[httpapi] [IANA #1387836] expert review for draft-ietf-httpapi-api-catalog (link-relations)

David Dong via RT <drafts-expert-review-comment@iana.org> Tue, 17 December 2024 19:32 UTC

CC: httpapi@ietf.org, mnot@mnot.net, julian.reschke@greenbytes.de, julian.reschke@gmx.de, algermissen@acm.org
List-Id: Building Blocks for HTTP APIs <httpapi.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/httpapi/-Mipy8vSiWOsb2B9kw-UX9j00wo>
List-Archive: <https://mailarchive.ietf.org/arch/browse/httpapi>

Hi Mark, all,

Following up on this; please see Kevin's response below and on the httpapi list; thank you.

Best regards,

David Dong
IANA Services Sr. Specialist

On Wed Dec 11 01:06:12 2024, david.dong wrote:
> Hi Mark, all,
> 
> Please see Kevin's response below and on the httpapi list; thank you.
> 
> Best regards,
> 
> David Dong
> IANA Services Sr. Specialist
> 
> On Thu Dec 05 09:28:51 2024, kevin.smith@vodafone.com wrote:
> > Dear Amanda, all,
> > 
> > Many thanks for raising the issue, I responded on the httpapi list at
> > [1] as follows:
> > 
> > --
> > Hi Amanda, Mark,
> > 
> > > In version -06, the registration's "description" field has been
> > > updated to change "context" to "target domain" (see Section 7.2):
> > >
> > > https://datatracker.ietf.org/doc/html/draft-ietf-httpapi-api-catalog
> > 
> > Thanks for catching this, it was my mistake - in attempting to resolve
> > a previous comment for draft-05 [2], which had correctly challenged my
> > use of the unclear phrase 'owner of the link context', I mistakenly
> > removed 'context' as well from the description field.
> > 
> > 
> > 
> > As Herbert pointed out (thanks!), Section 3 has the wording I
> > intended. So in draft-07 I propose to change the description in 7.2
> > to:
> > 
> > 
> > 
> > "Description: The link target identifies a resource that represents a
> > list of APIs available from the Publisher of the context resource."
> > 
> > 
> > 
> > All best,
> > 
> > 
> > 
> > Kevin
> > --
> > 
> > [1]
> > https://mailarchive.ietf.org/arch/msg/httpapi/w8VtmpTdXLah8lfyGKkOzptOOLo/
> > 
> > [2] https://github.com/ietf-wg-httpapi/api-catalog/issues/18
> > 
> > 
> > 
> > -----Original Message-----
> > From: Amanda Baber via RT <drafts-expert-review-comment@iana.org>
> > Sent: 04 December 2024 19:01
> > Cc: draft-ietf-httpapi-api-catalog.all@ietf.org
> > Subject: [IANA #1387836] expert review for draft-ietf-httpapi-api-catalog (link-relations)
> > 
> > 
> > 
> > Dear Authors,
> > 
> > 
> > 
> > Please see the message Mark Nottingham (one of three link relations
> > experts) sent to the httpapi list yesterday. I've marked the document
> > "IANA NOT OK."
> > 
> > 
> > 
> > thanks,
> > 
> > Amanda
> > 
> > 
> > 
> > On Wed Dec 04 04:33:30 2024, mnot@mnot.net wrote:
> > 
> > > Hi,
> > >
> > > > On 4 Dec 2024, at 6:03 AM, Amanda Baber via RT
> > > > <drafts-expert-review-comment@iana.org> wrote:
> > > >
> > > >> In version -06, the registration's "description" field has been
> > > >> updated to change "context" to "target domain" (see Section 7.2):
> > >
> > > This seems problematic, in that it allows any link on the Internet to
> > > assert an API catalogue for a given URI. At the very least some
> > > security considerations about consuming such an assertion should be
> > > outlined.
> > >
> > > Furthermore, it's a deviation from the Web Linking specification,
> > > which defines a link as involving a context, a target, and a relation
> > > type. The relation type definition can't modify this relationship. As
> > > such I suspect that this specification isn't defining a link relation
> > > per se, it's defining _something else_.
> > >
> > > Cheers,
> > >
> > > --
> > > Mark Nottingham
> > 
> > 
> > 
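Added example, not part of the thread or of the draft: a sketch of how a consumer could apply the "context" wording discussed above, attributing an `api-catalog` link only to the publisher of the resource that served it and setting aside links whose `anchor` parameter claims a context on another origin. The function names, the sample hosts and the cross-origin-anchor policy are assumptions made for illustration, and the Link header parsing is simplified.

```python
import re
from urllib.parse import urljoin, urlsplit

# Simplified Link header grammar: assumes no commas or semicolons
# inside quoted parameter values (enough for this illustration).
LINK_RE = re.compile(r'<([^>]*)>((?:\s*;\s*[^,;]+)*)')

def origin(url):
    """Scheme, host and effective port of a URL, as a comparable string."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    port = p.port or {"http": 80, "https": 443}.get(scheme)
    return f"{scheme}://{(p.hostname or '').lower()}:{port}"

def parse_links(header):
    """Yield (target, params) for each link-value in a Link header."""
    for m in LINK_RE.finditer(header):
        params = {}
        for part in m.group(2).split(";"):
            if "=" in part:
                key, value = part.split("=", 1)
                params[key.strip().lower()] = value.strip().strip('"')
        yield m.group(1), params

def catalog_claims(context_url, link_header):
    """Split api-catalog links into (accepted, rejected).

    accepted: (publisher origin, catalog URL), keyed by the origin of the
    resource that was actually fetched, never by the target's origin.
    rejected: (claimed origin, catalog URL) where 'anchor' names a context
    on a different origin than the one that served the header.
    """
    accepted, rejected = [], []
    for target, params in parse_links(link_header):
        if "api-catalog" not in params.get("rel", "").lower().split():
            continue
        target = urljoin(context_url, target)
        claimed = urljoin(context_url, params.get("anchor", ""))
        if origin(claimed) == origin(context_url):
            accepted.append((origin(context_url), target))
        else:
            rejected.append((origin(claimed), target))
    return accepted, rejected

# Constructed sample: a response from shop.example carrying three links.
SAMPLE_CONTEXT = "https://shop.example/index.html"
SAMPLE_HEADER = ('<https://catalog.example.net/apis>; rel="api-catalog", '
                 '</other>; rel="api-catalog"; anchor="https://bank.example/", '
                 '</style.css>; rel=stylesheet')

if __name__ == "__main__":
    print(catalog_claims(SAMPLE_CONTEXT, SAMPLE_HEADER))
```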