Re: [secdir] Secdir last call review of draft-wilde-service-link-rel-06

Erik Wilde <> Tue, 20 November 2018 21:06 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 760B8130DCC; Tue, 20 Nov 2018 13:06:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.7
X-Spam-Status: No, score=-1.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: (amavisd-new); dkim=neutral reason="invalid (public key: not available)"
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id wDcIVgGoj7Cs; Tue, 20 Nov 2018 13:06:13 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 0F424124D68; Tue, 20 Nov 2018 13:06:10 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;; s=default; h=Content-Transfer-Encoding:Content-Type:In-Reply-To:MIME-Version :Date:Message-ID:From:References:Cc:To:Subject:Sender:Reply-To:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=qLbDBGoBQv7BtdRQIVVWK5YRVSL9k90aaeCCqIxgt1U=; b=LDtgfCjqmO3f+peTPtXu/w2vK4 8srkI0FKl89rCUuB0CQ/ONJ0WrHofxgxTLT21gn4JOftTspJfkGf5lZbGNOKw3O2szIUXW+/PzKQF WE5wtjF85TO3ccgt/gqAa2PWhjRVnFfVATDyQRFRVLU/GMbaGT+WZpwxQSZVDOop0zJocIORfPR2b 387WDyJESm3rcx71fMoUUWU9opEAWqjfB3xBiyviPD74KW6Cl5tWAxvpMj7kfueCSpzfWyG/BALiz Dvs3SU9OUjizZ2B5xB+HDWRgAJU7YnCCk9UvjNCWQDN2m4xMv4TiEL1aJ6/4T5gJjpJos1FwvhX6V W8uZuEeQ==;
Received: from [] (port=53747 helo=dretbook.local) by with esmtpsa (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.91) (envelope-from <>) id 1gPDDj-00078d-0s; Tue, 20 Nov 2018 16:06:07 -0500
To: Stefan Santesson <>,
References: <>
From: Erik Wilde <>
Message-ID: <>
Date: Tue, 20 Nov 2018 22:06:05 +0100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:60.0) Gecko/20100101 Thunderbird/60.3.1
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname -
X-AntiAbuse: Original Domain -
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain -
X-Get-Message-Sender-Via: authenticated_id:
Archived-At: <>
Subject: Re: [secdir] Secdir last call review of draft-wilde-service-link-rel-06
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 20 Nov 2018 21:06:15 -0000


thanks, stefan, for the review!

On 2018-11-20 11:42, Stefan Santesson wrote:
> Even though this document is quite repetitive when describing its fundamental
> concepts, I still had a problem figuring out whether the link relations defined
> are applicable to any web resource, or just to "web services" in the context of
> "service provided to another service".

in theory they apply to any web resource, but in practice descriptions 
and documentation in most cases will only be published for sets of 
resources, which this draft calls "web services". i myself am not a huge 
fan of this terminology, but it seems to be what most people are using.

> I have no issues with the fundamental concept, but the document lacks security
> considerations. The content of the section is "..." indicating that something
> eventually is intended to go here, but has not yet been written. If there are
> absolutely no security considerations, then the section should say so.
> I do however think that there are some useful security considerations to
> document. At least it may be useful to have a small discussion to consider what
> information about a service that is helpful to a user, and which could be used
> by an attacker, and find a good balance.

thanks for this suggestion. i have added this at, 
which adds security considerations.

> As a nit I would suggest shortening some of the fundamental description in the
> early introduction that is being repeated in the document. The document is
> rather short and therefore does not benefit from saying the same things many
> times.

i agree that there are repetitions. they are intentional, as the goal 
has been to make the individual sections as self-contained as possible, 
so that users looking for the definitions of the individual link 
relations can look them up and just read the individual definitions.

i think with these changes in the draft i have addressed the comments in 
this review. i have posted a new version of the draft that includes the 
changes mentioned here.

thanks again and kind regards,


erik wilde | |
            |    |
            |    |