Re: [Last-Call] [Wish] Httpdir last call review of draft-ietf-wish-whip-09
Darrel Miller <Darrel.Miller@microsoft.com> Sat, 14 October 2023 17:33 UTC
Return-Path: <Darrel.Miller@microsoft.com>
X-Original-To: last-call@ietfa.amsl.com
Delivered-To: last-call@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6F455C1AE9F4; Sat, 14 Oct 2023 10:33:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.109
X-Spam-Level:
X-Spam-Status: No, score=-2.109 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PRWJ3eyNZbPS; Sat, 14 Oct 2023 10:33:12 -0700 (PDT)
Received: from NAM06-DM3-obe.outbound.protection.outlook.com (mail-dm3nam06on2113.outbound.protection.outlook.com [40.107.64.113]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DD0A3C1AE9F6; Sat, 14 Oct 2023 10:33:11 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Bi0k5GLmBgZZgq8oFOWD/M1qBz+tyEDTGDNvjdhTS2j6fX2oGfDSXaBbBTLaTz6Fg+PSZWkqJegaDwK14R2ovfEB4zhuQzLLTVoNa/vt4gyDkTL2LflOZ1xWpXHCs8ggsR0BvBEkp554dTllc/GpJj+0CPGWrcTFNh9t0p4gvgPENPB8KHITEYU1DoWe1rjye/errq+Axk/a9LpPT5rLSPiNVCBR2L7OL5wbnR57Ui9pk4qrAu+ShPyLDofiP1mH2cq70ZDKIjZ+H+2XQek8i+phNJvPF3eh8FSysp9PuUcXHf+apIotIsCbDTbvfE3r1jo5tg8Oxb2W5OGr4tCD2A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=yvV+/HLoTMfni4fDXTlj1IzCQCWXng1b5T38dTr4hBY=; b=cj49MEPRFD1kC5naOScXAO9UM00OxSbE2AsmCyS2gKjmNRoA5Ph8gi3zOzI8//dUa8e8A9R9po+OlJrDEukTUPsvOb/rSgAL+/b27QTC/mcqp2s0/1iL/G6PU96rhlIWnoaK2cei9oBU4yQ2RcJYTwfEK2Sq8nBWUr4EZ+Uda5wS1rwU7G/BPD+SLTuAIMmvIiYeNraObgNhZupsZbIJsBMz07krFktVhPoKXTxMpdQVRnIg3cbE9NtxJ2Qw1QefDdPbU3ez63tIwT4qnnHKO7YcJcD/sCt70zg8gP/OsaBX7a0BHdIBHjADXGgzpePDmmiA8ekUg+TPGecMmvH2UA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=microsoft.com; dmarc=pass action=none header.from=microsoft.com; dkim=pass header.d=microsoft.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=yvV+/HLoTMfni4fDXTlj1IzCQCWXng1b5T38dTr4hBY=; b=CD+K0XrKocpi57QmMoifWKm3af5IwU8Pa8CeBEQBjlFxE/vIEuJyMB+31e8PnEEDjK8MxVQRspOU7gADk3y9E3g47UzXFNe5EMLuE2RhljvYRJkBP2clzKLqHsQzK5ol+ecCPC0SH8qhw3a7DxfT8fZI9ZVwjj3cDHj9rq65LBo=
Received: from CH2PR00MB0663.namprd00.prod.outlook.com (2603:10b6:610:a9::16) by SA1PR00MB1462.namprd00.prod.outlook.com (2603:10b6:806:29f::16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6932.0; Sat, 14 Oct 2023 17:33:03 +0000
Received: from CH2PR00MB0663.namprd00.prod.outlook.com ([fe80::dff:fc2b:e033:69c5]) by CH2PR00MB0663.namprd00.prod.outlook.com ([fe80::dff:fc2b:e033:69c5%7]) with mapi id 15.20.6922.000; Sat, 14 Oct 2023 17:33:03 +0000
From: Darrel Miller <Darrel.Miller@microsoft.com>
To: Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com>
CC: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>, "draft-ietf-wish-whip.all@ietf.org" <draft-ietf-wish-whip.all@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>, "wish@ietf.org" <wish@ietf.org>
Thread-Topic: [Wish] Httpdir last call review of draft-ietf-wish-whip-09
Thread-Index: AQHZ9KDU1sgMlm6DPkuiGi6dhcy2HbA33VuAgBGgTZs=
Date: Sat, 14 Oct 2023 17:33:02 +0000
Message-ID: <CH2PR00MB0663141DA1563DC0C80A20D0F0D1A@CH2PR00MB0663.namprd00.prod.outlook.com>
References: <169618970987.57709.10135041088067281613@ietfa.amsl.com> <CA+ag07Yr2yQvXWEYwRj5dsnfc2bcX=KQvpGUUx9HWO3c7bV-4g@mail.gmail.com>
In-Reply-To: <CA+ag07Yr2yQvXWEYwRj5dsnfc2bcX=KQvpGUUx9HWO3c7bV-4g@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=True; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2023-10-14T17:33:00.758Z; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=General; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ContentBits=0; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Method=Standard;
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=microsoft.com;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: CH2PR00MB0663:EE_|SA1PR00MB1462:EE_
x-ms-office365-filtering-correlation-id: 62e3d481-3b80-4bac-2120-08dbccdb9e4c
