;DB5PR07MB1622;23:oUbvbmyQJ63DZXkPnslEs6mfWaMJ4mfMj4ZFSLTXlQgaXqrR6YMlaOogaRQKYar7NlFDokcyuJT3U0wCFq8R14vV80OS8MYYqe9DLqXP0wpGeCEhaxXG+i1yqrKA6HurGynp9QrXT1eXG7SXJGloOgl5LYi4wKYVAIFRHSYOTyxl+cBPjuaDp7UBUYf/IDaLyX7fDQ6ZS1hU2W7w7pzQIGeGisc4u45Q7uvR+IrH4Efwoidhy38ZkCsDdUYfUHJWX4lOuD+/PQVID37WIlSRdIvhPs92FOavd8t5P08UeAyHwepxcO6NGNr5/SdVCOfz5Ycgj+/pscYLSItURaVOPDLY4BQjl8SM6Rdc4xhb0vb2bSyiD5rYK3nxpJ0Bk3ZwZYvDglhdZab2rTJ9+sEVj9zOlWuQQRHrg8XfY1jWHE4/M3peiRIAAcF4ZETVVaaOwZp90zD6kwYX5OtQpoGl7DrMJ5pG35aTDqGrJy7b4QNncPakxTh9qqPVtiUjv3UrGpECdPl0FPnBlg2EkH9XtWD39yPmV0hfNSiF8e0y+sWir71Ab274SHLAeywKXJJpMPthSbx08J6MsDtSj2Wv6PfFMzeD9gcxTuSP7pqL/xy89rNGoEytmMFvTArOnHRrMLG94HhtcxTxnln+KP1hlFO5dNlMUci3RD6t3OjXgaPUGE6UvYxIkWrQniOwUv51h1fzsE542yMFZ4se/iHAUvFSYH8lgFHJYRlzX8F5/iVv90Hvm839jRs86iuqP3Azq799gTi3huJCmhXxcqcWlCUBtrktXsZ5cAb2ZhmT4fhdfimX8jJ2Zn6NsHubujkRmliyK6Mpj1hFdaxzJ4cEgMXuI2oACSDTMyPYjxL9sLPHemzz/r0814CNMTwPHQBjZREkiDnoQhxNTa3qSwRmgHf8cdO/TFvsHPTkKVb33Q3oCgXoA2m30toqn2PyWFCTDSkduSpkRNwEbjfe72/fMi3cSSGhpPq0qccc8m3pR3WM1SrAE56VtMH0F7tpnraUQW63kLXWLdiVq4KujjWt63jnln6PmvrfGuuFviCFkupkTWe6aTuMpuWV3+73a+AtX8riPhp19H/L5p1TQQehSTaZWEm4z5uiUVIWgRbFEySR4Xnhdkyw9C+R1CNLgPN1COFFiRt0a3cZbkNz+BI6iK/0nJNdHEo0u9SoFZHiGQ+WIS9C4HdgwWCXaLEJgq8CXcU7EWKcHNv/hUHKY02edhDT5n3G2YMRxRNSRkCLJGBwqCW9sOkq8d/+dBBsHwjxb0qDYcNt2FL1RW+/QIg3mb1oW3n10tTr9Y//J/NqbuVG4xOuySRTU77es0ipQQf/uRWnMx63iGuGrd1MDbg89gWsfdhAHaG4swQGEEr00v0ON8WQVJfv+X5/9OhgNnAsGjppSXdl+eDalW+ZVzD6jQ0dGQ4OgaHN4TBE/bMVvOkZvdQg3IeSrQMVhkYad9Iy5elZlvqnw34bs0OniDtL2A==
X-Microsoft-Exchange-Diagnostics: 1; DB5PR07MB1622; 6:uknAITccpuNW5bOgo9Zl4tTkPacMVzfm6TxGbJZSl9eAjnd/swWL29Qaa32W+TYDVe/nNnCEWfe02NmvI0XiNmZRAtaIbHbgVK8SeEYe4+ENpeFzkxFmh0ag5PjeEENuYXZcs1T0xW6Q3PB6NuDceHCvQy8YkDfv9mjI+QCEhWP5OU9lVy566a5CnTfFry9EjY+Q82rGWQCLm33jNz3mOEdqO4Idz1eBq1XL1yyzTiSIZD0By926c7ZzQv0UUKs+Lds/xWY3NuRRGBjpVz06dJeVG2IxEVv9TC1yAPmF0h4=; 5:zGIpydRyb+XwR0mIrCE+qGDOOZnuSRDyEbQLk9JaU/y0kd0543LoOp4I6FMvHAtIm8/oVBcapwEj/h9UcB9fNM52B4m9R/DuzO+OyXT/RfRdnRH6icAf/JorladBaqfi+WJzi6QTwoMyxdaZIBO/lA==; 24:zeahVFLq9FGI8W1ix8R+A1dPUhFFNGrz3My0ZK4Obi8owkbncYPPLJJqyZ5hx/0TN9RewlrSDcX9QZbcBidxwhS7DGrAWtYLBlMWpSZG0wM=; 7:9MZ4fj+eFPzh5uMyCYBvHkde9KRLHfefC7xNt+C8j/qmjCY1HJcM6uWzAK+cRyWIku9nzNYkRhkTmYqL9SeJizgyAl4HPmZgqQLaex8c2MSfEC5TgQPg90EGLeT+Gi1BX/kU2Top3dNSwTGUzlugJekzlddVFeNXhrHcWgTBB4Wb5pPNXuR2FSo2pBifdV0hJoXXNpPXn3PjRoWohSQiAENs3TjxH7i8v3djT8SuaOK9lSC5Jjq2pzdObR2Jnrtk
SpamDiagnosticOutput: 1:99
SpamDiagnosticMetadata: NSPM
X-OriginatorOrg: btconnect.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 02 Aug 2016 08:59:53.0711 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB5PR07MB1622
Archived-At: <https://mailarchive.ietf.org/arch/msg/gen-art/Oinn1w2ajCy1oMPE7SoDdL14RBw>
Cc: General Area Review Team <gen-art@ietf.org>, draft-ietf-netconf-restconf.all@ietf.org, Netconf <netconf@ietf.org>
Subject: Re: [Gen-art] [Netconf] Gen-art LC review: draft-ietf-netconf-restconf-15
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/gen-art/>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Aug 2016 09:00:02 -0000
Kent Yes, good now, Tom Petch ----- Original Message ----- From: "Kent Watsen" <kwatsen@juniper.net> Sent: Monday, August 01, 2016 10:17 PM > > To address the Gen-Art comment, below I replaced “as defined in [RFC5246]” with “, as described in Section 7.2.1 of [RFC5246]”. Good now? > > Additionally, while looking at Section 2.3, I realized an opportunity to fix a couple more things. First, when looking at RFC 7589, Section 5, I see the language “certificate obtained by a trusted mechanism”, which I think is better than saying it has to match a locally configured