[hybi] -09: abstract and introduction
Peter Saint-Andre <stpeter@stpeter.im> Wed, 15 June 2011 21:10 UTC
Return-Path: <stpeter@stpeter.im>
X-Original-To: hybi@ietfa.amsl.com
Delivered-To: hybi@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 73BF111E8080 for <hybi@ietfa.amsl.com>; Wed, 15 Jun 2011 14:10:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wd5ugiL8CpmX for <hybi@ietfa.amsl.com>; Wed, 15 Jun 2011 14:10:44 -0700 (PDT)
Received: from stpeter.im (mailhost.stpeter.im [207.210.219.225]) by ietfa.amsl.com (Postfix) with ESMTP id 0571B228005 for <hybi@ietf.org>; Wed, 15 Jun 2011 14:10:44 -0700 (PDT)
Received: from leavealone.cisco.com (72-163-0-129.cisco.com [72.163.0.129]) (Authenticated sender: stpeter) by stpeter.im (Postfix) with ESMTPSA id 5D4A1400A5 for <hybi@ietf.org>; Wed, 15 Jun 2011 15:11:00 -0600 (MDT)
Message-ID: <4DF91FCA.8060403@stpeter.im>
Date: Wed, 15 Jun 2011 15:10:34 -0600
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2.17) Gecko/20110414 Thunderbird/3.1.10
MIME-Version: 1.0
To: "hybi@ietf.org" <hybi@ietf.org>
X-Enigmail-Version: 1.1.1
OpenPGP: url=http://www.saint-andre.com/me/stpeter.asc
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha1"; boundary="------------ms010503060100060909000309"
Subject: [hybi] -09: abstract and introduction
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Jun 2011 21:10:45 -0000
I've started reviewing -09. For several reasons (mostly because my review time keeps getting interrupted), I'll provide feedback by section. This set of comments is mostly editorial. The abstract seems over-specific. I suggest deleting the parentheticals and putting them in a slightly-longer first paragraph in the intro (before Section 1.1). Section 1.1 has always struck me as strange. It sounds as if we're developing an IM protocol here! I suggest: Historically, creating Web applications that need bidirectional communication between a client and a server (e.g., instant messaging and gaming applications) has required an abuse of HTTP to poll the server for updates while sending upstream notifications as distinct HTTP calls. [RFC6202] I think it would also be helpful to provide an additional paragraph at the end of Section 1.1 with a bit of justification for why people who want to write bidirectional Web applications can't simply use existing application protocols such as IRC and XMPP. Yes, port 80 is the one true port, and developers complain that it would be a pain to build protocols like IRC and XMPP directly into a browser, but nothing says it's impossible. BTW [I-D.ietf-httpstate-cookie] is now [RFC6265] (thanks, Adam!). Section 1.3 says: If the server does not wish to accept connections from this origin, it can choose to reject the connection by sending an appropriate HTTP error code. Which code? Section 1.3 says: A JavaScript application cannot set a header starting with "Sec-" via XHR. Why not? What is the nature of the restriction? Section 1.3 says: If the |Sec-WebSocket-Accept| value does not match the expected value, or if the header is missing, or if the HTTP status code is not 101, the connection will not be established and WebSocket frames will not be sent. Do we really mean the following? If the |Sec-WebSocket-Accept| value does not match the expected value, or if the header is missing, or if the HTTP status code is not 101, the browser MUST NOT establish the connection and MUST NOT send WebSocket frames. Section 1.4 uses the term "man-in-the-middle proxies". The term "man in the middle" might lead people to think of man-in-the-middle attacks as in RFC 4949 (BTW, an informational reference to RFC 4949 would be good in Section 2.1). I suggest "middlebox proxies" or "intermediate proxies" or some more neutral term. In Section 1.5, I suggest... OLD: It is expected that metadata would be layered on top of WebSocket by the application layer, in the same way that metadata is layered on top of TCP by the application layer (HTTP). NEW: It is expected that metadata would be layered on top of WebSocket by the application layer, in the same way that metadata is layered