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: hG58pJYNts2ZLh/kQV0sO2lqYTK46yD600DL+W3a8QFE5jR8TOnUIQiCKyxJowmFFfNCOuWWTwLsrzYWCoD5i5ff/ipE5t5iKUH5ZNXoBH+sVkfCkfu9Nt7TNq/w03dsbFR+JFDSPvcUoQiyQ1esGDlkhTQWBGsPV4YstZdBfYeBaskc7+c1Bi7UH/hrO/KQ6uVlPmMhiSasxEvtYuKpYoD3wQlkv2u6AVJ894zRE0u+P71SOx4gpRpW72+w7JyW9wgqMa7CLM0YBDB7tGXA85KKZ1P9QlR3jThi4Lg00tbMqZNBwE37efEbYFcbh1k09+6vbXzMue9JXzYWmxgi0Y/Wgyaw92304WzOep4w6vDHNr/lhgwHI8WYm9kshekmlOSPoaIC0YTpdbRoqxlv32Gut4n5oLYqu05SCO3qR61aSXX96QqX6hjXrJxYHuFgB1MmTAo5ZNLWvNCV0m8x2ZBmRjYvQcSdIYHZJZcnZiRnVZOqmeytHvTEHEAX+AO75NN4f4+y/QRicSRYb6qqy1/AOofInRJVVFQ5sh4obCkRs3dR/df5O/Zvr8HOPLyZ6jcmm9bkMNdx1B9bFwxsCk6ZTcrYRtlGXjRA6meNRbwDngMTToPlNwdPi8i1zj9dnhFPHL8YrreHkq/w/so83LHn9V9kFzwPeQ839qOYS7R3It9vvKmgy0a3KMYCSUeH
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CH2PR00MB0663.namprd00.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230031)(366004)(376002)(346002)(39860400002)(136003)(396003)(230922051799003)(186009)(64100799003)(1800799009)(451199024)(9686003)(966005)(10290500003)(1015004)(19627405001)(8936002)(8676002)(71200400001)(478600001)(4326008)(53546011)(7696005)(6506007)(55016003)(66476007)(66946007)(66446008)(6916009)(66556008)(64756008)(54906003)(316002)(86362001)(30864003)(166002)(26005)(38070700005)(38100700002)(2906002)(5660300002)(91956017)(33656002)(76116006)(82950400001)(82960400001)(8990500004)(122000001)(41300700001)(52536014)(83380400001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: 0XNEFIQ/hOq4paOPG/UCLEtLQwQBsfGLW0sCwMiJZUUT9SpQkQ58MwX8YrxpNKDIDZPN3EMuyP/1EVEf8CkuHrC6S2chm+ObI+BCIuc+c6XbJnef6QckAV9RBSOEM/LKXjKLRhBwWyhzLdt1pnpsfjaihIl54+dRsyku3rr9XDTBRCiG+nTA5yj85+PXYZNp9/0NIgYyOR33kdVfQHxKJLiaPKcr5fLNaVIQUCfT02wLkeq3dhlUWOtPUepayGhfBhUl2VOB/pq0pQC923wA3HDJPqN6+Hrq6ZPe4a3sxAbLk/qDreP7gQaJqovs6+zLXn6sAPMCF7Qb30rTff2r2ci7R3vjuJ/iEj7iXvLie5HCShR17RJHMpw2miurWgoGzgZvCp1Gow8Xb2+6WXt+OYN3VWzGU2NkQs2UJi7ZdjXZyP4hDoDCI23/vaJXSikN8quUKGNal8d9NXo1EMH96oGQ+foz14mxTZGj6Jh5Z9/Ws53jX8T/tC1gOQSPShAzjaWat7O/tECfE62EPF1R4f2eRJTV5j1k3/yP+ZCzdsejqNMz71oKyUDxsiG25delVK8Ruw4gCD/kIf9lkrmhUVxmrbQlj2XPlZS714uXZ7OsG/AzTWnQxq9GeIZyhUl9j4VEwmtC3ArC0Q2FzqGWAyXWK0on1OWGlkDpgq6SY35YVm7+NPoSUulgVz517cDu0TiHk6v/ybg3lTkCd+Nc3M0lWovIINrJ0BCFjOVbacUb+4X6TfGSWftZZrahARs4e7PC9pd7Ke9dke03ll7GFM6Ku3z4zDJYx6N26G/Da0LDRC5UCmnhveDPeCPOvI+HaaN+qEV8l3PQTSPz19EWVL//AlYMTKlM8XPly8Cwjy8nqVjcNo8uEzHIVkZleBlBeQU4uaUklCpesWq9/s0QBcpS4FZHpt4UXB70dyegpC9m0oLjUxbO2a1Rah6I43aYQ3YFHPcuoJMk3syjlziTkjRwnHqcetPObWmunzXZ3gtQRELZU59AzPGnWno2RfYEaq/9bMwLHmKR1l5U7pxLf26DzXA+SwMw0663a7Ng4wnwGsCC+r1lkwB+AcRzbNuRjrpvAwXK1ZQEqmOhnBAlYzV27z9O6dbgmZyC7UD0oG3Q+r3lb09yhs2P9f0JnegnOq6cHkcP5xjIffChef4dk8eBwODpGZ3DTS2UA9Nduwj2UO3BYqvfQuAxiUm6iLoNnU6TyziMddIAFf1YKC3+X6lZ6bKBOYW92LqFv3A8qpoCRYvJIHOlTniblgjmo1NX5EPLXkoo+8pxo1k4khiP9DJkBCx29eowPtun6bY+6lHjzBQSJLWX9U2dOZq8hrGZh1rjKyFR+w87vqYz88jDs+DS+5I5I1ONQTjkRk5H/Xm4hLY52Yc1J5v2L40btXRVE82hGyTGpoHH9RjsePHvD+GpengI2UWL6XA0Njt/UUy9k4ieJClT9EBSFXJCzduJfYmPacOHld3IQmytIujTg4EEvY96p5YsAFasQ/AuN2Nac8sSRFGdHfUIazKGXCUUCChfJPjOBh2QAttU1a+tkxm9Vb03R96drOv1F+qonKw=
Content-Type: multipart/alternative; boundary="_000_CH2PR00MB0663141DA1563DC0C80A20D0F0D1ACH2PR00MB0663namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: CH2PR00MB0663.namprd00.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 62e3d481-3b80-4bac-2120-08dbccdb9e4c
X-MS-Exchange-CrossTenant-originalarrivaltime: 14 Oct 2023 17:33:02.8192 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: CHegmTi4z6gOhdPl4C9W7drUVVhy/1FCm0hxT3m+wvO5lkjjML1XLwmn49ncRFFyVULytffsDgshr4zwcCs8ig==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SA1PR00MB1462
Archived-At: <https://mailarchive.ietf.org/arch/msg/last-call/Cng133Wx8gDdMBoA_7FzaggJp2E>
Subject: Re: [Last-Call] [Wish] Httpdir last call review of draft-ietf-wish-whip-09
X-BeenThere: last-call@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF Last Calls <last-call.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/last-call>, <mailto:last-call-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/last-call/>
