Re: [secdir] SecDir review of draft-loreto-http-bidirectional-05

[Peter Saint-Andre <stpeter@stpeter.im>]

Done.

On 1/3/11 12:17 PM, Peter Saint-Andre wrote:
> Super. We'll push out a revised I-D in the next day or two.
> 
> On 1/3/11 12:05 PM, Laganier, Julien wrote:
>> Thanks Pete, what you propose below seems appropriate.
>>
>> --julien
>>
>> Peter Saint-Andre wrote:
>>>
>>> Thanks for your review, and our apologies for the delayed reply.
>>>
>>> On 12/16/10 9:38 AM, Laganier, Julien wrote:
>>>> I have reviewed this document as part of the security directorate's
>>>> ongoing effort to review all IETF documents being processed by the
>>>> IESG.  These comments were written primarily for the benefit of the
>>>> security area directors.  Document editors and WG chairs should treat
>>>> these comments just like any other last call comments.
>>>>
>>>> The document describes "Known issues and best practices for the Use
>>>> of Long Polling and                    Streaming in Bidirectional
>>>> HTTP", and it has the following abstract:
>>>>
>>>> There is widespread interest in using the Hypertext Transfer
>>>> Protocol (HTTP) to enable asynchronous or server-initiated
>>>> communication from a server to a client as well as from a client to a
>>>> server.  This document describes the known issues and the best
>>>> practices related to the use of HTTP, as it exists today, to enable
>>>> such "bidirectional HTTP".  The two existing mechanisms, called "HTTP
>>>> long polling" and "HTTP streaming" are described.
>>>>
>>>> The document is very clear and articulate and I have not found any
>>>> security issues that were not covered appropriately in the Security
>>>> Considerations sections.
>>>>
>>>> I have two concerns regarding the use of "should", "must" etc.:
>>>>
>>>> 1. I have found at least one occurrence where a recommendation is
>>>> made using lower cases "recommended" and "should". Should upper cases
>>>> be used instead?
>>>
>>> Currently this document does not reference RFC 2119 or use capitalized
>>> keywords. Instead of adding such a reference, I suggest changing that
>>> text to:
>>>
>>>    Several experiments have shown success with timeouts as high as 120
>>>    seconds, but generally 30 seconds is a safer value.  Therefore
>>>    vendors of network equipment wishing to be compatible with the HTTP
>>>    long polling mechanism are advised to implement a timeout
>>>    substantially greater than 30 seconds (where "substantially" means
>>>    several times more than the medium network transit time).
>>>
>>>> 2. Similarly, parts of the text describes node behavior using lower
>>>> cases "should" and "must". This makes it hard for the reader to
>>>> differentiate between behavior specified in another standard document
>>>> from behavior that can be reasonably expected from a deployed
>>>> implementation. I would suggest that upper case requirements key
>>>> words ("SHOULD", "MUST") be used if the behavior thereby enounced is
>>>> specified within another RFC documents, and that document be cited
>>>> next to the statement.
>>>
>>> The sentences you mention indeed simply cite other RFCs. Because the
>>> actual normative text is contained in the referenced RFCs, I suggest
>>> that we remove the lowercase "should" and "must" words from this I-D.
>>>
>>>> Nits:
>>>>
>>>> s/DOS attacks\.[RFC4732]/Denial-of-Service (DoS) attacks [RFC4732]/
>>>
>>> Fixed.
>>>
>>> Peter
> 


-- 
Peter Saint-Andre
https://stpeter.im/