IETF Logo Mail Archive

Re: [XCON] AD review: draft-ietf-xcon-ccmp-10

Mary Barnes <mary.ietf.barnes@gmail.com> Tue, 26 October 2010 21:43 UTC

Return-Path: <mary.ietf.barnes@gmail.com>
X-Original-To: xcon@core3.amsl.com
Delivered-To: xcon@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E0B963A680B for <xcon@core3.amsl.com>; Tue, 26 Oct 2010 14:43:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.503
X-Spam-Level:
X-Spam-Status: No, score=-102.503 tagged_above=-999 required=5 tests=[AWL=0.096, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BDc-m-umMn65 for <xcon@core3.amsl.com>; Tue, 26 Oct 2010 14:43:16 -0700 (PDT)
Received: from mail-qy0-f172.google.com (mail-qy0-f172.google.com [209.85.216.172]) by core3.amsl.com (Postfix) with ESMTP id AB8DD3A682C for <xcon@ietf.org>; Tue, 26 Oct 2010 14:43:15 -0700 (PDT)
Received: by qyk1 with SMTP id 1so3053908qyk.10 for <xcon@ietf.org>; Tue, 26 Oct 2010 14:45:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:received:in-reply-to :references:date:message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=rUn8wDiaYblmUkxemTj35l9OcIc2z8WmWivwiuwMx3U=; b=uNKuMPhXj6QLZ5w8VQKMt6HOjm28Q5aGBjsErWKPfW++K8SvcDE6Qgrz0JlOAWpIe8 F6UHSR4hgYXoAOqYecvvJqfL4huXSfJqjI7hdVAyGEDIq19xHsOU0rCa9/O6PpR9GX0E PAkNH7kZZ45OOfiDgvPuzptxDjJA/v5QrFiPs=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; b=lgJvE+jk66ed6Ri0F8aTuI6n/xyv5qvPaF99zhOitx4OZwovuuxpovXldIg0l1KxyE k2NiNtQADVrAnFLA0zuvO4EhfcEknSh5xzRJOIqhvdjk6i0rxmS1d2y1mOc3BU5Sc5N7 wC+5AwBqlV5SpYnpvu2+Np3RlOux9IenAGieE=
MIME-Version: 1.0
Received: by 10.229.237.212 with SMTP id kp20mr3456016qcb.83.1288129503513; Tue, 26 Oct 2010 14:45:03 -0700 (PDT)
Received: by 10.236.110.51 with HTTP; Tue, 26 Oct 2010 14:45:03 -0700 (PDT)
In-Reply-To: <DE53D7D6-7FC6-445F-8500-FDE234681FA3@nostrum.com>
References: <DE53D7D6-7FC6-445F-8500-FDE234681FA3@nostrum.com>
Date: Tue, 26 Oct 2010 16:45:03 -0500
Message-ID: <AANLkTinXKV-eCmpuDWUfm0ZGX6c4+YNxoF95G84gUSzc@mail.gmail.com>
From: Mary Barnes <mary.ietf.barnes@gmail.com>
To: Robert Sparks <rjsparks@nostrum.com>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Cc: xcon@ietf.org
Subject: Re: [XCON] AD review: draft-ietf-xcon-ccmp-10
X-BeenThere: xcon@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Centralized Conferencing <xcon.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/xcon>, <mailto:xcon-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/xcon>
List-Post: <mailto:xcon@ietf.org>
List-Help: <mailto:xcon-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/xcon>, <mailto:xcon-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Oct 2010 21:43:18 -0000

Robert and WG,

We have updated the document to address the issues raised below:
http://tools.ietf.org/html/draft-ietf-xcon-ccmp-11

As well, there are some small updates the XML schema.  The
diff is a useful way to review the changes:
http://tools.ietf.org/wg/xcon/draft-ietf-xcon-ccmp/draft-ietf-xcon-ccmp-11-from-10.diff.html

I have a few responses inline below [MB] on the changes.

Regards,
Mary.

On Tue, Sep 14, 2010 at 10:51 AM, Robert Sparks <rjsparks@nostrum.com> wrote:
> Summary: There are some minor issues to address before moving to IETF LC.
>
> This is a good document - it was very easy to read. Thanks to all who worked
> to get it into the shape it's in.
>
> Administrative:
> * Please send a request to type-review for application/ccmp+xml.
[MB] Alan sent a request. As best as I could tell from the discussion
on the ietf-types mailing list,  the primary issue raised is the same
one that was raised with regards to HELD - making UTF-8 mandatory.  I
added text inline with the final changes that we made to HELD around
this issue in section 4.2, which  the use of HTTP and
application/ccmp+xml:

   The XML documents in the CCMP
   messages MUST be encoded in UTF-8.  This specification follows the
   recommendations and conventions described in [RFC3023], including the
   naming convention of the type ('+xml' suffix) and the usage of the
   'charset' parameter.  The 'charset' parameter MUST be included with
   the XML document.