List-Post: <mailto:last-call@ietf.org>
List-Help: <mailto:last-call-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/last-call>, <mailto:last-call-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 14 Oct 2023 17:33:16 -0000
Hi Sergio, > the term Endpoint is quite established in rest APIs and I would prefer to keep it. I agree that is used extensively. In my experience I have seen it inconsistently. This article tries to explain what it is https://www.cloudflare.com/en-ca/learning/security/api/what-is-api-endpoint/ but what it seems to be describing is a resource. As I don't have a significantly better suggestion, I withdraw my objection. > Given that there is no normative language in the paragraph would you be ok to keep it but adding a reference to the proper specification of how to perform an HTTP POST correctly? That seems like a reasonable compromise. I would ask that you emphasise where this document defines further constraints on what RFC 9110 specifies. > Could it be possible to use 422 Unprocessable Content instead? If you believe that returning a 422 will allow clients to do something different than they would if they received a 400, then I have no objection to using 422. 400 is a generic catch all for any 4XX class error, so there is nothing semantically incorrect with using 400, it just isn't very specific about the problem. If you want to attach some specific semantics to 422 within the WHIP protocol, that can be used by the client, then that is reasonable. > I am concerned that we won't have a compliant implementation doing etags correctly if we don't describe the process in detail here. > Which parts of the paragraphs are you more concerned about, and is any of the mandatory text going against the conditional request spec? I'm concerned that I can't tell whether I just need to use an Etag to make a conditional request, as I would with any other HTTP API. I have to go through the effort of reconciling the words in this paragraph with those in RFC9110 to know if this protocol layers on new constraints. This is made more difficult by the fact that it has four MUSTs in the paragraph and finishes with a statement that invalidates the MUSTs. I have attempted to reword the paragraph with this: DM> WHIP sessions that support ICE restarts MUST return a strong ETag as per [RFC9110] Section 8.8.3 in a successful response to a POST to the WHIP Endpoint. DM> Successful PATCH requests to WHIP sessions that trigger a restart MUST return an updated ETag. This rewording made me ask the question, what happens when a PATCH doesn't trigger a restart. Then I read your response to my last concern and I realized that the protocol is suggesting that a PATCH that doesn't trigger a restart returns a 204 and does not include a Etag. I had not realized this on first read but it is directly related to my comment that layering addition semantics onto 200 vs 204 is not advisable. I would recommend clarifying the unusual handling of Etags with an additional sentence like : DM> Successful PATCH requests to WHIP sessions that do not trigger a restart MUST not return an updated ETag. Regarding the use of 200 vs 204 to convey two distinct server behaviors, I personally do not like it and I think people will find it confusing. However, I cannot point you to a specification that says you must not do this. I would highly recommend emphasizing these two distinct interactions. Maybe you could create two headings, one for "WHIP Session update with restart" and one for "WHIP Session update without restart". I don't think I really understand the scenario well enough to suggest solutions, but I would ask why not use a weak validator that conceptually corresponds to the session identifier and therefore could be returned unchanged when doing a PATCH that doesn't do a restart. That way a PATCH could always return a 200. Or return whatever the client asks for using the prefer