Re: [secdir] Secdir last call review of draft-nottingham-rfc5785bis-08

Mark Nottingham <> Mon, 04 February 2019 23:31 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id CF53A129A87; Mon, 4 Feb 2019 15:31:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key) header.b=ZuOSktIy; dkim=pass (2048-bit key) header.b=i43yfQ/O
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id wwxWFoHXRlNv; Mon, 4 Feb 2019 15:30:58 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 7353A1294FA; Mon, 4 Feb 2019 15:30:55 -0800 (PST)
Received: from compute3.internal (compute3.nyi.internal []) by mailout.nyi.internal (Postfix) with ESMTP id 7707F21F85; Mon, 4 Feb 2019 18:30:54 -0500 (EST)
Received: from mailfrontend2 ([]) by compute3.internal (MEProxy); Mon, 04 Feb 2019 18:30:54 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; h= content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; s=fm1; bh=c bgrPwFVadIjhe8NKE8Mn7wWY+AaF8p+g6Jy6EIxwb4=; b=ZuOSktIy1NGeARg+8 fspt5+pGUkj8LCgnVGIfQswPfwRjXgSJAg0/LOgkdnlmO3uH2T5fyaWWgfuhcUh4 /nzJcmlDX02pRy3PkKv0XS7aedt7LaFC9CTUdhCkthxXjZHwCLdFARZek0MIDSVJ dgiyJCfEMfw5EsmCYwwgr5CJ1DqFa0FhYe+xWZmEJ1pZR0BH5bGFHPTeqakBC6XU BtfCp4tkMTr3HFhSr+C9r+gEjxoXnfA/KZi4qLKGzUNFEChtHJ8OYAnvn6LP0wJK 2/xWAfsY1ddkEsHJNSQQbQcNgcgkvLk/W3LcT5YqxdmF/2g7gAZxmBwAqEYCnpWn shVGQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm1; bh=cbgrPwFVadIjhe8NKE8Mn7wWY+AaF8p+g6Jy6EIxw b4=; b=i43yfQ/OtMB6rtHUT1OSmC2AoyRu4oMthdCOJCvzhgcku0f2GLZzlVq+g 8jGI6vfqWMxbrtyUvIeN53RKPsFdji/X5up7n1Ki3KOflScoXvdAyPd3Pf0NfMdi dfcUcSVXcFGh6tMmWixdKxk8nwwEF4qWWsqbq0BjiNOMUb7e44rM+jGSdNXT+0Ie 1uFaibAeRyV7oMAC2Frw8LFMdYasIDBwbO8nmFkGbssQ08MG4zrYSl1rNKnG4w3E +/id/8I3j/nOX6DgCAtsE7xX8igqk4mzYihIxAw6I3dvk82Zsh5tglCDAIA1M8CG u8AuunUZs1wCLjRYf6vzP5UTvU8gA==
X-ME-Sender: <xms:LctYXGRfdytPkOTNwibTrP88g6Y2OxP_m_ggpeX93ZIVdREWrsrH5w>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedtledrkeehgdduudcutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfhuthenuceurghilhhouhhtmecufedt tdenucenucfjughrpegtggfuhfgjfffgkfhfvffosehtqhhmtdhhtddvnecuhfhrohhmpe forghrkhcupfhothhtihhnghhhrghmuceomhhnohhtsehmnhhothdrnhgvtheqnecuffho mhgrihhnpehivghtfhdrohhrghdpmhhnohhtrdhnvghtpdhirghnrgdrohhrghenucfkph epudeggedrudefiedrudejhedrvdeknecurfgrrhgrmhepmhgrihhlfhhrohhmpehmnhho thesmhhnohhtrdhnvghtnecuvehluhhsthgvrhfuihiivgeptd
X-ME-Proxy: <xmx:LctYXOEZsQYsiQMf5QLjqTEDCXpXa_Ms-TZNlyT1jWbIteslODrm8g> <xmx:LctYXCiI5wwIe-kCj2Uqoj92IDvdbKGhj40bO33TDlWBXKTOnpCYPQ> <xmx:LctYXO_-9TDVaCilEHeYVNNGUDvPbDZIp1nMf8zGNh5l1MJAV91zbg> <xmx:LstYXEjyC2J78_BM0f_hXc0FtOJ2hlofm7JUVdsQzpmQS85BdYER3g>
Received: from (unknown []) by (Postfix) with ESMTPA id EDA7910310; Mon, 4 Feb 2019 18:30:50 -0500 (EST)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
From: Mark Nottingham <>
In-Reply-To: <>
Date: Tue, 05 Feb 2019 10:30:46 +1100
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <>
To: Kathleen Moriarty <>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <>
Subject: Re: [secdir] Secdir last call review of draft-nottingham-rfc5785bis-08
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 04 Feb 2019 23:31:02 -0000

Hi Kathleen,

Thanks for the thorough review. Responses below.

> On 31 Jan 2019, at 3:28 am, Kathleen Moriarty <> wrote:
> Reviewer: Kathleen Moriarty
> Review result: Has Nits
> Thank you, Mark and others for your work on this document to update the
> specification.  My comments are mainly requests for clarity in the document and
> text suggestions are provided to hopefully make this as easy as possible.
> 1. Section 3: Nit:
> In my opinion, the flow would be improved if the third paragraph came before
> the current second paragraph.
> 2. Could you provide a transitional sentence between the current second
> paragraph and the instructions that follow since the current second paragraph
> points to following section 5.1 for instructions, but paragraph 4+ include
> instructions or guidance followed by additional helpful information.  I think a
> slight adjustment as follows to accomplish this would be quite helpful to the
> reader:
>   Applications that wish to mint new well-known URIs MUST register
>   them, following the procedures in Section 5.1 and the following requirements.

