Re: [Gen-art] Genart last call review of draft-wilde-sunset-header-07

Erik Wilde <erik.wilde@dret.net> Thu, 29 November 2018 22:37 UTC

Return-Path: <erik.wilde@dret.net>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7A29D130EDF; Thu, 29 Nov 2018 14:37:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.109
X-Spam-Level:
X-Spam-Status: No, score=-0.109 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DATE_IN_PAST_03_06=1.592, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (public key: not available)" header.d=dret.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9EQVtsIsL7tZ; Thu, 29 Nov 2018 14:37:33 -0800 (PST)
Received: from postoffice.gristmillmedia.com (dret.net [209.188.86.86]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7DC47130EDA; Thu, 29 Nov 2018 14:37:28 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=dret.net; s=default; h=Content-Transfer-Encoding:Content-Type:In-Reply-To:MIME-Version :Date:Message-ID:From:References:Cc:To:Subject:Sender:Reply-To:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=L7WPtd8WoWq1ltbfYiOhjck/rwnBkw1Ocvp6d42iPbo=; b=XmnqW6x0oQDonbLKM04qqSI8wt 3Z9C/QEs+CsaHh/ZtFgTsIyM21n9e0s3LUMHg5yWXDDb2jvBGTLNdZ6ePI4nFc2bpzy8EOPb/YaF5 o3rElT0GG+ID2Nh+3QQiLKShykgLgQdzcs5eUPrhm1bhNCmF4tqrMO8QyfkKvYW23bFUf2BV59A5w /eoLsUO7ulvbOCdl9F8PaIr6Y/cSxkFilUrIlg1H/UKUj+sMJlifOXAo1z8mGAfT76kvnXylbwL6G tnuMQnVeergC+9TyUXVaDVrZbxMAYY6go6TE92Oz/JoB5NtWNSOVpqDrqYP9PKLXnHZ/xsAlPMP1m By76GLXQ==;
Received: from [65.196.52.196] (port=53613 helo=dretbook.local) by postoffice.gristmillmedia.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.91) (envelope-from <erik.wilde@dret.net>) id 1gSUw2-0006MF-3g; Thu, 29 Nov 2018 17:37:26 -0500
To: Jari Arkko <jari.arkko@piuha.net>, gen-art@ietf.org
Cc: draft-wilde-sunset-header.all@ietf.org, ietf@ietf.org
References: <154062576395.5617.8725497285559940981@ietfa.amsl.com>
From: Erik Wilde <erik.wilde@dret.net>
Message-ID: <7b9dc702-1627-02a4-db8a-8fdbf56cce8a@dret.net>
Date: Thu, 29 Nov 2018 11:01:59 -0700
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:60.0) Gecko/20100101 Thunderbird/60.3.1
MIME-Version: 1.0
In-Reply-To: <154062576395.5617.8725497285559940981@ietfa.amsl.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - postoffice.gristmillmedia.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - dret.net
X-Get-Message-Sender-Via: postoffice.gristmillmedia.com: authenticated_id: birdhouse@dret.net
X-Authenticated-Sender: postoffice.gristmillmedia.com: birdhouse@dret.net
X-Source:
X-Source-Args:
X-Source-Dir:
Archived-At: <https://mailarchive.ietf.org/arch/msg/gen-art/htssDq70241eN0JHaVpuX9pbRD8>
Subject: Re: [Gen-art] Genart last call review of draft-wilde-sunset-header-07
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/gen-art/>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Nov 2018 22:37:39 -0000

hello jari.

thanks a lot for the review!

On 2018-10-27 01:36, Jari Arkko wrote:
> Summary:
> This is a well-written, understandable and useful piece of specification.
> Thanks for writing it.
> I had a couple of minor observations, but otherwise the draft is ready to be
> published.

that's great to hear. i will make changes according to your review, and 
publish a new version (-08) later this week.

> The section on relation link type discusses who may be reading the linked
> material:
> 
>     This specification places no
>     constraints on the scope or the type of the linked resource.  The
>     scope can be for a resource or for a service.  The type is determined
>     by the media type of the linked resource, and can be targeted at
>     humans, at machines, or a combination of both.
> 
> That's fine, but at the same time my understanding is that there is no media
> type today that would actually be machine readable and usable for your purpose?
> Is this so? If I cannot write code today for a machine to do anything with the
> linked resource, maybe that's something that you'd want to say.  And you
> probably don't want to blindly load and use the
> load-this-executable-and-all-your-linking-problems-are-history media type,
> either :-)

the main idea was that the policy probably would be more often 
documented than described in a fully machine-understandable format.

but i do understand you concerns. i have done two things. right 
underneath the sentence you quoted, i have added the following:

"If the linked resource does provide machine-readable information, 
consumers should be careful before acting on this information. Such 
information may, for example, instruct consumers to use a migration rule 
so that sunset resources can be accessed at new URIs. However, this kind 
of information amounts to a possibly large-scale identity migration of 
resources, so it is crucial that the migration information is authentic 
and accurate."

i have also added a paragraph about the same issue to the security 
considerations section:

"In cases where a sunset policy is linked by using the sunset link 
relation type, clients should be careful about taking any actions based 
on this information. It should be verified that the information is 
authentic and accurate. Furthermore, it should be tested that this 
information is only applied to resources that are within the scope of 
the policy, making sure that sunset policies cannot "hijack" resources 
by for example providing migration information for them."

> The security considerations section does not mention that there might be cases
> where the lifetime information could be sensitive. Are there such cases? The
> only example of that I can come with is that a fixed data retention rule would
> obviously also reveal the time that the organisation in question has learned
> about the data in question, which might be sensitive in some cases.

that's a very good point, i have added that as the very first paragraph 
of the security considerations.

"Generally speaking, information about upcoming sunsets can leak 
information that otherwise might not be available. For example, a 
resource representing a registration can leak information about the 
expiration date when it exposes sunset information. For this reason, any 
use of sunset information where the sunset represents an expiration or 
allows the calculation of another date (such as calculating a creation 
date because it is known that resource expire after one year) should be 
treated in the same way as if this information would be made available 
directly in the resource's representation."

> Nits/editorial comments:
> 
> The example section could perhaps demonstrate the use of the sunset relation in
> addition to the header field.

good point, i added an example after the header field example.

'Before the Sunset header even appears for the first time (it may not 
appear fro the very beginning), it is possible that the resource (or 
possibly just the "home" resource of the service context) communicates 
its sunset policy by using the sunset link relation. If communicated as 
an HTTP header field, it might look as following:

Link: &lt;http://example.net/sunset>;rel="sunset";type="text/html"

In this case, the linked resource provides sunset policy information 
about the service context. It may be documentation aimed at developers, 
for example informing them that the lifetime of a certain class of 
resources is ten years after creation, and that Sunset headers will be 
served as soon as the sunset date is less than some given period of 
time. It may also inform developers whether the service will respond 
with 410 or 404 after the sunset time, as discussed above.'

thanks again for the review. i'll post an updated version soon.

cheers,

dret.

-- 
erik wilde | mailto:erik.wilde@dret.net |
            | http://dret.net/netdret    |
            | http://twitter.com/dret    |