header. > I would prefer to keep 400 for sdp parsing errors, could we use 422 Unprocessable Content instead? The SDP is valid, but the semantics aren't. Ok. But I would suggest you consider what the client is going to do differently when it processes SDP parsing errors vs SDP semantic errors. Are there actually two code paths? > Would it be fine to remove the normative language on the second part and maybe just state that the "WHIP clients MUST support HTTP redirection" and referencing the http specs for the proper error codes? That seems like a reasonable compromise. Section 4.5 This section said that WHIP clients MUST implement HTTP Auth using a bearer token, but prescribes no constraints on what kind of bearer token. Considering this open ended security definition, what is the benefit of preventing the use of other HTTP Auth schemes such as the ones registered here https://www.iana.org/assignments/http-authschemes/http-authschemes.xhtml ? > Interoperability. The implementators of the WHIP clients are not going to be the users of them, and they should be able to interoperate with any WHIP service., so I need to specify at least a common authentication method. > Nothing precludes WHIP clients to add more authentication methods if they want. There is really nothing interoperable about requiring the bearer authentication scheme, other than the keyword in the auth header. The text states that the auth scheme MUST be "bearer". That does preclude clients adding more authentication methods. Regards, Darrel ________________________________ From: Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com> Sent: Tuesday, October 3, 2023 6:21 AM To: Darrel Miller <Darrel.Miller@microsoft.com> Cc: ietf-http-wg@w3.org <ietf-http-wg@w3.org>; draft-ietf-wish-whip.all@ietf.org <draft-ietf-wish-whip.all@ietf.org>; last-call@ietf.org <last-call@ietf.org>; wish@ietf.org <wish@ietf.org> Subject: Re: [Wish] Httpdir last call review of draft-ietf-wish-whip-09 Hi Darrel, Thank you very much for your review and comments. I will try to answer some of them inline, but probably will have to start a new thread with some of them as I expect quite a bit of discussion before getting to an agreement. On Sun, Oct 1, 2023 at 9:48 PM Darrel Miller via Datatracker <noreply@ietf.org<mailto:noreply@ietf.org>> wrote: Reviewer: Darrel Miller Review result: Almost Ready I reviewed this document as part of the HTTP Directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the HTTP Area Directors. Document authors, document editors, and WG chairs should treat these comments just like any other IETF Last Call comments. Summary: Has Issues Major Concerns Section 2: Terminology Considering this is a protocol layered on top of HTTP it would be useful to be consistent with HTTP terminology. "Endpoint" is not a term defined in HTTP, but "resource" is. Calling two distinct protocol concepts "WHIP Endpoint" and "WHIP Resource" is confusing from an HTTP perspective as they are both HTTP resources. Based on my reading, and limited understanding of the domain, terms such as "WHIP Session Factory" and "WHIP Session" would be more appropriate for these resources. While the "WHIP Endpoint" is acting as a WHIP session/resource factory, the term Endpoint is quite established in rest APIs and I would prefer to keep it. I understand the concern about the WHIP resource, and I wouldn't mind changing it to WHIP session to avoid the naming collision with HTTP resources. Section 4 : Protocol Operation The second paragraph describes how to create a session resource using HTTP POST. This is standard HTTP behaviour and should not be respecified here. For example, simply saying, "HTTP POST request is used with application/sdp content to create a WHIP session resource" should be sufficient. I have received comments in the opposite direction in the past about not being described enough with how the protocol operates. Also some of these