All of the above incorporated, the latter with a minor adjustment. Thanks.

> 3. Section 3.1 says:
> The "Well-Known URIs" registry is located at
>   "".  Registration
>   requests can be made by following the instructions located there or
>   by sending an email to the "" mailing
>   list.
> I'm not clear on the instructions as I follow the link to the registry and
> there's a pointer to the RFC that this document will obsolete.  I'm assuming
> that the reference will be replaced with this document.  Is that the case or
> are there additional instructions than what will be included directly in the
> registry?  If they are repeated (I don't see an IANA request for that action),
> that is fine, but I think it's a little confusing to send someone to that link
> if they are already reading this document.  This document is also going through
> a review process to update that registry, so if instructions were maintained at
> the registry URL, what would be the review process to alter the instructions? 
> I'm assuming that this sentence just should be removed, but if not, I'd like to
> understand the update process for that registry (instructions for registering
> values not adding them).  If the sentence should be changed, I suggest
> something like:
>   The "Well-Known URIs" registry is located at
>   "".  Registration
>   requests can be made by following the instructions in this document and
>   sending the email to the "" mailing
>   list.

After extensive consultation with IANA regarding RFC8288's revision of registration policy, the outcome was that this level of detail / instruction is unnecessary; the text at the top of a registry page can be tweaked by the Experts by asking IANA, and if they have concerns they can take it up with the IESG as necessary.

Personally I was a bit surprised by this, but also relieved; getting this sort of thing *exactly* right in an RFC is difficult, and we need the flexibility to change things (e.g., we're currently using a Github issue queue to collect registration requests there, but that might change in the future).

> 4. Question on Change controller: Is it possible to successfully make a request
> through an experimental track RFC or standards track only?  If experimental is
> allowed, can it only be provisional?

The registry is Specification Required, so an experimental RFC can indeed make a registry. It can be 'standard' if it meets this bar: "Other values can also be registered as permanent, if the Experts find that they are in use, in consultation with the community."

> 5. Section 3 has the following sentence:
>   General requirements for registered relation types are described in
>   Section 3.
> Did the document in a previous revision contain something in section 3 about
> registered relation types or am I missing something when reading section 3
> (which is entirely possible)?  If it were there (or maybe was in a previous
> revision), I'd expect to see it in the following paragraph, but could see the
> above text being dropped as an answer to this question as well (unless I am
> missing something):
>   It MAY also contain additional information, such as the syntax of
>   additional path components, query strings and/or fragment identifiers
>   to be appended to the well-known URI, or protocol-specific details
>   (e.g., HTTP [RFC7231] method handling).

Section 3 puts requirements on choosing a registered name, both syntactically and with a more general SHOULD about how to choose a good name.

> 6. Section 3.1:  Is the following referring to IETF standards-track documents
> or could other standards from other SDOs (or some other constraint) be included?
>   Standards-defined values have a status of "permanent".  Other values
>   can also be registered as permanent, if the Experts find that they
>   are in use, in consultation with the community.  Other values should
>   be registered as "provisional".

The intent was values defined by Open Standards, in the sense of RFC2026, 7.1.1. I'll clarify this, thanks.

> I'm guessing a standards track RFC is not necessary for standards track because
> of the next paragraph in this section, but maybe some added text would help to
> clarify the above paragraph?
>   Provisional entries can be removed by the Experts if - in
>   consultation with the community - the Experts find that they are not
>   in use.  The Experts can change a provisional entry's status to
>   permanent at any time.

Except for the issue above, I don't see how this is unclear; if a value is defined by a standard, it is automatically permanent, but other values can be as well, as per the text. Can you suggest text?

> 7. Section 5.1 second paragraph has the following text:
>   Well-known URIs are registered on the advice of one or more experts
>   (appointed by the IESG or their delegate), with a Specification
>   Required (using terminology from [RFC8126]).
> This should read as follows according to RFC8126 section 5.2.1:
>   Well-known URIs are registered on the advice of one or more experts
>   (appointed by the IESG), with a Specification
>   Required (using terminology from [RFC8126]).
> There's no provision for the IESG to delegate assignment of an expert.  IESG
> member often consult working group chairs and experts, but the assignment is
> currently performed by the IESG unless RFC8126 gets updated.

My understanding is that this level of detail is unnecessary in the registering document, as the IESG has the power to delegate naturally. If this needs to be specified explicitly, that should be done in a revision of RFC8126 section 5.2.1, not here.

> 9. Section 5.1:
> There may be additional information I am not aware of, hence the following
> clarifying questions. Is there a hold on the registry from now until this
> document is published?  Could an expert receive a request prior to publication
> where they feel the right status is "provisional" and is timely (cannot wait
> until after actions for this document are complete)?  I'm asking because of the
> following text and the answer may be yes, there is a hold, but I am not seeing
> where one is listed.  Since the expert can update the registry at any time, is
> the second bullet necessary (could it cause problems)?
>   Upon publication, IANA should:
>   o  Replace all references to RFC 5988 in that registry have been
>      replaced with references to this document.
>   o  Update the status of all existing registrations to "permanent".

We've been processing registration requests as normal throughout the development period of this draft. When a registration request appears to violate the intent of 5785 but is OK by 5785bis (which we believe represents emerging consensus), I (wearing the Expert hat) have escalated them to the ADs to confirm an exception.

Part of the urgency in getting this document published is that I'm uncomfortable with that, and of course it's onerous for all concerned.

The second bullet shouldn't interfere with that.

Cheers and thanks again,

Mark Nottingham