Re: [core] Last Call: <draft-ietf-core-etch-02.txt> (Patch and Fetch Methods for Constrained Application Protocol (CoAP)) to Proposed Standard

"Roy T. Fielding" <> Fri, 26 August 2016 20:40 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 66C4312D82A; Fri, 26 Aug 2016 13:40:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id p0NpddZ7rm3S; Fri, 26 Aug 2016 13:40:04 -0700 (PDT)
Received: from ( []) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 8E50F12B02F; Fri, 26 Aug 2016 13:40:04 -0700 (PDT)
Received: from (localhost []) by (Postfix) with ESMTP id D4F45801B02E; Fri, 26 Aug 2016 13:40:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed;; h=content-type :mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to;; bh=xJz+DniU1Gv/w07tfAEw/7GHDEI=; b=rIuQmAIjUwhSM5x48fUwT47UHi0g GJv7J/bK0S4I2A88XP9TIRY6ZnByk772itt6HWBccOqEGNab/+U2Kkq2WZG/GUKW mbf0J7y9uYf7bJKyVNN/FOifbqkt7Fb0C4BaxYQPpQ1VPTShxWRJ26Um1Q8YwJTx KyxX8LIMK/tM79k=
Received: from [] ( []) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: by (Postfix) with ESMTPSA id A8ABF801B00C; Fri, 26 Aug 2016 13:40:03 -0700 (PDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\))
Subject: Re: [core] Last Call: <draft-ietf-core-etch-02.txt> (Patch and Fetch Methods for Constrained Application Protocol (CoAP)) to Proposed Standard
From: "Roy T. Fielding" <>
In-Reply-To: <>
Date: Fri, 26 Aug 2016 13:40:03 -0700
Content-Transfer-Encoding: 7bit
Message-Id: <>
References: <> <> <>
To: Carsten Bormann <>
X-Mailer: Apple Mail (2.2104)
Archived-At: <>
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF-Discussion <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 26 Aug 2016 20:40:06 -0000

> On Aug 24, 2016, at 10:54 PM, Carsten Bormann <> wrote:
> "Roy T. Fielding" <> writes:
>>> The document has a reference to obsolete RFC 2616, this is intentional.
>> What is that supposed to mean?  The reference is intentionally wrong?
> RFC 7252 is referencing RFC 2616 for its security considerations,
> because the RFC 723x series wasn't out yet at the time CoAP was
> completed.  draft-ietf-core-etch references RFC 7252 for its security
> considerations.  This implies a reference to RFC 2616 as well, which we
> decided to make explicit (it's hard to be explicit enough about security
> considerations).  We could change that to leave it implicit, rendering
> the downref less visible.

If you think security considerations are important, they should be included
in the draft and specific to the additions made by that draft.  Specifying
them by reference to HTTP would have made sense if you had specified CORE
semantics by reference to HTTP (instead, the method definitions were copied,
which creates a fork of the protocol).

Regardless, this draft does not change the security considerations of RFC7252
(nor 2616, nor 7230).  There is no reason to reference considerations that
are not applicable to the *changes* introduced by this draft. 7252 is already
a normative requirement and its normative dependency on 2616 is not changed
by 2616 becoming obsolete -- the text is effectively imported by reference.

If there are NEW security considerations introduced by ONLY the addition
of these two methods to the semantics of CORE, then that is what should
be in the security considerations of this draft.  Just that and a generic
link to RFC7252's security section.  Nothing else.

>> I looked at the text and it should be referencing section 9 of RFC7231,
>> not section 15 of RFC2616.  Just fix the reference or remove it entirely
> While we could add RFC 7231 to the above reference (which, as I said is
> already implicitly there), a single security considerations section out
> of one of the RFC 723x documents does not cover the entire security
> considerations of RFC 2616 (e.g., section 15.7 does very much apply,
> some of which seems to have been moved to RFC 7234).  Do you see
> anything specific in RFC 7231 that we should cover that isn't mentioned
> in RFC 2616?

It doesn't matter -- they are not relevant to these two methods.
If there is something relevant from HTTP caching, then just copy
the text and make it specific to these two methods.

HTTP semantics could have been used verbatim by CORE, without any
changes, so a normative reference to RFC 7231 (HTTP Semantics) would
have been appropriate IF the CORE methods and status codes were specified
by reference and not forked into your spec.

My long-term advice would be to delete 50% of CORE spec and replace
that with normative references to HTTP, but I wouldn't bother until after
HTTP/1.1 advances to Standard status.

> We could use draft-ietf-core-etch more or less randomly as the point
> where we finally clean up the editorial issues caused by the sharding of
> RFC 2616.  The authors so far did not see a reason to do that exactly in
> this document, which describes functionality not really touched by that
> sharding.  Should we, anyway?

No, we can't make updates to a proposed standard more or less randomly.
They have to be within scope and reviewed by the right folks.
Method specs (which define optional features to be deployed at leisure)
are not the place to make updates to the underlying protocol.
People who are not implementing a given method should feel free to
ignore its specification.

I would actually go further and say that these two methods should have
been specified in two separate documents, but it's far too late for that


Roy T. Fielding                     <>
Senior Principal Scientist, Adobe   <>