fingerprint. Second, I found a redundant sentence which seemed misleading. Finally, I collapsed the two paragraphs into one since they ’re more connected than not. The net result follows: > > NEW > > 2.3. Certificate Validation > > The RESTCONF client MUST either use X.509 certificate path validation > [RFC5280] to verify the integrity of the RESTCONF server's TLS > certificate, or match the server’s TLS certificate with a certificate > obtained by a trusted mechanism (e.g. a pinned certificate). If X.509 > certificate path validation fails, and the presented X.509 certificate > does not match a certificate obtained by a trusted mechanism, the > connection MUST be terminated, as described in Section 7.2.1 of > [RFC5246]. > > > OLD: > > 2.3. Certificate Validation > > The RESTCONF client MUST either use X.509 certificate path validation > [RFC5280] to verify the integrity of the RESTCONF server's TLS > certificate, or match the presented X.509 certificate with locally > configured certificate fingerprints. > > The presented X.509 certificate MUST also be considered valid if it > matches a locally configured certificate fingerprint. If X.509 > certificate path validation fails and the presented X.509 certificate > does not match a locally configured certificate fingerprint, the > connection MUST be terminated as defined in [RFC5246]. > > > This change will be made in a few days if no objection is raised by then. > > Thanks, > Kent > > > On 8/1/16, 1:57 PM, "Netconf on behalf of Robert Sparks" <netconf-bounces@ietf.org on behalf of rjsparks@nostrum.com> wrote: > > > > On 7/30/16 6:45 AM, t.petch wrote: > > Robert > > > > Picking up on the point about terminating the connection when a > > certificate validation fails, this is a straight lift from 'Netconf > > over TLS', RFC7589, where the reference is also in Section 4 which makes > > it clear (to me:-) that the reference is to how the connection is > > terminated, as per RFC5246 s.7.2.1, and nothing to do with the > > certificate validation, which is as per RFC5280. > Perhaps having the s.7.2.1 reference in the text in this document (that > part wasn't > included in the lift from 7589) would have let me to interpret the > sentence that way, > after following the reference. I suggest a light touch to the sentence > to make it clear > that you are talking about "how to terminate the connection" > not"terminating the > connection because the cert check failed" with the reference. > > (And this should be moved to a nit since it's an editorial clarification). > > > > > Tom Petch > > > > ----- Original Message ----- > > From: "Robert Sparks" <rjsparks@nostrum.com> > > To: "Andy Bierman" <andy@yumaworks.com> > > Cc: "General Area Review Team" <gen-art@ietf.org>; > > <draft-ietf-netconf-restconf.all@ietf.org>; <ietf@ietf.org>; "Netconf" > > <netconf@ietf.org> > > Sent: Friday, July 29, 2016 9:47 PM > > Subject: Re: [Netconf] Gen-art LC review: draft-ietf-netconf-restconf-15 > > > > > >> > >> On 7/29/16 3:36 PM, Andy Bierman wrote: > >>> Hi, > >>> > >>> I will add this review to the list. > >>> A new version in in progress. > >>> Some comments inline > >>> > >>> > >>> On Fri, Jul 29, 2016 at 1:11 PM, Robert Sparks <rjsparks@nostrum.com > >>> <mailto:rjsparks@nostrum.com>> wrote: > >>> > >>> I am the assigned Gen-ART reviewer for this draft. The General > > Area > >>> Review Team (Gen-ART) reviews all IETF documents being processed > >>> by the IESG for the IETF Chair. Please treat these comments > > just > >>> like any other last call comments. > >>> > >>> For more information, please see the FAQ at > >>> > >>> <http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>. > >>> > >>> Document: draft-ietf-netconf-restconf-15 > >>> Reviewer: Robert Sparks > >>> Review Date: 28Jul2016 > >>> IETF LC End Date: 3Aug2016 > >>> IESG Telechat date: not yet scheduled > >>> > >>> Summary: > >>> > >>> Major issues: > >>> > >>> * I am not finding any discussion in the Security Considerations > >>> or in the text around what a server's options are if a client is > >>> asking it to keep more state than it is willing or capable of > >>> holding. The possible values of the "depth" query parameter > >>> (particularly "unbounded") points out that a misconfigured or > >>> compromised client might start creating arbitrarily deep trees. > >>> Should a server have the ability to say no? > >>> > >>> > >>> > >>> I guess we need more text somewhere explaining the "depth" parameter > > is > >>> a retrieval filter. > >> I got that. It's existence, however, caused me to think about the fact > >> that what is stored at the server can be arbitrarily deep. Clients > > using > >> POST can build trees that are arbitrarily deep, with bits at the node > >> that are arbitrarily large (subject to the constraints the YANG models > >> put on the node). There should be some discussion acknowledging that > >> this can happen, and discussion of what the server can do if some > > client > >> starts asking it to store more than it is willing to store. > >>> It is not used to create anything in the server. > >>> The server does not maintain any state except during the processing > > of > >>> the retrieval request > >>> > >>> > >>> * The third paragraph of 3.7 paraphrases to "SHOULD NOT delete > >>> more than one instance unless a proprietary query parameter says > >>> it's ok". This isn't really helpful in a specification. > >>> Proprietary things are proprietary. The SHOULD NOT already > > allows > >>> proprietary things to do something different without > > trainwrecking > >>> the protocol. Please just delete the 2nd and 3rd sentence from > > the > >>> paragraph. > >>> > >>> > >>> OK > >>> > >>> > >>> * Section 2.3 says "If X.509 certificate path validation fails > > and > >>> the presented X.509 certificate does not match a locally > >>> configured certificate fingerprint, the connection MUST be > >>> terminated as defined in [RFC5246]." RFC5246 doesn't really talk > >>> about certificate validation, and it certainly doesn't say "the > >>> connection MUST be terminated" when certificates fail to > > validate. > >>> What are you trying to point to in RFC5246 here? Should you be > >>> pointing somewhere else? (It's perfectly reasonable for the > >>> document to reference RFC5246, and it does so elsewhere without > >>> problem). > >>> > >>> > >>> > >>> Please suggest replacement text if we are citing the wrong RFC. > >>> I will ask Kent to look into this issue > >>> > >>> > >>> Minor issues: > >>> > >>> * "A server MUST support XML or JSON encoding." is ambiguous. > > (2nd > >>> paragraph of 5.2). Did you mean the server MUST support at least > >>> one of XML or JSON but not necessarily both? I think you really > >>> intended that the server support BOTH types of encoding. > >>> > >>> > >>> No -- it will be clarified that the server must support at least 1 > > of > >>> the 2 > >>> > >>> > >>> * I _think_ I can infer that PUT can't be used with datastore > >>> resources. Section 3.4 only speaks of POST and PATCH. Section > > 4.5 > >>> speaks about "target data resource" and is silent about > > datastore > >>> resources. If I've understood the intent, please be explicit > > about > >>> datastore resources in 4.5. If I've