[secdir] secdir review of draft-bryan-metalinkhttp-19.txt

Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de> Fri, 28 January 2011 20:38 UTC

Return-Path: <j.schoenwaelder@jacobs-university.de>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id AE4C83A6876; Fri, 28 Jan 2011 12:38:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.118
X-Spam-Level:
X-Spam-Status: No, score=-103.118 tagged_above=-999 required=5 tests=[AWL=0.131, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5UKZicY6qm+g; Fri, 28 Jan 2011 12:38:51 -0800 (PST)
Received: from hermes.jacobs-university.de (hermes.jacobs-university.de [212.201.44.23]) by core3.amsl.com (Postfix) with ESMTP id 83E4C3A680E; Fri, 28 Jan 2011 12:38:51 -0800 (PST)
Received: from localhost (demetrius2.jacobs-university.de [212.201.44.47]) by hermes.jacobs-university.de (Postfix) with ESMTP id EDCD2C0045; Fri, 28 Jan 2011 21:41:57 +0100 (CET)
X-Virus-Scanned: amavisd-new at jacobs-university.de
Received: from hermes.jacobs-university.de ([212.201.44.23]) by localhost (demetrius2.jacobs-university.de [212.201.44.32]) (amavisd-new, port 10024) with ESMTP id wpFONHENNrMG; Fri, 28 Jan 2011 21:41:57 +0100 (CET)
Received: from elstar.local (elstar.iuhb02.iu-bremen.de [10.50.231.133]) by hermes.jacobs-university.de (Postfix) with ESMTP id 9306CC0054; Fri, 28 Jan 2011 21:41:46 +0100 (CET)
Received: by elstar.local (Postfix, from userid 501) id 248BC1633032; Fri, 28 Jan 2011 21:41:46 +0100 (CET)
Date: Fri, 28 Jan 2011 21:41:46 +0100
From: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
To: iesg@ietf.org, secdir@ietf.org, draft-bryan-metalinkhttp.all@tools.ietf.org
Message-ID: <20110128204146.GA24446@elstar.local>
Mail-Followup-To: iesg@ietf.org, secdir@ietf.org, draft-bryan-metalinkhttp.all@tools.ietf.org
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.21 (2010-09-15)
Subject: [secdir] secdir review of draft-bryan-metalinkhttp-19.txt
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Jan 2011 20:38:52 -0000

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

Metalink provides meta information about resources such as locations
where copies can be found or checksums. This specification defines how
Metalink data can be transported as HTTP header lines. The document is
generally easy to follow. The security considerations seem to be short
but appropriate.

That said, it seems the text in section 3 is not final in the sense
that there might still be an open issue, although there is also text
that says that it is up to the server to decide how many Link headers
to send. The fix might be as simple as removing the following text:

   [[Some organizations have many mirrors.  Only send a few mirrors, or
   only use the Link header fields if Want-Digest is used?]]

But then Appendix C lists this again as an open issue, together with a
question whether partial hashes should be carried in HTTP as
well. Perhaps the answer is "no" and this is just an old open issue
item - I can't judge.

Editorial nits:

- p1: s/althought/although/

- p7: s/fieldss/fields/

- p10: s/fieldss/fields/

- p11: s/fieldss/fields/

- p11: s/fieldss/fields/

- p11: s/syncronisation/synchronisation

- p12: s/cyptographic/cryptographic

- p13: s/fieldss/fields/

- p15: s/reponse/response/

/js

-- 
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1, 28759 Bremen, Germany
Fax:   +49 421 200 3103         <http://www.jacobs-university.de/>