texts came from early implementations doing crazy things for the HTTP POST Given that there is no normative language in the paragraph would you be ok to keep it but adding a reference to the proper specification of how to perform an HTTP POST correctly? It is not clear to me if the response returned is a "status of the request" as per RFC9110 or a representation of the "WHIP Resource" pointed to by the Location header. If it is the latter, then including a Content-Location header would be useful to clarify this. I have not found the definition of the "status of the request" anywhere, but the SDP answer is definitely not a representation of the WHIP Resource/Session, so I would say it is the former. 4.1. ICE and NAT support > If the WHIP resource supports either Trickle ICE or ICE restarts, but not both, > it MUST return a "405 Not Implemented" response for the HTTP PATCH requests that are not supported. "405 Not Implemented" appears to be a mistake. I presume this should say "405 Not Allowed" However, this does not seem like the appropriate status code. Per the text, PATCH is definitely supported. However, the specific request being made with PATCH is not allowed. This seems more like a 400 Bad Request or possibly a 409 conflict. The second case when PATCH is not supported for any purpose seems more suited to returning "405 Not Allowed". 501 Not Implemented is recommended for use when no resource on the origin server supports the method. That does not seem to be the case here. Changing the 501 by a 405 makes sense. In case of the server supports PATCH for certain ICE operations, but not for others, sending a 400 bad request doesn't seem appropriate: > The 400 (Bad Request) status code indicates that the server cannot or will not process the request due to something that is perceived to be a client error (e.g., malformed request syntax, invalid request message framing, or deceptive request routing). Neither 409, as the client can't really solve the conflict (as there is no conflict). Could it be possible to use 422 Unprocessable Content instead? The paragraph that describes using conditional requests, should state that PATCHing a WHIP Resource MUST use conditional requests using a strong eTag and not attempt to respecify how conditional requests work. I am concerned that we won't have a compliant implementation doing etags correctly if we don't describe the process in detail here. Which parts of the paragraphs are you more concerned about, and is any of the mandatory text going against the conditional request spec? Also, the "WHIP Resource" should return a 428 to indicate a missing eTag header. Will add it, thank you! The latter part of the paragraph seems to contradict the earlier part of the paragraph by stating that conditional requests are only sometimes required. Perhaps what this paragraph is trying to say is "if the WHIP Endpoint returns an eTag when creating the session, then a client MUST PATCH the session using that eTag in a conditional request header". Yes, but also mandate that the whip server must use conditional requests if it supports ice restarts. In general, using status codes 200 and 204 to communicate different application success semantics seems like a stretch of HTTP semantics. e.g. 200 means successful ICE restart but 204 means a successful or partially successful addition of candidates without a restart. PATCH is designed to be used with "PATCH aware" media types and application/trickle-ice-sdpfrag does explicitly call out how it behaves with the PATCH method. One alternative would be to create an "envelope type" PATCH aware media type that contains the application/trickle-ice-sdpfrag content but also has place to communicate the kind of application semantics that are currently being tunneled via HTTP status codes. For example, what would happen if it became desirable to communicate to a client which candidates were not able to resolve a