on top of TCP by the application layer (e.g., HTTP). This paragraph is hard to read: Conceptually, WebSocket is really just a layer on top of TCP that adds a Web "origin"-based security model for browsers; adds an addressing and protocol naming mechanism to support multiple services on one port and multiple host names on one IP address; layers a framing mechanism on top of TCP to get back to the IP packet mechanism that TCP is built on, but without length limits; and includes an additional closing handshake in-band that is designed to work in the presence of proxies and other intermediaries. Other than that, it adds nothing. Basically it is intended to be as close to just exposing raw TCP to script as possible given the constraints of the Web. It's also designed in such a way that its servers can share a port with HTTP servers, by having its handshake be a valid HTTP Upgrade request mechanism also. I suggest breaking it up into bullet points: Conceptually, WebSocket is really just a layer on top of TCP that does the following: * adds a Web "origin"-based security model for browsers * adds an addressing and protocol naming mechanism to support multiple services on one port and multiple host names on one IP address; * layers a framing mechanism on top of TCP to get back to the IP packet mechanism that TCP is built on, but without length limits * includes an additional closing handshake in-band that is designed to work in the presence of proxies and other intermediaries Other than that, WebSocket adds nothing. Basically it is intended to be as close to just exposing raw TCP to script as possible given the constraints of the Web. It's also designed in such a way that its servers can share a port with HTTP servers, by having its handshake be a valid HTTP Upgrade request mechanism also. Section 1.7 says: By default the WebSocket protocol uses port 80 for regular WebSocket connections and port 443 for WebSocket connections tunneled over TLS [RFC2818]. I know this has been discussed on the list, but how can an entity discover if WebSocket is offered on ports other than 80/443? Would the web server use a redirect to do that? Could it define SRV records? Section 1.9 says: These subprotocol names should be registered as per Section 11.10. To avoid potential collisions, it is recommended to use names that contain the domain name of the subprotocol's originator. Following the trail, we find this in Section 11.10: Subprotocol Identifier The identifier of the subprotocol, as will be used in the Sec- WebSocket-Protocol header registered in Section 11.9 of this specification. The value must conform to the requirements given in Paragraph 10 of Paragraph 4 of Section 5.1 of this specification, namely the value must be a token as defined by RFC 2616 [RFC2616]. In RFC 2616 we find: token = 1*<any CHAR except CTLs or separators> And in RFC 5234 we find: CHAR = %x01-7F ; any 7-bit US-ASCII character, ; excluding NUL So a Subprotocol Identifier is limited to 7-bit ASCII. Given that the domain name of the subprotocol's originator might be an IDNA, how will the originator be able to include their domain name in the identifier? This needs to be specified. More soon. Peter -- Peter Saint-Andre https://stpeter.im/
- [hybi] -09: abstract and introduction Peter Saint-Andre
- Re: [hybi] -09: abstract and introduction Iñaki Baz Castillo
- Re: [hybi] -09: abstract and introduction Iñaki Baz Castillo
- Re: [hybi] -09: abstract and introduction Peter Saint-Andre
- Re: [hybi] -09: abstract and introduction Iñaki Baz Castillo
- Re: [hybi] -09: abstract and introduction Iñaki Baz Castillo
- Re: [hybi] -09: abstract and introduction Simon Pieters
- Re: [hybi] -09: abstract and introduction Iñaki Baz Castillo
- Re: [hybi] -09: abstract and introduction Iñaki Baz Castillo
- Re: [hybi] -09: abstract and introduction Greg Wilkins
- Re: [hybi] -09: abstract and introduction Peter Saint-Andre
- Re: [hybi] -09: abstract and introduction Alessandro Alinone
- Re: [hybi] -09: abstract and introduction Salvatore Loreto
- Re: [hybi] -09: abstract and introduction Alexey Melnikov