Re: [XCON] AD review: draft-ietf-xcon-ccmp-10

[Robert Sparks <rjsparks@nostrum.com>]

I reviewed the diffs between -10 and -11 (while waiting for -12).

All of my concerns have been addressed except for the AUTO_GENERATE text that
you intend to add and  what's called out below:

>> 
>> * Can you add a note explaining that the server chooses the contents
>>  of the URI when it creates a conference or user? The examples for
>>  creating users, such as 6.7, imply that some bits (Ciccio in this case)
>>  are copied from the request's userInfo into the response's userInfo
>>  AUTO_GENERATEd URI. While a server might choose to do something like
>>  that, it's not required to.
> [MB] A note has been added with regards to the server choosing the
> XCON-USERID. Not sure that addresses your second concern. [/MB]

Not completely, but I don't think any more text is needed. My concern is
that an implementer or system designer would come away thinking that
the right way to code populating the auto-generated URI would be to take
the mailto: or sip: URI you provided and just change the scheme.


>> 
>> * The security considerations section should call out that most CCMP commands
>>  can pend indefinitely - clients need to be ready to wait an arbitrary amount
>>  of time to get the response (see section 6.3 of xcon-examples and consider
>>  Alice not responding and the IVR not timing out, Alice using an automaton
>>  to keep the IVR from completing its script when it did have timeout protection,
>>  etc. The document should say what a client should do when it is no longer
>>  willing to wait (close the underlying connection?), and point out what
>>  servers can do if they have lots of pending requests starting to pile up.
> [MB] Added text to the 6th item on DoS attacks in the security section
> - not sure if that's the exact right place, but hopefully the text
> addresses the concern. [/MB]

That's a good a place as any. The group should be sure to review the extra normative
statements you've added.


Thanks!

RjS