[httpapi] Re: Genart last call review of draft-ietf-httpapi-deprecation-header-06

Robert Sparks <rjsparks@nostrum.com> Thu, 12 September 2024 20:25 UTC

Return-Path: <rjsparks@nostrum.com>
X-Original-To: httpapi@ietfa.amsl.com
Delivered-To: httpapi@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 50681C14F68D; Thu, 12 Sep 2024 13:25:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.514
X-Spam-Level:
X-Spam-Status: No, score=0.514 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_ADSP_DISCARD=1.8, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, HTML_MESSAGE=0.001, KHOP_HELO_FCRDNS=0.399, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, T_SCC_BODY_TEXT_LINE=-0.01, T_SPF_HELO_PERMERROR=0.01, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (message has been altered)" header.d=nostrum.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UgQMbW6mW4-m; Thu, 12 Sep 2024 13:25:28 -0700 (PDT)
Received: from nostrum.com (raven-v6.nostrum.com [IPv6:2001:470:d:1130::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A466DC14F5E8; Thu, 12 Sep 2024 13:25:28 -0700 (PDT)
Received: from [192.168.1.102] ([47.186.48.51]) (authenticated bits=0) by nostrum.com (8.18.1/8.18.1) with ESMTPSA id 48CKPNGU075918 (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NO); Thu, 12 Sep 2024 15:25:24 -0500 (CDT) (envelope-from rjsparks@nostrum.com)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=nostrum.com; s=default; t=1726172724; bh=eeoII6pMfk0ABnHFMSCrRC0Zp/IKUEy2v8FjMXfhHMo=; h=Date:Subject:To:Cc:References:From:In-Reply-To; b=NoaXgCZsRImYgBGO2C0hJKi2Oq/GAtgKFJWkPbGdryvTmo3F33h0kqhT7vcMJmURp IUaweDqMfbEcvju7Bw3Bjs0IefdFVNqSGuotdOeZS+Fi9g/qEECmloGLGClUEKgIJV /5W9FrNUYXZ4dB78i68xQRCkNMQa5nGP+iwxdjeo=
X-Authentication-Warning: raven.nostrum.com: Host [47.186.48.51] claimed to be [192.168.1.102]
Content-Type: multipart/alternative; boundary="------------oYzVbcyQfzrcBQzICPm70utF"
Message-ID: <27047c8f-f7f9-41ed-b8f7-9d99b986a4cd@nostrum.com>
Date: Thu, 12 Sep 2024 15:25:18 -0500
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: Sanjay Dalal <sanjay.dalal@cal.berkeley.edu>
References: <172495211361.123124.2723878160072081658@dt-datatracker-68b7b78cf9-q8rsp> <CAC5fHGO9t+whubwF_dRsstp-nmMtVQsm2PvBKuQghNfG8MHd7A@mail.gmail.com> <09852143-a770-42a0-b25a-63887661f261@nostrum.com> <CAC5fHGP+xxcp2+OUVwEwdz=iwdJaqyyXmtLPZaZzFmcp5=4HMw@mail.gmail.com>
Content-Language: en-US
From: Robert Sparks <rjsparks@nostrum.com>
Autocrypt: addr=rjsparks@nostrum.com; keydata= xsDNBFx4PQwBDADIIJqFKIeYNmVR3iH8YnNqwApV+ci83VqFaPg0UXZAZ1utH/2O2LOLJKmV Ol11+lOSfH4OJgpARt37PWbqfG2TzzGfEucRBPMAV8TEDmzKL+7/OUMLEoPeexgxz6ADxK2Q ACKKzHhF30y4fx2fn9rYZrCvYHV9HDKcfFotNLna0U6P6wu70L0mT2hcjQgZ7+8HSZCpK2XG PTya1mEiMklH6+UHfcTLoAxd3chQiseRi19/TQZZCD3LuuaGFWyTIeF9ZNWV9yL0HQeb/XMs tmZnObSSHSUbZwn5PR9Uf+3iW7jdG5JuXBvNbDpAHfLyPXRqxErM/nCLrbwGB6AgNSKFCwkL lb3uxsGFWcOt6sedrjixoVUO2k4zQWVnCUCwFHGrgIxUK24dI8oqydGPctXAKj5VqoCVJBv6 4JxSpiR+V8fl3A8gksBUnuIMLNlRjB5RAgZaSUpaOkXsWUBA8Z75wQWoIzkJIeMm29w2l1kB