The Deprecation HTTP Header Field
draft-ietf-httpapi-deprecation-header-09
Yes
Francesca Palombini
No Objection
Erik Kline
Jim Guichard
John Scudder
Zaheduzzaman Sarker
Note: This ballot was opened for revision 08 and is now closed.
Francesca Palombini
Yes
Murray Kucherawy
Yes
Comment
(2024-09-18 for -08)
Not sent
Thanks to Julian Reschke for his ARTART review.
Deb Cooley
No Objection
Comment
(2024-09-16 for -08)
Not sent
I also found this easy to read. I have no other comments beyond those already mentioned.
Erik Kline
No Objection
Gunter Van de Velde
No Objection
Comment
(2024-09-12 for -08)
Sent
# Gunter Van de Velde, RTG AD, comments for draft-ietf-httpapi-deprecation-header-08.txt

# I am not so familiar with HTTP technologies, however I found that this draft was well written and interesting to read. Thank you for writing this text.

# Please find the following non-blocking comments that crossed my mind when reading the draft. Please use the comments at your discretion.

#GENERIC COMMENTS
#================

## the word "Deprecation" (uppercase D) and "deprecation" (lowercase d) is used mixed within the document. Not sure if that is the intent?

#DETAILED COMMENTS
#=================
##classified as [minor] and [major]

10  Abstract
11
12     The Deprecation HTTP response header field is used to signal to
13     consumers of a resource (in the sense of URI) that the resource will
14     be or has been deprecated. Additionally, the deprecation link
15     relation can be used to link to a resource that provides additional
16     information about planned or existing deprecation, and possibly ways
17     in which client applications can best manage deprecation.

[minor]
Would the following proposed abstract for a higher level description of what is documented in the draft.

"
This document defines a new HTTP response header field, "Deprecation", that allows a server to signal to clients that an API or resource is deprecated. The header field provides additional information, including the date of deprecation and an optional link to documentation. The "Deprecation" header field is intended to inform clients about the lifecycle of an API or resource, allowing them to adapt their usage accordingly. This document also outlines best practices for using the "Deprecation" header in HTTP responses.
"

67  Table of Contents
68
69     1. Introduction
70       1.1. Notational Conventions
71     2. The Deprecation HTTP Response Header Field

[minor]
Most of the drafts that I review have a page count in the table of content. I find that easy to go to certain text. Is there a reason why this table is different?

255    The timestamp given in the Sunset header field MUST NOT be earlier
256    than the one given in the Deprecation header field.

[minor]
What happens if the sunset would be earlier as the Deprecation timestamp? both are ignored or the deprecation is ignored as it is only a timestamp indication/hint?
Jim Guichard
No Objection
John Scudder
No Objection
Mahesh Jethanandani
No Objection
Comment
(2024-09-15 for -08)
Sent
Section 1, paragraph 2
> The act of deprecation does not change any behavior of the resource.
> It informs client applications of the fact that a resource will be or
> is deprecated. The Deprecation HTTP response header field can be
> used to convey this information at runtime indicating when the
> deprecation will be in effect.

First of all thanks to Julian Reschke for providing the GENART review. Secondly, the draft is short and easy to read. Thanks for that.

I tend to agree with Julian that there is redundant text in this document that can be gotten rid of. The second sentence in this paragraph is a perfect example of it. The same is the case with the paragraph under Section 2.

Section 4, paragraph 2
> The timestamp given in the Sunset header field MUST NOT be earlier
> than the one given in the Deprecation header field.

Just like Gunter, I am also curious about what happens if the Sunset header field is earlier than the Deprecation header field.

Section 7, paragraph 2
> Resource documentation SHOULD provide additional information about
> the deprecation, such as including recommendation(s) for replacement.
> Applications consuming the resource SHOULD check the referred
> resource documentation to verify authenticity and accuracy. In cases
> where a Link header field is used to provide documentation, one
> should assume (unless served over HTTPS) that the content of the Link
> header field may not be secure, private or integrity-guaranteed, and
> due caution should be exercised when using it. Also, in cases where
> the Deprecation header field value is a date in the future, it can
> lead to information that otherwise might not be available.
> Therefore, applications consuming the resource SHOULD, if possible,
> consult the resource developer to discuss potential impact due to
> deprecation and plan for possible transition to a recommended
> resource(s).

It was not clear to me why having the Deprecation header field value in the future might lead to information that otherwise may not be available. First of all, what "information" are we talking about? If it is the link, can't that happen when the link is not available regardless of whether it is in the past or the future?

No reference entries found for these items, which were mentioned in the text: [draft-ietf-regext-rdap-jscontact].

Instead of providing a link, you should be using [I-D.ietf-regext-rdap-jscontact] as a reference.

DOWNREF [RFC8594] from this Proposed Standard to Informational RFC8594. (For IESG discussion. It seems this DOWNREF was not mentioned in the Last Call and also seems to not appear in the DOWNREF registry.)

Found terminology that should be reviewed for inclusivity; see https://www.rfc-editor.org/part2/#inclusive_language for background and more guidance:

* Term "master"; alternatives might be "active", "central", "initiator", "leader", "main", "orchestrator", "parent", "primary", "server"
Orie Steele
No Objection
Comment
(2024-09-16 for -08)
Sent
# Orie Steele, ART AD, comments for draft-ietf-httpapi-deprecation-header-08

CC @OR13

* line numbers:
  - https://author-tools.ietf.org/api/idnits?url=https://www.ietf.org/archive/id/draft-ietf-httpapi-deprecation-header-08.txt&submitcheck=True
* comment syntax:
  - https://github.com/mnot/ietf-comments/blob/main/format.md
* "Handling Ballot Positions":
  - https://ietf.org/about/groups/iesg/statements/handling-ballot-positions/

## Comments

Thanks to Julian Reschke for the ARTART Review.

### MUST Sunset use a different data format for date?

```
260    date is Sunday, June 30, 2024 at 23:59:59 UTC. Please note that for
261    historical reasons the Sunset HTTP header field uses a different data
262    format for date.
```

Is this a normative requirement? This could be made clearer.

### SHOULDs in Security Considerations

```
313    Resource documentation SHOULD provide additional information about
314    the deprecation, such as including recommendation(s) for replacement.
315    Applications consuming the resource SHOULD check the referred
316    resource documentation to verify authenticity and accuracy. In cases
```

```
323    Therefore, applications consuming the resource SHOULD, if possible,
324    consult the resource developer to discuss potential impact due to
325    deprecation and plan for possible transition to a recommended
326    resource(s).
```

Both of these seem like guidance to human operators, not guidance for ensuring implementation interoperability. Consider dropping the BCP14 language, or explain when it can be ignored. I see Robert Sparks had similar comments on -06 on the list.
Paul Wouters
No Objection
Comment
(2024-09-17 for -08)
Sent
My only concern is how this might appear different to an enduser, and whether an enduser could be tricked into thinking this "redirect" is more authoritative than it really is (eg coming from an attacker), with a target Link: being used to modify the behaviour of the potential victims.
Roman Danyliw
No Objection
Comment
(2024-09-17 for -08)
Not sent
Thank you to Robert Sparks for the GENART review.
Warren Kumari
No Objection
Comment
(2024-09-15 for -08)
Not sent
Like Gunter, I am not an HTTP expert, but this seems like a fine idea, and the document is clear and well written...
Zaheduzzaman Sarker
No Objection
Éric Vyncke
No Objection
Comment
(2024-09-16 for -08)
Sent
While not an HTTP expert, I find this document both easy to read and useful. Some comments though:

# Actual consumer of this header ?

Only in section 3.1 there is a hint that the actual consumer of the Deprecation header is the application developer, all the previous text is about the 'application' (and I wonder how can an application use this header). Should the abstract/introduction be more explicit ?

# Section 2.2

How can the scope be signalled to the consumer ? It does not seem that it is via the Deprecation header, if not via the Deprecation header, then I suggest to move section 2.2 out of section 2, which is about the Deprecation header.

# Section 4

I wonder why `for historical reasons the Sunset HTTP header field uses a different data format for date`, doesn't make it more complex for application to parse ? Or is it just for some compression ?

# Affiliation

Is there any reason why authors have no cited affiliations ? We all know that IETF authors/editors only represent themselves and not their employers (if any).
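
Added example, not part of the ballot record or the draft: a client-side check touching the points raised above (the two date formats in Section 4, the Sunset-before-Deprecation case, and the non-HTTPS Link caution in the Security Considerations). The handling policy in `assess`, the function names and the sample header values are assumptions made for illustration; the draft text quoted on this page states only the MUST NOT.

```python
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import urlsplit

def parse_deprecation(value):
    # Deprecation: Structured Field Date, "@" followed by Unix seconds.
    m = re.fullmatch(r"@(\d{1,11})", value.strip())
    return datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc) if m else None

def parse_sunset(value):
    # Sunset (RFC 8594): HTTP-date, e.g. "Sun, 30 Jun 2024 23:59:59 GMT".
    try:
        dt = parsedate_to_datetime(value.strip())
    except (TypeError, ValueError):
        return None
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def deprecation_link(link_value):
    # First target whose rel includes "deprecation" (simplified Link parsing).
    for target, params in re.findall(r"<([^>]*)>([^<]*)", link_value):
        rel = re.search(r';\s*rel\s*=\s*"?([^";,]*)', params, re.I)
        if rel and "deprecation" in rel.group(1).lower().split():
            return target
    return None

def assess(headers):
    # Assumed local policy: drop a contradictory Sunset and any non-HTTPS doc link.
    findings = []
    dep = parse_deprecation(headers.get("Deprecation", ""))
    sun = parse_sunset(headers.get("Sunset", ""))
    if dep is None:
        findings.append("no usable Deprecation value")
    if "Sunset" in headers and sun is None:
        findings.append("unparseable Sunset")
    if dep and sun and sun < dep:
        findings.append("Sunset earlier than Deprecation")
        sun = None
    doc = deprecation_link(headers.get("Link", ""))
    if doc and urlsplit(doc).scheme.lower() != "https":
        findings.append("deprecation link not HTTPS")
        doc = None
    return {"deprecated_at": dep, "sunset_at": sun, "doc": doc, "findings": findings}

# Constructed sample responses (not captured traffic).
GOOD = {"Deprecation": "@1688169599", "Sunset": "Sun, 30 Jun 2024 23:59:59 GMT",
        "Link": '<https://developer.example.com/deprecation>; rel="deprecation"; type="text/html"'}
BAD = {"Deprecation": "@1688169599", "Sunset": "Wed, 30 Jun 2021 23:59:59 GMT",
       "Link": '<http://developer.example.com/deprecation>; rel="deprecation"'}
```

The link check treats relative targets as non-HTTPS; a client that resolves them against the request URL would apply the scheme test after resolution.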