Re: [secdir] SECDIR review of draft-ietf-httpbis-alt-svc-12

Barry Leiba <barryleiba@computer.org> Sun, 21 February 2016 21:42 UTC

From: Barry Leiba <barryleiba@computer.org>
To: Chris Lonvick <lonvick.ietf@gmail.com>
Cc: draft-ietf-httpbis-alt-svc.all@tools.ietf.org, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Date: Sun, 21 Feb 2016 13:42:48 -0800
Subject: Re: [secdir] SECDIR review of draft-ietf-httpbis-alt-svc-12
Message-ID: <CALaySJKQi7q5=VvqJXn6YS3JyCjODCme+fgGOX5EfDw2yHhpJw@mail.gmail.com>
In-Reply-To: <56CA24AD.8010102@gmail.com>
References: <56CA1A79.4040107@gmail.com> <56CA24AD.8010102@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/EDZnx4FfEhQ96nHH66Eh6NNmauE>

Thanks for the review, Chris.  A point on the Latin abbreviations:

> Each use of 'e.g.' should be followed by a comma. There seem to be some that
> aren't.
...
> There are a lot of parentheticals throughout. Putting an 'e.g.' or 'i.e.' in
> a sentence does not require that it be within parentheses. Stick a comma in
> front of it and move on. ;-) Y'all almost did that within the last paragraph
> of Section 9.5 but didn't get it altogether right.

As it happens, I have a strong preference for avoiding "i.e." and
"e.g.", for a number of reasons.  One is that they're often not used
quite right, as you note in these two comments.  Another is that one
is often used when the other should be (that's not the case in this
document).  But the main one is that they're almost always
unnecessary, and removing them and/or rewording makes better sentences
-- "i.e." can almost always just be removed, and "e.g." can usually be
replaced with a more natural "such as", "as with", or something of
that sort.  An example of common misuse: "...as with fruit, e.g.,
apples, bananas, etc."  Euw!

>    When the protocol does not explicitly carry the scheme (e.g., as is
>    usually the case for HTTP/1.1 over TLS, servers can mitigate this
>    risk by either assuming that all requests have an insecure context,
>    or by refraining from advertising alternative services for insecure
>    schemes (such as HTTP).
>
> The first parenthetical is opened with a left parenthesis but closed with a
> comma. I'd suggest using commas to open and close that. The second should
> just be separated by a preceding comma.
>
> Best regards,
> Chris

Actually, this is a really good example where "e.g." isn't needed at
all (the "as is...the case" takes care of that), and where the
sentence works better this way (also correcting the non-parallel use
of "either", while we're here):

NEW
   When the protocol does not explicitly carry the scheme, as is
   usually the case for HTTP/1.1 over TLS, servers can mitigate this
   risk either by assuming that all requests have an insecure context,
   or by refraining from advertising alternative services for insecure
   schemes such as HTTP.
END

I urge the authors to make a quick run-through along with handling
other comments, and to get rid of as many of the "i.e."s and "e.g."s
as they reasonably can.

Barry
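The mitigation in the reworded paragraph above, shown as a server-side check. This is an added example, not code from draft-ietf-httpbis-alt-svc or from anyone in this thread; the names Request, naive_alt_svc and guarded_alt_svc, the alternative "alt.example.com:443" and the ma value are assumptions made for the illustration. The naive function guesses the scheme from whether the connection used TLS, which is exactly the inference the paragraph warns about; the guarded function treats a request whose scheme the protocol did not explicitly carry as having an insecure context and advertises nothing for it.

```python
"""Server-side guard for advertising Alt-Svc (added example, hypothetical names)."""
from dataclasses import dataclass
from typing import Optional

# Schemes for which alternative services are never advertised.
INSECURE_SCHEMES = frozenset({"http"})


@dataclass(frozen=True)
class Request:
    # Scheme as explicitly carried by the protocol (for example the :scheme
    # pseudo-header in HTTP/2). None models HTTP/1.1, where the request line
    # usually carries only the path and the scheme is not stated.
    explicit_scheme: Optional[str]
    # Whether the connection the request arrived on was TLS-protected.
    over_tls: bool


def format_alt_svc(protocol_id: str, alt_authority: str, max_age: int) -> str:
    """Build one Alt-Svc alternative: protocol-id "=" quoted alt-authority; ma=seconds."""
    return f'{protocol_id}="{alt_authority}"; ma={max_age}'


def naive_alt_svc(req: Request, alt_authority: str, max_age: int = 3600) -> Optional[str]:
    """Risky inference: when the scheme is absent, guess it from the transport.

    A TLS connection does not prove the request's scheme is https, so this
    advertises the alternative even when the context may be insecure.
    """
    scheme = req.explicit_scheme or ("https" if req.over_tls else "http")
    if scheme in INSECURE_SCHEMES:
        return None
    return format_alt_svc("h2", alt_authority, max_age)


def guarded_alt_svc(req: Request, alt_authority: str, max_age: int = 3600) -> Optional[str]:
    """Mitigated form: an absent scheme is treated as an insecure context.

    Only a scheme the protocol explicitly carried, and which is not an
    insecure scheme, results in an Alt-Svc header field being emitted.
    """
    scheme = req.explicit_scheme  # deliberately no fallback to over_tls
    if scheme is None or scheme in INSECURE_SCHEMES:
        return None
    return format_alt_svc("h2", alt_authority, max_age)


if __name__ == "__main__":
    # Constructed sample requests: HTTP/2 over TLS with :scheme, and HTTP/1.1
    # over TLS where the request line carries no scheme.
    for req in (Request("https", True), Request(None, True), Request("http", False)):
        print(req, "naive:", naive_alt_svc(req, "alt.example.com:443"),
              "guarded:", guarded_alt_svc(req, "alt.example.com:443"))
```

The second sample request is the case the paragraph describes: the guarded check emits no header for it, while the naive check would advertise the alternative on the strength of the TLS connection alone.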