[secdir] secdir review of draft-bryan-metalinkhttp-19.txt
Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de> Fri, 28 January 2011 20:38 UTC
Date: Fri, 28 Jan 2011 21:41:46 +0100
From: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
To: iesg@ietf.org, secdir@ietf.org, draft-bryan-metalinkhttp.all@tools.ietf.org

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

Metalink provides meta information about resources such as locations where copies can be found or checksums. This specification defines how Metalink data can be transported as HTTP header lines.

The document is generally easy to follow. The security considerations seem to be short but appropriate. That said, it seems the text in section 3 is not final in the sense that there might still be an open issue, although there is also text that says that it is up to the server to decide how many Link headers to send. The fix might be as simple as removing the following text:

  [[Some organizations have many mirrors. Only send a few mirrors, or only use the Link header fields if Want-Digest is used?]]

But then Appendix C lists this again as an open issue, together with a question whether partial hashes should be carried in HTTP as well. Perhaps the answer is "no" and this is just an old open issue item - I can't judge.

Editorial nits:

- p1: s/althought/although/
- p7: s/fieldss/fields/
- p10: s/fieldss/fields/
- p11: s/fieldss/fields/
- p11: s/fieldss/fields/
- p11: s/syncronisation/synchronisation
- p12: s/cyptographic/cryptographic
- p13: s/fieldss/fields/
- p15: s/reponse/response/

/js

--
Juergen Schoenwaelder
Jacobs University Bremen gGmbH
Phone: +49 421 200 3587
Campus Ring 1, 28759 Bremen, Germany
Fax: +49 421 200 3103
<http://www.jacobs-university.de/>