Re: Last Call: <draft-ietf-repute-query-http-09.txt> (A Reputation Query Protocol) to Proposed Standard

At 07:41 15-08-2013, The IESG wrote:
The IESG has received a request from the Reputation Services WG (repute)
to consider the following document:
- 'A Reputation Query Protocol'
  <draft-ietf-repute-query-http-09.txt> as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substantive comments to the
ietf@xxxxxxxx mailing lists by 2013-08-29. Exceptionally, comments may be

The draft-ietf-repute-model reference is a down-ref.

  "A server receiving a query about an application it does not
   recognize or explicitly support support (e.g., by virtue of
   private agreements or experimental extensions) MUST return a
   404 error code."

There is a typo: "support support".

Are there other cases where a 404 is appropriate? I am asking the question as there is a string of proposals built upon RFC 2616 which attempt to use HTTP status codes to communicate errors for the layered protocol.

In Section 3.2:

  "and SHOULD include an Expires field (see Section 14.21 of [HTTP])
   indicating a duration for which the template is to be considered
   valid by clients and not re-queried."

Why is this an RFC 2119 SHOULD? There is a "SHOULD NOT" following that paragraph with a "don't query for a day if there isn't an Expires field". Wouldn't it be easier to have "MUST include the Expires field"?


  "The template file might contain more than one template.  Such a file
   MUST have each template separated by a newline (ASCII 0x0D)
   character."

As this is line oriented it may be better to have CRLF.

In Section 3.3:

  "A server SHOULD include support for providing service over HTTP"

Is there a case where the service will work if the server does not support HTTP?

In Section 5:

  "The reputation service itself will use HTTP or other transport
   methods to issue queries and receive replies.  Those protocols have
   registered URI schemes and, as such, presumably have documented
   security considerations."

This is odd.  What other protocols are there to retrieve the URI template?

If I understood the draft, the Proposed Standard angle is:

  http://{service}/{application}/{subject}/{assertion}

with an "application/reputon+json" response. Why should that be a Proposed Standard?

Regards,
-sm
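
The following is an added example, not part of the original message or of the draft. It sketches how a client could cope with the points raised above: it splits a multi-template file on CR, LF or CRLF, applies the one-day fallback when no Expires field is present, and percent-encodes template values so a subject cannot add path segments. The function names and sample values are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import quote

DEFAULT_TTL = timedelta(days=1)  # no Expires field: do not re-query for a day

def split_templates(body):
    """Split a template file on CRLF, bare CR (0x0D) or bare LF."""
    return [t.strip() for t in re.split(r"\r\n|\r|\n", body) if t.strip()]

def template_valid_until(headers, fetched_at):
    """Return the time until which a fetched template may be reused."""
    raw = next((v for k, v in headers.items() if k.lower() == "expires"), None)
    if raw is None:
        return fetched_at + DEFAULT_TTL
    try:
        expires = parsedate_to_datetime(raw)
    except (TypeError, ValueError):
        return fetched_at  # HTTP treats an invalid date such as "0" as already expired
    if expires.tzinfo is None:
        expires = expires.replace(tzinfo=timezone.utc)
    return expires

def expand(template, **values):
    """Fill {name} slots, percent-encoding each value so it stays one path segment."""
    def fill(match):
        return quote(str(values[match.group(1)]), safe="")  # KeyError if a slot is unset
    return re.sub(r"\{(\w+)\}", fill, template)

if __name__ == "__main__":
    tmpl = "http://{service}/{application}/{subject}/{assertion}"
    # Constructed sample values; the names are not taken from the draft.
    print(split_templates(tmpl + "\r" + tmpl))
    print(expand(tmpl, service="rep.example.net", application="example-app",
                 subject="a/../b", assertion="example-assertion"))
    now = datetime(2013, 8, 15, tzinfo=timezone.utc)
    print(template_valid_until({}, now))
```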



