Re: [websec] AppsDir review of draft-ietf-websec-strict-transport-sec

2012-04-30 Thread Murray S. Kucherawy
> -Original Message-
> From: Julian Reschke [mailto:julian.resc...@gmx.de]
> Sent: Monday, April 30, 2012 10:03 AM
> To: Murray S. Kucherawy
> Cc: apps-disc...@ietf.org; websec@ietf.org; 
> draft-ietf-websec-strict-transport-...@tools.ietf.org
> Subject: Re: [websec] AppsDir review of draft-ietf-websec-strict-transport-sec
> 
> On 2012-04-29 09:11, Murray S. Kucherawy wrote:
>  > ...
> > Section 6.1.1: I think the "delta-seconds" should be:
> >
> > delta-seconds = 1*DIGIT
> >
> > ; defined in Section 3.3.2 of [RFC2616] ...
> 
> That would copy the rule from RFC 2616 "by value".

Why not just say "delta-seconds is defined in Section 3.3.2 of [RFC2616]" and 
leave out the restatement of the ABNF?  Then it's truly only specified in one 
place.

> > The angle-bracket notation you have there doesn't seem to be normal.
> > ...
> 
> It's a prose rule; see RFC 5234 prose-val. It's used here to define the
> ABNF rule "by reference".

RFC5234 also says it should be used as a "last resort".  This is such a simple 
definition that it doesn't seem to qualify.

-MSK

___
websec mailing list
websec@ietf.org
https://www.ietf.org/mailman/listinfo/websec
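
Added example (not part of the message above or of the draft): a strict reader for the `delta-seconds = 1*DIGIT` rule discussed in that message, applied to an HSTS `max-age` directive. The header layout is taken from the published HSTS specification (RFC 6797) rather than from this thread, and `MAX_AGE_CAP`, `parse_delta_seconds` and `parse_max_age` are hypothetical names.

```python
import re

# Assumption (RFC 6797, not quoted in this thread): the header value is
#   directive *( ";" directive ), directive = name [ "=" token / quoted-string ]
MAX_AGE_CAP = 2**31 - 1   # hypothetical bound for a fixed-width policy store


def parse_delta_seconds(text):
    """Return the integer for a 1*DIGIT string, or None if it does not match."""
    # ASCII digits only: rejects "", "-1", "+5", "1.5", "1e3", " 10", "10\n"
    # and non-ASCII digits that int() alone would happily accept.
    if not re.fullmatch(r"[0-9]+", text):
        return None
    # 1*DIGIT has no upper bound, so never convert an arbitrarily long string.
    digits = text.lstrip("0") or "0"
    if len(digits) > 10:
        return MAX_AGE_CAP
    return min(int(digits), MAX_AGE_CAP)


def parse_max_age(header_value):
    """Return max-age in seconds, or None if the header has to be ignored."""
    found = None
    # Simplification: splitting on ";" does not honour ";" inside quoted-strings.
    for part in header_value.split(";"):
        part = part.strip(" \t")
        if not part:
            continue                      # empty directives are permitted
        name, sep, value = part.partition("=")
        if name.lower() != "max-age":
            continue                      # other directives are not examined here
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]           # quoted-string form: max-age="300"
        seconds = parse_delta_seconds(value) if sep else None
        if seconds is None or found is not None:
            return None                   # malformed or repeated max-age
        found = seconds
    return found                          # None when max-age is absent


if __name__ == "__main__":
    # Constructed sample header values, not taken from real traffic.
    for sample in ("max-age=31536000; includeSubDomains", 'max-age="300"',
                   "max-age=-1", "max-age=1.5", "max-age=" + "9" * 40):
        print(repr(sample), "->", parse_max_age(sample))
```
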


Re: [websec] WG Last Call on draft-ietf-websec-strict-transport-sec-06

2012-04-30 Thread =JeffH
thanks for the review Paul. I noticed I didn't respond to some portions of your 
message that didn't get transformed into issue tickets. here goes...


> Significant:
>
> This document pretends that the TLSA protocol from the DANE WG will not
> exist.

this item is captured in  
and has been discussed in a separate thread..





> Moderate:
>
> In section 8.1.2, I don't know what "ignoring separator characters" means,
> and suspect it will cause pain if left this way.

That phrase is simply deleted in my -07 working copy.


> [I-D.ietf-tls-ssl-version3] is not a "work in progress". I'll take this up
> on the rfc-interest mailing list, and nothing needs to be done here.

That is addressed in my working copy via ref of (the recently published) 
[RFC6101] instead.



> RFC 2818 is listed as a normative reference, and yet it is Informational.
> This will need to be called out in the PROTO report. Alternately, it can be
> called an informative reference, since one does not need to understand it
> in order to implement this document.

this item was addressed by Alexey in his reply here..




> I have alerted the idna-update mailing list of this WG LC. This might cause
> some helicoptered-in comments, but better now than during IETF LC.

I had noticed that.  I'll follow up there once -07 is pub'd. Note that I'd 
engaged in non-trivial discussions there on idna-update@ about various aspects 
of -strict-transport-sec back in Sep-2011...




..and I have some hopefully-improved IDNA language in my -07 working copy.


> Editorial:
>
> "annunciate" (used a few times) is a fancy word for "announce". Maybe use
> the far more common word instead.
>
> In section 3.1, "suboptimal downside" is unclear. Is there an optimal
> downside? I suggest replacing it with "negative".
>
> The lead sentences in sections 11.2, 11.4, and 11.5 lack verbs; verbs are
> used in 11.1 and 11.3. This should be an easy fix.

the above are captured in issue ticket #40 




thanks again,

=JeffH




Re: [websec] #43: HSTS: cite draft-reschke-http-status-308 and mention HTTP status code 308 ?

2012-04-30 Thread websec issue tracker
#43: HSTS: cite draft-reschke-http-status-308 and mention HTTP status code 308 ?


Comment (by julian.reschke@…):

 In a perfect world yes :-) But 308 is new, experimental, not well
 supported, and introduces an indirect dependency on HTTPbis.

 Proposal: rephrase the normative requirement so that sending 308 instead
 of 301 is *possible* (say "permanent redirect", and list 301 as example).

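-- 
-----------------------------------+-----------------------------------
 Reporter:  jeff.hodges@…          |      Owner:  draft-ietf-websec-strict-transport-sec@…
     Type:  enhancement            |     Status:  new
 Priority:  minor                  |  Milestone:
Component:  strict-transport-sec   |    Version:
 Severity:  In WG Last Call        | Resolution:
 Keywords:                         |
-----------------------------------+-----------------------------------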



Re: [websec] #40: Various editorial comments on -06

2012-04-30 Thread websec issue tracker
#40: Various editorial comments on -06


Comment (by jeff.hodges@…):

 forked two items to their own tickets...


 > Section 7.2
 >
 > Does it make sense to mention that status code 308 might be
 > appropriate in certain circumstances? See draft-reschke-http-status-308.

 forked to Ticket #43
 http://trac.tools.ietf.org/wg/websec/trac/ticket/43

 > Section 9
 >
 > The phrase "valid Unicode-encoded string-serialized domain name" seems
 > a bit strange, because we don't typically refer to Unicode as an
 > encoding scheme. See RFC 6365 regarding such terminology.

 forked to ticket #44
 http://trac.tools.ietf.org/wg/websec/trac/ticket/44

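-- 
-----------------------------------+-----------------------------------
 Reporter:  jeff.hodges@…          |      Owner:  draft-ietf-websec-strict-transport-sec@…
     Type:  defect                 |     Status:  new
 Priority:  minor                  |  Milestone:
Component:  strict-transport-sec   |    Version:
 Severity:  In WG Last Call        | Resolution:
 Keywords:                         |
-----------------------------------+-----------------------------------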



[websec] #44: terminology for referring to complete domain name (FQDN) possibly containing IDN labels

2012-04-30 Thread websec issue tracker
#44: terminology for referring to complete domain name (FQDN) possibly
containing IDN labels

 [ this issue is forked from
 http://trac.tools.ietf.org/wg/websec/trac/ticket/40 ]

 https://www.ietf.org/mail-archive/web/websec/current/msg01108.html StPeter

 > Section 9
 >
 > The phrase "valid Unicode-encoded string-serialized domain name" seems
 > a bit strange, because we don't typically refer to Unicode as an
 > encoding scheme. See RFC 6365 regarding such terminology.

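-- 
-----------------------------------+-----------------------------------
 Reporter:  jeff.hodges@…          |      Owner:  draft-ietf-websec-strict-transport-sec@…
     Type:  defect                 |     Status:  new
 Priority:  major                  |  Milestone:
Component:  strict-transport-sec   |    Version:
 Severity:  In WG Last Call        |   Keywords:
-----------------------------------+-----------------------------------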



Re: [websec] AppsDir review of draft-ietf-websec-strict-transport-sec

2012-04-30 Thread Julian Reschke

On 2012-04-29 09:11, Murray S. Kucherawy wrote:
> ...
> Section 6.1.1: I think the "delta-seconds" should be:
>
> delta-seconds = 1*DIGIT
>
> ; defined in Section 3.3.2 of [RFC2616]
> ...

That would copy the rule from RFC 2616 "by value".

> ...
> The angle-bracket notation you have there doesn't seem to be normal.
> ...

It's a prose rule; see RFC 5234 prose-val. It's used here to define the 
ABNF rule "by reference".


The reference form in theory is safer because there's only a single 
definition, so no conflicts are possible.


Best regards, Julian

PS: we use the prose-val style a lot in HTTPbis for referencing ABNF 
from other documents, so if there's a problem with that I'd like to 
learn ASAP about it :-)



[websec] #43: HSTS: cite draft-reschke-http-status-308 and mention HTTP status code 308 ?

2012-04-30 Thread websec issue tracker
#43: HSTS: cite draft-reschke-http-status-308 and mention HTTP status code 308 ?

 [ this issue is forked from
 http://trac.tools.ietf.org/wg/websec/trac/ticket/40 ]

 > https://www.ietf.org/mail-archive/web/websec/current/msg01108.html
 StPeter
 
 >
 > Section 7.2
 >
 > Does it make sense to mention that status code 308 might be
 > appropriate in certain circumstances? See draft-reschke-http-status-308.

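-- 
-----------------------------------+-----------------------------------
 Reporter:  jeff.hodges@…          |      Owner:  draft-ietf-websec-strict-transport-sec@…
     Type:  enhancement            |     Status:  new
 Priority:  minor                  |  Milestone:
Component:  strict-transport-sec   |    Version:
 Severity:  In WG Last Call        |   Keywords:
-----------------------------------+-----------------------------------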



[websec] Minutes for the Paris (IETF 83) meeting

2012-04-30 Thread Alexey Melnikov

Sorry for being late with this:

http://www.ietf.org/proceedings/83/minutes/minutes-83-websec.txt

Corrections are welcome, especially for things reported as "missed what 
he/she said".


Special thank you to Richard Barnes for being our jabber scribe in Paris.