>
> * I would like the writeup to name who verified the schema and examples
>  (and what tool they used). How did the reviewer ensure the snippets of
>  schema in the sections that describe various elements exactly matches
>  the full schema listed in section 11?
>
> Technical:
>
> * Is there any text that prevents a ccmp request from being empty?
>  (all of the elements in the schema have minOccurs="0"). If not,
>  either some should be added, or the text should say something
>  about how a server should react to a request built this way.
[MB]  [MB] We don't allow an empty request in that you always have a
message type and usually an operation, noting that there there is no
operation for
a blueprintsRequest or confsRequest, as stated in section
5.1 under the operation parameter description. Each message has other
required and optional parameters and if the
request doesn't have the mandatory parameters, a 400 response would be
sent.  A note in that regards to section 5.3.   [/MB]

>
> * The AUTO_GENERATE mechanism's definition is currently hard to find,
>  (it's at the end of 4.1), and easy to miss that it's a normative
>  requirement on server behavior. (I couldn't find the place where
>  the behavior was defined for my first several reads of this document).
>  This behavior should be defined with 2119 terms. What definition
>  exists in this section requires the wildcard to have the form of
>  AUTO_GENERATE_X, but there are several examples and places in the text
>  (here and in the examples document), particularly for xcon-userid:
>  constructs where AUTO_GENERATE appears without the _X.
[MB]  AUTO_GENERATE_X is an example and it isn't normative.  The
normative aspect is that all the mandatory fields MUST be initialized.
 If there is no value, such as for the identifiers, then an
appropriate wildcard string MUST be included.  The
AUTO_GENERATE_X@example.com is one of example of the string that can
be used for the XCON-URI.  I had intended to add text related to this,
but in re-reviewing the diff, the changes I thought I made didn't make
it, so this change is still needed and I'll update the doc again as
soon as submissions open up again.   [/MB]
>
> * The draft calls out "first party" and "third party" actions, but doesn't
>  define those terms.
[MB] Definitions have been added to the terminology section. [/MB]
>
> * The document should call out why <standard-message-list> and
>  <extended-message-list> were separated, and what makes that separation
>  useful. What will an implementation do differently if a message name
>  it doesn't understand shows up in a <standard-message-list> vs in an
>  <extended-message-list>?
[MB] Done. [/MB]
>
> * Can you add a note explaining that the server chooses the contents
>  of the URI when it creates a conference or user? The examples for
>  creating users, such as 6.7, imply that some bits (Ciccio in this case)
>  are copied from the request's userInfo into the response's userInfo
>  AUTO_GENERATEd URI. While a server might choose to do something like
>  that, it's not required to.
[MB] A note has been added with regards to the server choosing the
XCON-USERID. Not sure that addresses your second concern. [/MB]
>
> * It should be more clearly stated in 6.9 that the "confSummaryRequest"
>  is hypothetical and is not actually being defined.
[MB] Clarified that it's an example. [/MB]
>
> * The URL sub-namespace registration html is not well formed
>  (There's a spurious <a/>).
[MB] Fixed. [/MB]
>
> * Is there a privacy leak with cloning existing conferences? What text
>  prevents any member from cloning the conference to see who is in what
>  sidebar? Was the intent to not allow cloning of conferences that are
>  in progress?
[MB] We do allow cloning of active
conferences IF the client has the appropriate privileges/authorization
and thus the appropriate privacy is provided.   However,
sidebars are the only situation where that is done and we do have general
text that a conference server SHOULD only allow authorized entities to
perform operations.  Perhaps we need to make that a MUST? I added
 add some text in the cloning section that the only scenario
under which an active conference would be cloned would be a sidebar.
[/MB]
>
> * The security considerations section should call out that most CCMP commands
>  can pend indefinitely - clients need to be ready to wait an arbitrary amount
>  of time to get the response (see section 6.3 of xcon-examples and consider
>  Alice not responding and the IVR not timing out, Alice using an automaton
>  to keep the IVR from completing its script when it did have timeout protection,
>  etc. The document should say what a client should do when it is no longer
>  willing to wait (close the underlying connection?), and point out what
>  servers can do if they have lots of pending requests starting to pile up.
[MB] Added text to the 6th item on DoS attacks in the security section
- not sure if that's the exact right place, but hopefully the text
addresses the concern. [/MB]
>
> _______________________________________________
> XCON mailing list
> XCON@ietf.org
> https://www.ietf.org/mailman/listinfo/xcon
>

v2.8.7 | Report a Bug | By Email