Session Peering Provisioning (SPP) Protocol over SOAP
draft-ietf-drinks-spp-protocol-over-soap-09

[Ballot discuss]
There are ballot comments from Spencer, Stephen, Barry, and Kathleen that still need to be addressed. (Even though Stephen cleared his DISCUSS, I think the remaining comments need to be considered.)

[Ballot comment]

Thanks for the response to my discuss, since the WG did  think
it through, I've cleared.

----- OLD COMMENTS below

- General: why would one want to ever run this protocol
without TLS? Did the WG consider saying that TLS MUST be used?
Again, if you tell me you thought about it, I'll just clear.

- 7.1.2: The framework uses "Identifier" but here you use
"Identity" - it'd be better to be consistent I think and
"Identifier" is a lot better.

- section 11 is weaker than the corresponding section in the
framework draft. Two things: 1) why not point back to the
framework here? 2) shouldn't you say which of the
vulns/mitigations called out in the framework are relevant or
mitigated here?

[Ballot comment]
-- Section 4 --

  Implementations compliant with this document MUST use HTTP 1.1
  [RFC2616] or higher.  Also, implementations SHOULD use persistent
  connections.

You could remove "compliant with this document".  But more importantly, the "SHOULD" is not an interoperability requirement.  I'd rather see "implementations should use persistent connections for the performance reasons specified above."  But this is non-blocking, and there's no need to discuss it.

Also, RFC 2616 is obsolete.  The current reference for HTTP 1.1 is RFC 7230, and this reference needs to be changed to that.

-- Section 5 --
I support Stephen's DISCUSS here.  Further on what he says in his comment, this MUST requirement locks you into Digest for all time, regardless of what other authentication mechanisms might be defined and deployed later.  That doesn't seem wise.

If the real point here is that there are two mechanisms (Basic and Digest), and you want to use Digest because you don't want Basic, then maybe that's how you should say it: ban Basic rather than requiring Digest.

[Ballot comment]
-- Section 4 --

  Implementations compliant with this document MUST use HTTP 1.1
  [RFC2616] or higher.  Also, implementations SHOULD use persistent
  connections.

You could remove "compliant with this document".  But more importantly, the "SHOULD" is not an interoperability requirement.  I'd rather see "implementations should use persistent connections for the performance reasons specified above."  But this is non-blocking, and there's no need to discuss it.

-- Section 5 --
I support Stephen's DISCUSS here.  Further on what he says in his comment, this MUST requirement locks you into Digest for all time, regardless of what other authentication mechanisms might be defined and deployed later.  That doesn't seem wise.

If the real point here is that there are two mechanisms (Basic and Digest), and you want to use Digest because you don't want Basic, then maybe that's how you should say it: ban Basic rather than requiring Digest.

[Ballot comment]
All editorial. Note that I did not review sections 9 & 10.

1 or 2: Might be nice to define "SPPPoS" for "SPP Protocol over SOAP". Would save a lot of space and make things easier to read.

3:

OLD
  This document RECOMMENDS SOAP 1.2 [SOAPREF] or higher, and WSDL 1.1
  [WSDLREF] or higher.
NEW
  SOAP 1.2 [SOAPREF] or higher, and WSDL 1.1 [WSDLREF] or higher are
  RECOMMENDED by this document.
END

4: s/compliant with this document/of this protocol

5ff: I don't see how the word "conforming" adds anything to this document. Instead of "conforming SPPPoS clients/servers MUST do X", why not say "SPPPoS clients/servers MUST do X"?

7: Title: s/SPP Protocol SOAP Data Structures/SPP Protocol over SOAP Data Structures

[Ballot comment]
(resending after changing the notification to @tools.ietf.org)

In this text:

  This document RECOMMENDS SOAP 1.2 [SOAPREF] or higher, and WSDL 1.1
  [WSDLREF] or higher.
 
I'm not sure why these are RECOMMENDS, but more to the point, am I reading this that there's no mandatory-to-implement version of SOAP or WSDL for SPP over SOAP? I note that you have HTTP/1.1 or higher as a "MUST use" in Section 4.

[Ballot comment]
In this text:

  This document RECOMMENDS SOAP 1.2 [SOAPREF] or higher, and WSDL 1.1
  [WSDLREF] or higher.
 