connection address? The current choice to use 204 means it is not possible to return information in the response body to communicate this failure. Not sure if I understand this in full. But let me add some clarifications: - There is no possible failure when adding remote candidates as it just means that the ICE agent will start performing a connectivity check but does not change the status of the ICE agent. It is perfectly fine for those ice candidates checks to fail. Moreover, an initial check doesn't preclude a failure later on. - And ICE restart changes the state of the ICE agent, and a new username/frag must be communicated back to the client Due to that we use 200 ok for ice restarts (with body) and 204 for trickle ice (without body). Section 4.2 "406 Not Acceptable" error response should not be used to indicate bad request content. A 400 status code is more appropriate. I would prefer to keep 400 for sdp parsing errors, could we use 422 Unprocessable Content instead? The SDP is valid, but the semantics aren't. Section 4.3 > WHIP clients SHALL support HTTP redirection via the "307 Temporary Redirect" > In case of high load, the WHIP endpoints MAY return a "503 Service Unavailable" response indicating that the server is currently unable to handle the request due to a temporary overload or scheduled maintenance, which will likely be alleviated after some delay. The WHIP endpoint might send a Retry-After header field indicating the minimum time that the user agent ought to wait before making a follow-up request. This content seems appropriate for a best practices or implementers guide and not normative text. What is being described is standard HTTP behaviour and does not need repeating. The danger of repeating subsets of HTTP language in normative text is that it raises questions such as "Can I return 301 instead of 307?" "Should the client expect to get a 502 instead of 503?" This document should limit itself to including text that further constraints the use of HTTP. Would it be fine to remove the normative language on the second part and maybe just state that the "WHIP clients MUST support HTTP redirection" and referencing the http specs for the proper error codes? Section 4.5 This section said that WHIP clients MUST implement HTTP Auth using a bearer token, but prescribes no constraints on what kind of bearer token. Considering this open ended security definition, what is the benefit of preventing the use of other HTTP Auth schemes such as the ones registered here https://www.iana.org/assignments/http-authschemes/http-authschemes.xhtml ? Interoperability. The implementators of the WHIP clients are not going to be the users of them, and they should be able to interoperate with any WHIP service., so I need to specify at least a common authentication method. Nothing precludes WHIP clients to add more authentication methods if they want. Nits: Section 2: Terminology It would be good to add definitions of ICE, SDP, DTLS to the terminology section. SDP is defined in the introduction but ICE and DTLS isn't . The definition of WHIP Endpoint and WHIP Endpoint URL seems redundant. Same for WHIP Resource. All HTTP resources have URLs. There isn't usually a need to describe the URL independently. This was raised by other reviews too, I have a tentative change here: https://github.com/wish-wg/webrtc-http-ingest-protocol/pull/130/files Would this be better to you? Section 4.1: ICE and NAT Support A reference for ICE ufrag/pwd pair would be helpful. References to RFC 9110 section 3.1 should be to section 13.1 Will add them Section 4.7 I believe "and the URI for the HTTP resource" should be "and the URL for the HTTP resource". Will change it. Best regards Sergio
- [Last-Call] Httpdir last call review of draft-iet… Darrel Miller via Datatracker
- Re: [Last-Call] [Wish] Httpdir last call review o… Sergio Garcia Murillo
- Re: [Last-Call] [Wish] Httpdir last call review o… Darrel Miller