Re: [secdir] secdir review of draft-ietf-httpbis-p4-conditional-19

Klaas Wierenga <> Fri, 06 July 2012 09:11 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id A5FC221F86E0; Fri, 6 Jul 2012 02:11:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Ms7Hafx1Z66W; Fri, 6 Jul 2012 02:11:14 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id A797021F873E; Fri, 6 Jul 2012 02:11:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;;; l=2804; q=dns/txt; s=iport; t=1341565890; x=1342775490; h=subject:mime-version:from:in-reply-to:date:cc: content-transfer-encoding:message-id:references:to; bh=JKbk8Z+a45xxb16RtAUfkD0h9Ka/yQyNhVbTXz66Ahk=; b=By11fgf6YmE+vhlLPP1TuMJyUeYH5M0rzFJOGFpOSuEnA3gvBK2B1eQt W1d+UE5H+F6fQgzyMTJBx8QYbEKNErsqT2Me1C4Nf7QeB7zErhB5Mv0bW txJN9I6dH5GeAvVaR46pSwHL9gKR8nGNJ3ejYnaLIMkd0J7ufSALaWiKN o=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AttWAIar9k+tJV2d/2dsb2JhbABFpT+ReYEHghgBAQEDARIBZgULCw4KLlcGNYdkBQuaFKAfhhmEV0kkhSJgA5FXg2CBEo0LgWaCYQ
X-IronPort-AV: E=Sophos;i="4.77,536,1336348800"; d="scan'208";a="99309320"
Received: from ([]) by with ESMTP; 06 Jul 2012 09:11:15 +0000
Received: from ( []) by (8.14.5/8.14.5) with ESMTP id q669BDQB002338; Fri, 6 Jul 2012 09:11:14 GMT
Mime-Version: 1.0 (Apple Message framework v1278)
Content-Type: text/plain; charset=iso-8859-1
From: Klaas Wierenga <>
In-Reply-To: <>
Date: Fri, 6 Jul 2012 11:11:13 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <> <>
To: Mark Nottingham <>
X-Mailer: Apple Mail (2.1278)
Cc:, The IESG <>,
Subject: Re: [secdir] secdir review of draft-ietf-httpbis-p4-conditional-19
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 06 Jul 2012 09:11:15 -0000

On Jul 6, 2012, at 7:56 AM, Mark Nottingham wrote:

Hi Mark,

> Thanks for your review and kind words, and apologies for the delay.

no worries, it is not as if I was blocked on waiting for your reply ;-)

Apologies for the fast response, I am in a boring VC ;-)

> I've opened a new ticket for the security-related issues:
> ... and another for the editorial matters:
> There are a few remaining below which I'll answer directly.
> On 23/04/2012, at 11:51 PM, Klaas Wierenga wrote:
>> - - 2.2.2 p7, comparision
>> Is it really neccessary to have the elaborate determination whether
>> the vlaidator is weak or strong, with arbitrary time intervals etc.?
>> It seems very error prone and confusing for implementers. Why not just
>> say that Last-Modified is weak, and if you want strong use ETags.
> If we were defining the protocol from scratch, I'd agree, but we need to stay consistent with how HTTP is already implemented, used and defined, and that can sometimes be messy / complex.


>> - - 2.3 ETag, p9, Note
>> "ought to" is not very normative. Why not make it MUST or SHOULD?
> We've used that terminology when we want to give implementation advice, but cannot impose a new RFC2119-level requirement, because it would make existing implementations non-conformant (as per our charter).

So would that not be a good case for SHOULD with perhaps some explanation along the above lines why it isn't a MUST?

>> 3.4 p17, If-Unmodified-Since
>> Why not defining the the result of a request having both an
>> If-Unmodified-Since and a If-None-Match or If-Modified-Since?
> This is already being discussed in:


>> 4.1 p17, Not modified, second paragraph
>> A 304 response..... isn't this a fine case of a SHOULD rather than a
>> MUST? Or perhaps "A 304 response MUST include a Date header field,
>> unless the origin server.... , in that case a Date header field MUST
>> NOT be provided", and what actually does "reasonable approximation" mean?
> I'm not sure what you're concerned about here; it's a MUST requirement because it's important for interop.

it is really just for clarity, I had a bit of trouble parsing, rereading I think my remark about SHOULD probably doesn't make sense. Still, I read it like "you MUST do A unless condition B applies in which you MUST NOT do A", I just suggested rephrasing, perhaps to:

"If condition B applies you MUST do A, if condition B does NOT apply you MUST NOT do A" 

Hope this helps,