I'm not sure why these are RECOMMENDS, but more to the point, am I reading this that there's no mandatory-to-implement version of SOAP or WSDL for SPP over SOAP? I note that you have HTTP/1.1 or higher as a "MUST use" in Section 4.

[Ballot discuss]

I just want to check one thing...

Section 5: why is there a MUST for Digest auth?  What'd be
wrong with TLS client auth here?  I do wish the WG had
considered some alternative to passwords, which don't make so
much sense in this use-case.  (BTW: You could chose HOBA here
I guess, but that's still in the RFC editor queue and not
supported by libraries so perhaps doesn't suit. But it'd work.
I'm an author of the HOBA spec though, so I'm biased:-) Anyway
- can you tell me if the WG considered dropping passwords
entirely and mandating TLS client auth be implemented?  If the
WG seriously considered TLS client auth already, I'll just
clear.

[Ballot comment]

- General: why would one want to ever run this protocol
without TLS? Did the WG consider saying that TLS MUST be used?
Again, if you tell me you thought about it, I'll just clear.

- 7.1.2: The framework uses "Identifier" but here you use
"Identity" - it'd be better to be consistent I think and
"Identifier" is a lot better.

- section 11 is weaker than the corresponding section in the
framework draft. Two things: 1) why not point back to the
framework here? 2) shouldn't you say which of the
vulns/mitigations called out in the framework are relevant or
mitigated here?

[Ballot comment]
Thanks for your work on this draft.  I have some comments and suggestions that I'd like to be considered:

Section 4:
Instead of HTTP(S), I'd prefer to see HTTP/TLS. Would that cause any heartburn?  It would make the text consistent with the next section.

Please change SSL to TLS in this section as well.

Section 5:
OK, I see you have TLS listed here, along with a minimum version by reference to the RFC for TLS 1.2.  All good, thanks.

A pointer to the BCP from UTA: https://datatracker.ietf.org/doc/draft-ietf-uta-tls-bcp/ following the last sentence, might be helpful.  It's in IETF last call now, so it shouldn't hold up this draft and could even be done as an informational reference so it won't matter that it's not published yet.  Alternatively, this reference could be in section 11.1.

Section 7.3
Is a response code needed when the XML does not validate to the schema or other requirements that may exist in addition to schema conformance?  Or does this happen somewhere else or perhaps this should be stated as part of one of the existing response codes?

IESG/Authors/WG Chairs:

IANA has reviewed draft-ietf-drinks-spp-protocol-over-soap-07.  Authors should review the comments and/or questions below.  Please report any inaccuracies and respond to any questions as soon as possible.

We received the following comments/questions from the IANA's reviewer:

IANA understands that, upon approval of this document, there is a single action which IANA must complete.

In the ns registry of the IETF XML Registry located at:

https://www.iana.org/assignments/xml-registry

a new namespace is to be registered as follows:

ID: sppf:soap:1
URI: urn:ietf:params:xml:ns:sppf:soap:1
Filename: [ TBD-at-registration ]
Reference: [ RFC-to-be ]

NOTE: As this document requests registrations in a Specification Required (see RFC 5226) registry, we will initiate the required Expert Review via a separate request. Expert review will need to be completed before your document can be approved for publication as an RFC.

IANA understands that this is the only action required to be completed upon approval of this document.

Note:  The actions requested in this document will not be completed until the document has been approved for publication as an RFC. This message is only to confirm what actions will be performed.

The following Last Call announcement was sent out:

From: The IESG
To: IETF-Announce
CC:
Reply-To: ietf@ietf.org
Sender:
Subject: Last Call:  (Session Peering Provisioning (SPP) Protocol over SOAP) to Proposed Standard


The IESG has received a request from the Data for Reachability of
Inter/tra-NetworK SIP WG (drinks) to consider the following document:
- 'Session Peering Provisioning (SPP) Protocol over SOAP'
  as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substantive comments to the
ietf@ietf.org mailing lists by 2015-01-22. Exceptionally, comments may be
sent to iesg@ietf.org instead. In either case, please retain the
beginning of the Subject line to allow automated sorting.