misunderstood then more > >>> clarity is needed in both 3.4 and 4.5. > >>> > >>> > >>> The next draft will be clarified to allow PUT on a datastore > > resource > >> Hrmm - that makes me less comfortable that you are actually aligned > > with > >> 7231. It may just be that you need to be more precise with your > >> description, but per 7231, PUT never creates resources - it can create > >> or replace the state of a resource. > >>> * In 3.5.3.1 you restrict identifiers with "MUST NOT start with > >>> 'xml' (or any case variant of that string). Please call out why > >>> (or point to an existing document that explains why). > >>> > >>> > >>> OK > >>> > >>> > >>> * The text in 5.3 about access control interacting with caching > >>> (added based on my early review I think) doesn't mesh well with > >>> paragraph 3 of section 5.5. There you tell the client to use > > Etag > >>> and Last-Modified, but in 5.3 you say it won't work reliably > > when > >>> access permissions change. At the very least 5.5 should point > > back > >>> into the paragraph in 5.3. > >>> > >>> Nits/editorial comments: > >>> > >>> * Introduction, 4th paragraph - please change "MAY provide" to > >>> "provides". Section 3.6 explains the cases where there is choice > >>> in what to provide. > >>> > >>> > >>> * Section 2.3 paragraphs 1 and 2. There is edit-itis here left > > (I > >>> suspect) from working in matching fingerprints. Consider > > combining > >>> and simplifying these two paragraphs after improving the > > reference > >>> issue called out above. > >>> > >>> * Section 4 says "Access control mechanisms MUST be used to > >>> limit..." This is not a good use of a 2119 MUST. I suggest > >>> replacing "MUST be" with "are". The subsequent text already > >>> captures the actual normative requirements on the server. > >>> > >>> * Section 12 says "this protocol SHOULD be implemented > > carefully". > >>> That is not a good use of a 2119 SHOULD. It is not a protocol > >>> requirement. I suggest reformulating this into something like > >>> "There are many patterns of attack that have been observed > > through > >>> operational practice with existing management interfaces. It > > would > >>> be wise for implementers to research them, and take them into > >>> account when implementing this protocol." It would be far better > >>> to provide a pointer to where the implementer should start this > >>> research. > >>> > >>> * (micronit) Lots of examples are internally inconsistent wrt > >>> dates. For instance, look at the 200 OK in section 3.3.3 - it > > says > >>> that back in 2012, a server returned something talking about a > >>> library versioned in 2016. > >>> > >>> > >>> > >>> Andy > >>> > >> > > > > ---------------------------------------------------------------------- -- > > -------- > > > > > >> _______________________________________________ > >> Netconf mailing list > >> Netconf@ietf.org > >> https://www.ietf.org/mailman/listinfo/netconf > >> > > _______________________________________________ > Netconf mailing list > Netconf@ietf.org > https://www.ietf.org/mailman/listinfo/netconf > > >
- Re: [Gen-art] Gen-art LC review: draft-ietf-netco… Robert Sparks
- Re: [Gen-art] [Netconf] Gen-art LC review: draft-… Robert Sparks
- Re: [Gen-art] [Netconf] Gen-art LC review: draft-… t.petch
- Re: [Gen-art] [Netconf] Gen-art LC review: draft-… Kent Watsen
- Re: [Gen-art] [Netconf] Gen-art LC review: draft-… t.petch
- Re: [Gen-art] Gen-art LC review: draft-ietf-netco… Andy Bierman
- Re: [Gen-art] Gen-art LC review: draft-ietf-netco… Andy Bierman
- [Gen-art] Gen-art LC review: draft-ietf-netconf-r… Robert Sparks