Ballot for draft-ietf-cdni-control-triggers
Yes
No Objection
Note: This ballot was opened for revision 11 and is now closed.
Thank you for addressing my earlier comments!
Thanks for addressing my comments.
Thanks for handling my DISCUSS point related to the TLS requirement. I had one remaining DISCUSS point that I am not sure has been resolved--but after the conversation that did happen, it is probably no longer DISCUSS-worthy: - 4.7, 2nd bullet under handling of offline surrogates: I assume I am missing something here. How does a surrogate know that the situation exists in the first place? How would a surrogate know about invalidate commands that happened while it was offline? ------------- The remaining comments are old. I think they've mostly been addressed, but did not recheck them: - 3, paragraph 5: SHOULD should not be equated with "optional to implement". MAY means that. SHOULD is intended to be stronger. - 4.5, 2nd paragraph, 1st sentence: This is pretty convoluted. I suggest reformulating without the past tense "MUST". For example, "The dCNI MUST report the expiration times if..." -4.6: "If CDNs B and C delegate delivery of CDN A’s content to each other" Is this a reasonable configuration? It seems like they might already have a delegation loop before the trigger interface got involved. Also, the first sentence is a fragment. = 4.8, first paragraph: I suggest s/transform/"similarly transform" - 5.1.3, staleresourcetime, mandatory: Doesn't this effectively mean the value must be the same across all collections? - 5.2.1, content.ccid: Seems like the reference to [I-D.ietf-cdni-metadata] should be normative. - 6.2.5: it looks like the dCDN is sending the request to itself. Is that the intent? - 8.1, last paragraph: "In this case, the dCDN MUST allow each uCDN from which the content could have been acquired to act upon that content using CI/T Commands." This seems like a place where local policy might reasonably vary. Is a MUST really appropriate?
I'm a no objection, but do want to see why TLS is not a MUST. I've responded to Ben's discuss that proposes language to make it clear whether or not TLS is a MUST. Right now, I think it is just a MUST when certain conditions are met - the need for the security properties called out in 8.1 and commercial privacy considerations in 8.3.
- I agree with the discuss points about use of TLS. - I think it'd be better if you clarified that by "mutually authenticated" you mean TLS client auth and TLS server auth and not e.g. HTTP BASIC plus TLS server auth. - I think a statement to the effect that the mechanisms for access control are dCDN-specific (for now at least) might be a good addition. I'm guessing that someone might want to use some form of OAuth later on (or is doing so now) so part(s) of that might be a thing to standardise later.