B9kGMdyiXGr2JV8VQZ4lAscAEQEAAc0kUm9iZXJ0IFNwYXJrcyA8cmpzcGFya3NAbm9zdHJ1 bS5jb20+wsEUBBMBCAA+FiEEGNywdGDCHUYBwWN3bipqV3X5ExgFAmXhDnYCGwMFCQ0rmNQF CwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQbipqV3X5ExiEpwwAknrYjNHDI2l50IC1lpQB SnmCLvuu4pEESpRaBx1Te7vZBHr740dMbKQv/ZYYekw/NfFfoq2Ptguz5BXHwtyx3hKKjBUA U/rP62bl+x77yTJ0+I5k2hJ1p1DWNqXHWK3SEM0IUvjWpMGlfXPu7iVYCBGPKBDglQ4GWpzU HmSAX/8Zww6+ZbrXM0VgA+hLSHivyHextX4mJwoLRcuY99ecvkdWwFnKoDlEsKozdv9NW+QT h1rFvAtXf2ZCGwIveAMJPbHbRY3uFVp+oMvBbP7m5teffB8Ki5kuO1Y1Wqd9UPhiVDZmUuyC PXymQErskbOB6DcNSSFH7ZHuLM4V+zyziYWTT6foBv0ynA+a3Ofxo+rKPVHLybZlO9bQcI0Q TIE8yT0oqd3kWMaMIyrKZURVUpzcDgRnx6ujckLLyAC1H8L0tuntPwZOo5PAq3P7SUiWlc0L 5HbA0L//BE6eeWn6U3xOgaJNF2+YRVICNtWpXcR3Mr4k1uXW4JkE7lyoufbnzsDNBFx4PQwB DAC03e1kk41e9Z9FuVW8UKWIkVUBeH3gfJMsb94d/c0cqBMRw5rulSY7+U76rw4AXo792LZn ydjDfoL0GQxGqkrZh397Sn9P/sLCb5I+wC14251nkmh5tmU2sQqCk+g9nykcE/NJft/zFkeb HHCKAosK6glO+W0YPHc/k7nXt/fLz7dMRpFpmqFXWjeN2VtwKr9znMg9+iX6XfgAJPMdDNH8 fn30Cp5TIsn5WCI70+JztgvfjFhD15Eb3rtDdOfOydjGCV2ZVxfM8ECmc8Z3DrThyiC2M3uo 2Y50rs6MH+TmVCtpHkISnH7B+80Vy2SC60K9l2xgCaezN1SlkQy3ZpprzcDrNTI8FcJa/UUM ayMGvSDGEGuHZRaNUyXP3jQ8oss+067axmNr5vgjpf01kmE1RJtiGEDWmCr8u1SbVQjdax6C pDqq3RKoX2ZVGLtkdDYZbsqSq4TgmFukoijWRbLxsFBdeEgruTViWRw4PKZav0piLxrhHUGI m6F6JFngapUAEQEAAcLA/AQYAQgAJhYhBBjcsHRgwh1GAcFjd24qald1+RMYBQJl4Q52AhsM BQkNK5jUAAoJEG4qald1+RMYaCML/jp+3W9OedMRVk5XQ3Urxu7g09qaeAfBAArLlE7F13Xt WuGUN7JwZ8hZt8Rsx1+Uz/Zq2TIPjl8PmgIqCSkuvZrxacr+drYARtO00Af71qHVoh4gZTae iOwEuOGhhtCVI3vvKLMDv1ex0scvD4rJTsIk/zqEDCJNDVOf09Szj0CW0vJOYxrIV0sG/UoM 7Ui5/eB4tlN5AFIXuTJzo6BzaUAJVut74Ss2i93qwtwjGw44iEqPVhqKMCDYuB9+bm13ft+H Vr7viRZobd+60NTWrfZhkpmzhb4Qiib9qXhrUoa2EXqVOIy+LMQoiwjF9/iK+5FSA18c52FP ODkDgkica826W9AnBasS6gXQr0bO1BCJu84Fp2RQcjB4IFP+sKVoN3EZTByyUKK4NnSLF3lJ /G+vQhisnuJS+e+emZ8UxZBOK8upAhrhHJj0Wju2W0uTQTxlBME0/uNsvA/KaudLNhlQiUYN 7Fl3rswvQk/iD+utnQdWJbRgIsqesNXbQCOimQ==
In-Reply-To: <CAC5fHGP+xxcp2+OUVwEwdz=iwdJaqyyXmtLPZaZzFmcp5=4HMw@mail.gmail.com>
Message-ID-Hash: MCT7LV24K72WRBPTLRCVE2KOBBH675FG
X-Message-ID-Hash: MCT7LV24K72WRBPTLRCVE2KOBBH675FG
X-MailFrom: rjsparks@nostrum.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: gen-art@ietf.org, draft-ietf-httpapi-deprecation-header.all@ietf.org, httpapi@ietf.org, last-call@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [httpapi] Re: Genart last call review of draft-ietf-httpapi-deprecation-header-06
List-Id: Building Blocks for HTTP APIs <httpapi.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/httpapi/w6T0uIFla_3V31jkkS4y23vGcqc>
List-Archive: <https://mailarchive.ietf.org/arch/browse/httpapi>
List-Help: <mailto:httpapi-request@ietf.org?subject=help>
List-Owner: <mailto:httpapi-owner@ietf.org>
List-Post: <mailto:httpapi@ietf.org>
List-Subscribe: <mailto:httpapi-join@ietf.org>
List-Unsubscribe: <mailto:httpapi-leave@ietf.org>

Thanks - its going in the right direction I think.

Please look again where you are saying applications will make an 
educated guess and if that's really _software_ maybe choose different 
words than "educated guess"? Software can't do that.

