IETF Logo Mail Archive

Re: [secdir] Secdir review of: draft-wilde-json-seq-suffix

Erik Wilde <erik.wilde@dret.net> Mon, 28 November 2016 18:00 UTC

Return-Path: <erik.wilde@dret.net>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 64616129445; Mon, 28 Nov 2016 10:00:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.791
X-Spam-Level:
X-Spam-Status: No, score=-1.791 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, SPF_PASS=-0.001, T_DKIM_INVALID=0.01] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (public key: not available)" header.d=dret.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id k-gXGELpVF6B; Mon, 28 Nov 2016 10:00:34 -0800 (PST)
Received: from postoffice.gristmillmedia.com (postoffice.gristmillmedia.com [96.30.18.196]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E7B13129F83; Mon, 28 Nov 2016 10:00:33 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=dret.net; s=default; h=Content-Transfer-Encoding:Content-Type:In-Reply-To:MIME-Version :Date:Message-ID:Cc:From:References:To:Subject:Sender:Reply-To:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=ESthidEo0ysnv5jpugyOxfs3zYBnVvmwuQN7RUcOQ/4=; b=A/QBjXGlVKlznkZNrasCb7QEiw FuEvw5AsU+6kgrp35zHsrvUPzThWs10X93RFZplU7GwmLx4Sp9fgBMUKok2hZKqAvJT8mWJFz9WJQ sZd4b9j66kko1Wdmlj3FJeX6pJ27Ji5xRLkP8TrYhzPAhk3GNMKADHeIv7TCm3NPvOdBCy4kVnu/R jZ/kpvkrI3z5ABfUxLXgLgFNTz4hwZQaOnXqURn1d9hhVdQ2c2BRDwzKXHu5sn69ry4VJCf8O5M6L i6PG7YDbfc4RvYXifyxlaCvN4PLDIGQI5B5F7gjsUg90Ez7J0ZHIhgGY307K4fJoOkcIqPwGxUWJg qYteKvEQ==;
Received: from 108-67-65-66.lightspeed.sntcca.sbcglobal.net ([108.67.65.66]:62701 helo=[192.168.1.67]) by postoffice.gristmillmedia.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.87) (envelope-from <erik.wilde@dret.net>) id 1cBQEC-0000uN-3b; Mon, 28 Nov 2016 13:00:32 -0500
To: Alexey Melnikov <alexey.melnikov@isode.com>, Warren Kumari <warren@kumari.net>, The IESG <iesg@ietf.org>, IETF Security Directorate <secdir@ietf.org>, draft-wilde-json-seq-suffix.all@ietf.org
References: <CAHw9_iLXOq-hD7qrQAJDBYoi4bKs9msjOivzuc5z9fs6yniYQQ@mail.gmail.com> <a9a1fa95-582d-a6ae-7da8-cbe2df596181@isode.com>
From: Erik Wilde <erik.wilde@dret.net>
Message-ID: <91f59711-84e0-853c-8dd0-8157c7807a93@dret.net>
Date: Mon, 28 Nov 2016 10:00:26 -0800
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:45.0) Gecko/20100101 Thunderbird/45.5.0
MIME-Version: 1.0
In-Reply-To: <a9a1fa95-582d-a6ae-7da8-cbe2df596181@isode.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - postoffice.gristmillmedia.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - dret.net
X-Get-Message-Sender-Via: postoffice.gristmillmedia.com: authenticated_id: birdhouse@dret.net
X-Authenticated-Sender: postoffice.gristmillmedia.com: birdhouse@dret.net
X-Source:
X-Source-Args:
X-Source-Dir:
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/cSHDm3ypskDXDJpjY1NqcVcbSLQ>
Cc: Martin Thomson <martin.thomson@gmail.com>, Sean Gillies <sean.gillies@gmail.com>
Subject: Re: [secdir] Secdir review of: draft-wilde-json-seq-suffix
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Nov 2016 18:00:35 -0000

hello.

thanks a lot for the review!

On 2016-11-28 05:34, Alexey Melnikov wrote:
> On 28/11/2016 13:16, Warren Kumari wrote:
>> I don't see any *security* issues, but the document is very unclear.
>> It *looks* like it just tries to add "+json-seq" to the IANA
>> Structured Syntax Suffix Registry, but I don't see why it is Standards
>> Track, or why it need to be an RFC at all;  the registry is Expert
>> Review, and RFC 6838 Section 6 seems clear.
> While this indeed can be just sent in an email, IMHO, it is better to
> register Media Type suffixes in RFCs. All existing Media Type suffixes
> were registered in RFCs.
> It probably doesn't need to be Standards Track.
> I would be happy to follow IESG's advice on how to handle this document.

https://github.com/dret/I-D/commit/8694a1efce71dcb96410be3bd6be8d0373383703 
switches the draft to experimental. to be honest, i do get conflicting 
info on this, and depending on the people dealing with a draft, some 
seem to prefer one status over the other. i have no strong opinion about 
this and thus i am happy to switch to the status people think is most 
appropriate.