Abstract


  The Session Peering Provisioning Framework (SPPF) specifies the data
  model and the overall structure to provision session establishment
  data into Session Data Registries and SIP Service Provider data
  stores.  To utilize this framework one needs a transport protocol.
  Given that Simple Object Access Protocol (SOAP) is currently widely
  used for messaging between elements of such provisioning systems,
  this document specifies the usage of SOAP (via HTTPS) as the
  transport protocol for SPPF.  The benefits include leveraging
  prevalent expertise, and a higher probability that existing
  provisioning systems will be able to easily migrate to using an SPPF
  based protocol.




The file can be obtained via
http://datatracker.ietf.org/doc/draft-ietf-drinks-spp-protocol-over-soap/

IESG discussion can be tracked via
http://datatracker.ietf.org/doc/draft-ietf-drinks-spp-protocol-over-soap/ballot/


No IPR declarations have been submitted directly on this I-D.

PROTO write-up for draft-ietf-spp-protocol-over-soap

(1) What type of RFC is being requested (BCP, Proposed Standard,
Internet Standard, Informational, Experimental, or Historic)? Why is
this the proper type of RFC? Is this type of RFC indicated in the title
page header?

  The request is to publish this document as a “Proposed Standard”. This
  document specifies a SOAP (over HTTPS) transport protocol for the
  Session Peering Provisioning Framework (SPPF; draft-ietf-drinks-spp-
  framework). Given that SPPF is a Proposed Standard, and requires a
  transport protocol for implementation, such as the one specified in
  this document, the WG is in strong consensus that this is the proper
  type of RFC.

  And yes, this type is indicated in the title page header.

(2) The IESG approval announcement includes a Document Announcement
Write-Up. Please provide such a Document Announcement Write-Up. Recent
examples can be found in the "Action" announcements for approved
documents. The approval announcement contains the following sections:

Technical Summary:

  This document provides a SOAP (over HTTPS) transport protocol for
  implementing the Session Peering Provisioning Framework (SPPF; draft
  -ietf-drinks-spp-framework). SPPF specifies the data model and the
  overall structure to provision session establishment data into Session
  Data Registries and SIP Service Provider data stores.

Working Group Summary:

  The chairs believe that there is consensus behind this document. There
  has not been any disagreement on the content of this I-D . Some
  participants of the working group (and external observers) have
  periodically expressed concern over the use of SOAP and questioned why
  RESTful web service is not being used. The Working Group has discussed
  this on multiple occasions and the act that more provisioning systems
  that are meant to employ SPPF already use SOAP, it is the one that is
  currently in demand for practical use. It is important to note that
  SPPF is limited to identifying the data model specification. Should
  the need arise for a RESTful service based transport protocol
  specification , or even a binary protocol for various reasons, it can
  be derived from the SPPF in the future. Therefore , the WG Chairs
  believe that this has resulted in general consensus to progress this
  document for consideration as an RFC.

Document Quality:

  A few working group participants have developed a prototype-level
  implementation, involving programmers who were not involved in the
  framework or transport protocol design efforts. Lessons learned from
  that implementation were fed back into the documents. Furthermore, the
  SPPF design team includes several potential implementers, who have
  verified the I-D content as ready for implementation.

Personnel:

  Syed W. Ali is serving the role of Document Shepherd, and Richard
  Barnes is the responsible AD.

(3) Briefly describe the review of this document that was performed by
the Document Shepherd . If this version of the document is not ready for
publication, please explain why the document is being forwarded to the
IESG.

  The document shepherd performed a review prior to publication request,
  and believes that it is ready for publication.

(4) Does the document Shepherd have any concerns about the depth or  breadth of the reviews that have been performed?

  While there are no concerns regarding the contents or the
  requirements, the document shepherd recommends that data modeling
  experts, esp., those well versed in SOAP and WSDL be invited to review
  this document. The primary reason for this is that previous “SOAP and
  WSDL” expert reviewers were involved in the creation of this document,
  but may have overlooked nuances. The secondary reason is that, while
  we had non-WG member reviews, they were not necessarily SOAP experts.
  (Data Model experts were invited, but were unable to make time during
  the WGLC process.)

(5) Do portions of the document need review from a particular or from
broader perspective, e.g., security, operational complexity, AAA, DNS,
DHCP, XML, or internationalization? If so, describe the review that took
place.

  Yes; see response to (4).

(6) Describe any specific concerns or issues that the Document Shepherd
has with this document that the Responsible Area Director and/or the
IESG should be aware of? For example, perhaps he or she is uncomfortable
with certain parts of the document, or has concerns whether there really
is a need for it. In any event, if the WG has discussed those issues and
has indicated that it still wishes to advance the document, detail those
concerns here.