RjS

On 9/12/24 3:20 PM, Sanjay Dalal wrote:
> Hello Robert,
>
> Thanks for clarifying. Take a look at 
> https://github.com/ietf-wg-httpapi/deprecation-header/commit/5d4a4f65175001cea293204c9e245388f1552d45. 
> I went ahead and re-looked where a human would be needed and added 
> "developer" over there.
>
> If you are ok now, I will mark this issue resolved. We will publish 
> the draft once we have addressed comments we may receive from other 
> reviewers.
>
> regards,
> sanjay
>
> On Thu, Sep 12, 2024 at 9:34 AM Robert Sparks <rjsparks@nostrum.com> 
> wrote:
>
>     Thanks Sanjay -
>
>     I think there's still some tension to resolve on who has agency in
>     several places. With the description in section 6.2 in mind
>     (particularly at "intended for human consumption", please look
>     again at the places you've changed "client" to "client
>     application". You're still talking in places of having the
>     application do things an application can't do. Only the
>     application developers can do them.
>
>     What does it mean for an application to make an educated guess?
>
>     How does an application inspect (and make sense of) a home document?
>
>     In both of those places, and others, you are talking about humans
>     doing things, not applications.
>
>     RjS
>
>     On 9/12/24 11:19 AM, Sanjay Dalal wrote:
>>     Hello Robert,
>>
>>     Thanks for your review comments. We captured your review notes in
>>     https://github.com/ietf-wg-httpapi/deprecation-header/issues/35
>>     and we have addressed those. Draft 08 published today
>>     https://datatracker.ietf.org/doc/draft-ietf-httpapi-deprecation-header/
>>     incorporates all your comments per our understanding. Let me know
>>     if something is missed.
>>
>>     regards,
>>     sanjay
>>
>>     On Thu, Aug 29, 2024 at 10:21 AM Robert Sparks via Datatracker
>>     <noreply@ietf.org> wrote:
>>
>>         Reviewer: Robert Sparks
>>         Review result: Almost Ready
>>
>>         I am the assigned Gen-ART reviewer for this draft. The
>>         General Area
>>         Review Team (Gen-ART) reviews all IETF documents being processed
>>         by the IESG for the IETF Chair.  Please treat these comments just
>>         like any other last call comments.
>>
>>         For more information, please see the FAQ at
>>
>>         <https://wiki.ietf.org/en/group/gen/GenArtFAQ>.
>>
>>         Document: draft-ietf-httpapi-deprecation-header-06
>>         Reviewer: Robert Sparks
>>         Review Date: 2024-08-29
>>         IETF LC End Date: 2024-09-06
>>         IESG Telechat date: Not scheduled for a telechat
>>
>>         Summary:Almost Ready for publication as a Proposed Standard
>>         (?) RFC
>>
>>         Why is this standards track? The shepherd's writeup
>>         explanation of "that makes
>>         sense since it defines a new HTTP header field" seems at odds
>>         with RFC8594
>>         being Informational. Should that have been standards track?
>>
>>         Generally, the document would benefit from an editorial pass
>>         further clarifying
>>         when it is talking about an application or a developer. There
>>         are many points
>>         where it says application or client when it means developer.
>>         Some key
>>         instances: * Introduction: "informs applications about the
>>         risk" * Security
>>         considerations "Applications consuming the resource SHOULD
>>         check the referred
>>         resource documentation to verify authenticity and accuracy."
>>         * Security
>>         considerations "Therefore, applications consuming the
>>         resource SHOULD, if
>>         possible, consult the resource developer to discuss potential
>>         impact due to
>>         deprecation and plan for possible transition to a recommended
>>         resource(s)"
>>
>>         There is a contradiction between section 5's "Deprecated
>>         resources SHOULD keep
>>         functioning as before" and the Security Consideration's
>>         "Deprecated resources
>>         MUST function (almost) as before,"
>>
>>         In both cases, "function as before" is not really what you
>>         mean. "function as
>>         they would have without sending the deprecation header" is
>>         closer. As written,
>>         (particularly if the MUST above is what you intend), this
>>         puts an unverifiable
>>         requirement on the resource. I suggest changing the language
>>         similar to what I
>>         suggested you mean. Or, better, step back and reformulate
>>         this as a simple
>>         statement that the presence of a Deprecation header is not
>>         meant to signal a
>>         change in the meaning or function of a resource in the
>>         context of this
>>         response, and avoid using 2119 keywords.
>>
>>         I realize that Appendix A won't appear in the resulting RFC,
>>         but the drafts
>>         will still be in the archive. Calling an internet draft an
>>         implementation and
>>         an organization is just strange. Revising the draft to use a
>>         separate section
>>         (or just a sentence) to say
>>         draft-loffredo-regex-rdap-jcard-deprecation is a
>>         specification that says to use this mechanic would make more
>>         sense than listing
>>         it as an implementation.
>>
>>         Since the WG felt using structured fields was important for
>>         this header,
>>         consider creating a Structured-Sunset header field.
>>
>>
>>