Alex Rousskov <rousskov@measurement-factory.com> Tue, 30 April 2013 20:48 UTC

Return-Path: <ietf-http-wg-request@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 0CA2A21F9C2F for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 30 Apr 2013 13:48:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.299
X-Spam-Status: No, score=-10.299 tagged_above=-999 required=5 tests=[AWL=0.300, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id 0PFhB9+D05hL for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 30 Apr 2013 13:48:27 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org []) by ietfa.amsl.com (Postfix) with ESMTP id 72BDC21F955A for <httpbisa-archive-bis2Juki@lists.ietf.org>; Tue, 30 Apr 2013 13:48:16 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.72) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1UXHRl-0003C0-4f for ietf-http-wg-dist@listhub.w3.org; Tue, 30 Apr 2013 20:46:45 +0000
Resent-Date: Tue, 30 Apr 2013 20:46:45 +0000
Resent-Message-Id: <E1UXHRl-0003C0-4f@frink.w3.org>
Received: from lisa.w3.org ([]) by frink.w3.org with esmtp (Exim 4.72) (envelope-from <rousskov@measurement-factory.com>) id 1UXHRb-0003AX-H2 for ietf-http-wg@listhub.w3.org; Tue, 30 Apr 2013 20:46:35 +0000
Received: from measurement-factory.com ([]) by lisa.w3.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.72) (envelope-from <rousskov@measurement-factory.com>) id 1UXHRa-0001VG-6u for ietf-http-wg@w3.org; Tue, 30 Apr 2013 20:46:35 +0000
Received: from [] (localhost []) (authenticated bits=0) by measurement-factory.com (8.14.3/8.14.3) with ESMTP id r3UKk9sP032585 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT) for <ietf-http-wg@w3.org>; Tue, 30 Apr 2013 14:46:11 -0600 (MDT) (envelope-from rousskov@measurement-factory.com)
Message-ID: <51802D89.6000001@measurement-factory.com>
Date: Tue, 30 Apr 2013 14:46:01 -0600
From: Alex Rousskov <rousskov@measurement-factory.com>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20130329 Thunderbird/17.0.5
MIME-Version: 1.0
To: IETF HTTP WG <ietf-http-wg@w3.org>
References: <D69329FD-7456-46C5-BE24-6E7EE7E48C39@mnot.net>
In-Reply-To: <D69329FD-7456-46C5-BE24-6E7EE7E48C39@mnot.net>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit
Received-SPF: pass client-ip=; envelope-from=rousskov@measurement-factory.com; helo=measurement-factory.com
X-W3C-Hub-Spam-Status: No, score=-2.5
X-W3C-Hub-Spam-Report: RP_MATCHES_RCVD=-2.509, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001
X-W3C-Scan-Sig: lisa.w3.org 1UXHRa-0001VG-6u dc3b0d8935c42f478fb046e3dcfb9560
X-Original-To: ietf-http-wg@w3.org
Subject: WGLC: p2 MUSTs
Archived-At: <http://www.w3.org/mid/51802D89.6000001@measurement-factory.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/17733
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>


    These comments are based on the "latest" snapshot dated Tue 30 Apr
2013 07:24:09 AM MDT at

I hope these comments can be addressed by editors alone, but I apologize
in advance if some are found too controversial and should have been sent

> The CONNECT method requests that the recipient establish a tunnel to
> the destination origin server [...], until the connection is closed.

The "until the connection is closed" part is misleading and inaccurate.

There are two connections in a CONNECT tunnel: (a) between a CONNECT
sender and CONNECT recipient and (2) between CONNECT recipient the the
next HTTP hop. The tunnel termination condition is rather complex and is
detailed later in the same section. It may be a good idea to drop the
"until..." part. At least I cannot suggest a way to describe it
correctly as an ending of an already long sentence :-).

> When a tunnel intermediary detects that either side has closed its
> connection, any outstanding data that came from that side will first
> be sent to the other side and then the intermediary will close both
> connections. If there is outstanding data left undelivered, that data
> will be discarded.

These "will"s should be rephrased as intermediary MUSTs IMO. I also
suggest moving them higher, before the informal risk discussion.

> A client MUST NOT send header fields in a TRACE request containing
> sensitive data

The above rule seems too onerous to proxies. Replace "MUST NOT send"
with "MUST NOT generate"?

> Use of the 100 (Continue) Status
> Requirements for HTTP/1.1 clients:
> Requirements for HTTP/1.1 proxies:

Should we explicitly exclude proxies from the first group of
requirements by saying "Requirements for user agents" instead of
"Requirements for clients"?

> MUST contain an updated Max-Forwards field with a value decremented by one (1).

A lot of proxies violate this MUST because they cannot grok and, hence,
cannot decrement large integer values. Interoperability problems might
happen when a client generates Max-Forwards with a maximum value it can
store (e.g., to count the number of hops to the origin server) but the
proxy cannot store such a large value (e.g., 64bit vs 32bit).

Perhaps we can relax this rule by allowing proxies to decrement by "at
least one", so that a huge value can be replaced with the maximum value
the proxy can represent?

> A client MUST be prepared to accept one or more 1xx

Drop "be prepared" to demand acceptance rather than preparedness?

> Proxies MUST forward 1xx responses, unless the connection between the
> proxy and its client has been closed,

This "unless" clause should be dropped as implied. Otherwise, we would
have to add it to every "MUST forward" requirement! :-)

> A sender MUST generate the IMF-fixdate format when sending an
> HTTP-date value in a header field.

Please polish to remove the implication that proxies must fix dates when
forwarding HTTP-date values. For example: "A sender MUST use the
IMF-fixdate format when generating a header field containing an
HTTP-date value".

Or perhaps simply: "A sender MUST generate HTTP-date values in the
IMF-fixdate format".

And here is a list of requirements that are missing an explicit actor on
which the requirement is placed. Most of these should be easy to
rephrase to place the requirement on the intended actor (e.g., "A proxy
MUST" instead of "header field MUST":

> the content codings MUST be listed in the order in which they were applied

> then the resource MUST disable or disallow that action

> The Expect header field MUST be forwarded

> the forwarded message MUST contain an updated Max-Forwards field

> The Max-Forwards header field MAY be ignored for all other request methods. 

> a response with an unrecognized status code MUST NOT be cached. 

Please be careful with "send" and "generate" when fixing the above
actorless rules so that the proxies do not accidentally become
responsible for policing traffic where unnecessary.

Thank you,