  No, all my concerns (e.g., IANA registry for namespaces) that were
  raised have been addressed.

(7) Has each author confirmed that any and all appropriate IPR
disclosures required for full conformance with the provisions of BCP 78
and BCP 79 have already been filed. If not, explain why?

  Each author has confirmed that there are no IPR claims about the
  contents in this draft, and that they are not aware of such claims.

(8) Has an IPR disclosure been filed that references this document? If
so, summarize any WG discussion and conclusion regarding the IPR
disclosures.

  No IPR claims have been filed, that the Document Shepherd is aware of.

(9) How solid is the WG consensus behind this document? Does it
represent the strong concurrence of a few individuals, with others being
silent, or does the WG as a whole understand and agree with it?

  Within the Design Team, solid consensus was sought for each issue, and
  minutes from the weekly conference calls were sent back to the WG
  mailing list. Given the small size of the WG (~35 participants during
  the last meeting) , most active participants (~8) were also part of
  the Design Team, making for fewer discussions outside of the calls.

(10) Has anyone threatened an appeal or other wise indicated extreme
discontent? If so, please summarise the areas of conflict in separate
email messages to the Responsible Area Director. (It should be in a
separate email because this questionnaire is publicly available.)

  No appeal was threatened, nor did anybody indicate extreme discontent.

(11) Identify any ID nits the Document Shepherd has found in this
document. (See http://www.ietf.org/tools/idnits/ and the Internet-Drafts
Checklist). Boilerplate checks are not enough; this check needs to be
thorough.

  There is one warning: Possible downref: Non-RFC (?) normative
  reference: ref. 'SOAPREF'; which is acceptable.

(12) Describe how the document meets any required formal review
criteria, such as the MIB Doctor, media type, and URI type reviews.

  The previous document shepherd (Sumanth Channabasappa) has asked for
  specific XML expert review (from Peter Saint-Andre), but this may be
  done as part of IETF LC.

(13) Have all references within this document been identified as either
normative or informative?

  Yes, references have been split in normative an informative
  references.

(14) Are there normative references to documents that are not ready for
advancement or are otherwise in an unclear state? If such normative
references exist, what is the plan for their completion?

  This document depends on the SPPF document, which will need to
  accepted prior-to, or at the same time.

(15) Are there downward normative references references (see RFC 3967)?
If so, list these downward references to support the Area Director in  the Last Call procedure.

  No. However, see note under point (11).

(16) Will publication of this document change the status of any existing
RFCs? Are those RFCs listed on the title page header, listed in the
abstract, and discussed in the introduction? If the RFCs are not listed
in the Abstract and Introduction, explain why, and point to the part of
the document where the relationship of this document to the other RFCs
is discussed. If this information is not in the document, explain why
the WG considers it unnecessary.

  This document will not change the status of any existing RFC.


(17) Describe the Document Shepherd's review of the IANA considerations
section, especially with regard to its consistency with the body of the
document. Confirm that all protocol extensions that the document makes
are associated with the appropriate reservations in IANA registries.
Confirm that any referenced IANA registries have been clearly
identified. Confirm that newly created IANA registries include a
detailed specification of the initial contents for the registry, that
allocations procedures for future registrations are defined, and a
reasonable name for the new registry has been suggested (see RFC 5226).

  The document uses URNs to describe XML Namespaces and XML Schemas, and
  pursuant to RFC3688, requests registration of:

  URN: urn:ietf:params:xml:ns:sppf:soap:1

  The document does not create any new IANA registries

(18) List any new IANA registries that require Expert Review for future
allocations. Provide any public guidance that the IESG would find useful
in selecting the IANA Experts for these new registries.

  n/a

(19) Describe reviews and automated checks performed by the Document
Shepherd to validate sections of the document written in a formal
language, such as XML code, BNF rules, MIB definitions, etc.

  The authors have performed validation; additionally an automated NITS
  review was performed. The previous document shepherd (Sumanth
  Channabasappa) has requested review from an external expert (Peter St.
  Andre) some time ago, but there has been no feedback regarding this
  review yet.

  Furthermore, Ning Zhang has volunteered to perform a review, providing
  feedback during the IETF LC.