[websec] Minutes for the Paris (IETF 83) meeting

2012-04-30 Thread Alexey Melnikov

Sorry for being late with this:

http://www.ietf.org/proceedings/83/minutes/minutes-83-websec.txt

Corrections are welcome, especially for things reported as missed what 
he/she said.


Special thank you to Richard Barnes for being our jabber scribe in Paris.


___
websec mailing list
websec@ietf.org
https://www.ietf.org/mailman/listinfo/websec


Re: [websec] AppsDir review of draft-ietf-websec-strict-transport-sec

2012-04-30 Thread Julian Reschke

On 2012-04-29 09:11, Murray S. Kucherawy wrote:
 ...

Section 6.1.1: I think the delta-seconds should be:

delta-seconds = 1*DIGIT

; defined in Section 3.3.2 of [RFC2616]
...


That would copy the rule from RFC 2616 by value.

 ...

The angle-bracket notation you have there doesn't seem to be normal.
...


It's a prose rule; see RFC 5234 prose-val. It's used here to define the 
ABNF rule by reference.


The reference form in theory is safer because there's only a single 
definition, so no conflicts are possible.


Best regards, Julian

PS: we use the prose-val style a lot in HTTPbis for referencing ABNF 
from other documents, so if there's a problem with that I'd like to 
learn ASAP about it :-)



[websec] #44: terminology for referring to complete domain name (FQDN) possibly containing IDN labels

2012-04-30 Thread websec issue tracker
#44: terminology for referring to complete domain name (FQDN) possibly
containing IDN labels

 [ this issue is forked from
 http://trac.tools.ietf.org/wg/websec/trac/ticket/40 ]

 https://www.ietf.org/mail-archive/web/websec/current/msg01108.html StPeter

  Section 9
 
  The phrase "valid Unicode-encoded string-serialized domain name" seems
  a bit strange, because we don't typically refer to Unicode as an
  encoding scheme. See RFC 6365 regarding such terminology.

-- 
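-----------------------------------+------------------------------------------------
 Reporter:   jeff.hodges@…         |      Owner:  draft-ietf-websec-strict-transport-sec@…
     Type:   defect                |     Status:  new
 Priority:   major                 |  Milestone:
Component:   strict-transport-sec  |    Version:
 Severity:   In WG Last Call       |   Keywords:
-----------------------------------+------------------------------------------------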

Ticket URL: http://trac.tools.ietf.org/wg/websec/trac/ticket/44
websec http://tools.ietf.org/websec/



Re: [websec] WG Last Call on draft-ietf-websec-strict-transport-sec-06

2012-04-30 Thread =JeffH
thanks for the review Paul. I noticed I didn't respond to some portions of your 
message that didn't get transformed into issue tickets. here goes...


 Significant:

 This document pretends that the TLSA protocol from the DANE WG will not
 exist.

this item is captured in http://trac.tools.ietf.org/wg/websec/trac/ticket/39 
and has been discussed in a separate thread..


https://www.ietf.org/mail-archive/web/websec/current/msg01141.html


 Moderate:

 In section 8.1.2, I don't know what "ignoring separator characters" means,
 and suspect it will cause pain if left this way.

That phrase is simply deleted in my -07 working copy.


 [I-D.ietf-tls-ssl-version3] is not a work in progress. I'll take this up
 on the rfc-interest mailing list, and nothing needs to be done here.

That is addressed in my working copy via ref of (the recently published) 
[RFC6101] instead.



 RFC 2818 is listed as a normative reference, and yet it is Informational.
 This will need to be called out in the PROTO report. Alternately, it can be
 called an informative reference, since one does not need to understand it
 in order to implement this document.

this item was addressed by Alexey in his reply here..

https://www.ietf.org/mail-archive/web/websec/current/msg01104.html


 I have alerted the idna-update mailing list of this WG LC. This might cause
 some helicoptered-in comments, but better now than during IETF LC.

I had noticed that.  I'll follow up there once -07 is pub'd. Note that I'd 
engaged in non-trivial discussions there on idna-update@ about various aspects 
of -strict-transport-sec back in Sep-2011...


http://www.alvestrand.no/pipermail/idna-update/2011-September/007140.html

..and I have some hopefully-improved IDNA language in my -07 working copy.


 Editorial:

 "annunciate" (used a few times) is a fancy word for "announce". Maybe use
 the far more common word instead.

 In section 3.1, "suboptimal downside" is unclear. Is there an optimal
 downside? I suggest replacing it with "negative".

 The lead sentences in sections 11.2, 11.4, and 11.5 lack verbs; verbs are
 used in 11.1 and 11.3. This should be an easy fix.

the above are captured in issue ticket #40 
http://trac.tools.ietf.org/wg/websec/trac/ticket/40



thanks again,

=JeffH