> This suffix was incorrectly being used in a media type registration, so
> this document is now trying to register the suffix to fix the brokenness.

that is the only reason this draft exists: register the suffix in a way 
that it is properly defined and registered and that the registration can 
be referenced. so yes, this is a simple draft, and intentionally so.

>> Other issues:
>> It does not contain a Security Considerations section, and there are a
>> number of broken references (e.g: it says: "Online access to all
>> versions and files is available on github [2]." - but [2] is a link
>> to: http://www.rfc-editor.org/info/rfc6838)
> Yes, this needs to be fixed.

that's the good old xml2rfc bug that still is around. sorry for this, 
https://github.com/dret/I-D/commit/ee5838e5ddf53cf7084022abb7a275ac4a30a028 
is the best workaround there is for this bug, afaict.

https://github.com/dret/I-D/commit/1efd188ff60f2dbe7f414082d730091e803faa77 
fixes another broken reference.

>> It is a -00, submitted Sept 23rd 2016, and the document on which it
>> was based (draft-json-seq-suffix-00) was also a -00, submitted Sept
>> 19th 2016. The only changes between the 2 are the metadata (name,
>> date). There has been basically no discussion (at least, that I can
>> find), closest
>> is: https://mailarchive.ietf.org/arch/search/?email_list=art&index=AxC0J7zxKU_wH1jOrkZ0ZZUUcs4 ?
> The document is rather trivial (and yes, it does contain annoying
> omissions). Chairs of GeoJSON WG reached out to me for AD sponsoring of
> this document, because one of their documents used the prefix incorrectly.

all correct, and apologies for missing these things so far.

- the two versions exist because i accidentally named the initial 
submission incorrectly. the current version simply was a re-submission 
with the fixed submission name.

- i will submit a -01 version with the changes discussed in this message 
today.

- apart from the missing security considerations section (added via 
https://github.com/dret/I-D/commit/f57746b52ffc9d9b89b3af392be41c80ba530743), 
is there anything else that seems to be missing?

>> I *think* that it is simply trying to add "+json-seq" to the IANA
>> Structured Syntax Suffix Registry
>> (http://www.iana.org/assignments/media-type-structured-suffix/media-type-structured-suffix.xhtml)
> Yes.
>> -- unfortunately it does this very poorly.

that indeed is the only intent of this document.

>> It starts off by saying (note tense): "IANA has added the following
>> "+json-seq" structured syntax suffix to its registry of structured
>> syntax suffixes established by [2]".

that's how it's supposed to read once approved (at which point the 
addition will have been done), and that's how i have written this in 
previous documents.

>> [2] references to RFC 6838 - "Media Type Registration", which creates
>> a number of registries - while looking I found
>> "http://www.iana.org/assignments/media-types/media-types.xhtml", which
>> does indeed have "json-seq". Because of the "IANA has added" I assumed
>> that this was what was being referenced.

RFC 6838 established more than one registry. one is that of media types. 
another one is that of structured syntax suffixes. it is that latter one 
that is targeted by this document:

http://www.iana.org/assignments/media-type-structured-suffix/media-type-structured-suffix.xhtml#structured-syntax-suffix

this one does not have the "+json-seq" structured syntax suffix in there 
and the goal of the document is to add it. this registry is specifically 
called out in the IANA considerations section.

>> The IANA considerations section needs work...

in which particular way? the section says that it updates the structured 
syntax suffixes registry and contains all the necessary fields to do 
that. what are you missing?

>> Nits:
>> Section 1:
>> how a media type can signal that it is based on another media type as
>> [O] way of how a media type can signal [P] way for a media type to
>> signal [R] readability; original was a bit awkward

thanks! 
https://github.com/dret/I-D/commit/672780ac2aafd2732e696ae85dec72e9c315ddc7

>> Section 3:
>> Applications encountering such a media type then can either simply
>> [O] then can either
>> [P] can then either
>> [R] readability

thanks! 
https://github.com/dret/I-D/commit/f4d915490f1b05551b9b424f3b9e69b617de3645

https://tools.ietf.org/html/draft-wilde-json-seq-suffix-01 is the 
updated version of the draft. once again, thanks a lot for the review 
and feedback, this is greatly appreciated!

cheers,

dret.

-- 
erik wilde | mailto:erik.wilde@dret.net |
            | http://dret.net/netdret    |
            | http://twitter.com/dret    |

v2.23.0 | Report a Bug | By Email