Skip to main content

Shepherd writeup
draft-ietf-websec-origin

Document write-up for draft-ietf-websec-origin-04

  (1.a) Who is the Document Shepherd for this document? Has the
        Document Shepherd personally reviewed this version of the
        document and, in particular, does he or she believe this
        version is ready for forwarding to the IESG for publication?

    Document shepherd is Tobias Gondrom.
    I have reviewed this version personally and believe it is ready.

  (1.b) Has the document had adequate review both from key WG members
        and from key non-WG members? Does the Document Shepherd have
        any concerns about the depth or breadth of the reviews that
        have been performed?

    The document is mature and received good review from WG and non-WG
    members.  Furthermore, reviews also covered document versions before
    its adoption by the WG or even prior to the formation of the WebSec
    WG (draft-abarth-origin and draft-abarth-principles-of-origin).
    The depth and breadth of the reviews is sufficient and best efforts
    have been made to involve browser vendors, though a few more reviews
    from the browser vendor companies would have been nice.  Recent IETF
    LC has also resulted in further good reviews.


 (1.c) Does the Document Shepherd have concerns that the document
        needs more review from a particular or broader perspective,
        e.g., security, operational complexity, someone familiar with
        AAA, internationalization or XML?

    No.


  (1.d) Does the Document Shepherd have any specific concerns or
        issues with this document that the Responsible Area Director
        and/or the IESG should be aware of? For example, perhaps he
        or she is uncomfortable with certain parts of the document, or
        has concerns whether there really is a need for it. In any
        event, if the WG has discussed those issues and has indicated
        that it still wishes to advance the document, detail those
        concerns here. Has an IPR disclosure related to this document
        been filed? If so, please include a reference to the
        disclosure and summarize the WG discussion and conclusion on
        this issue.

    No.

  (1.e) How solid is the WG consensus behind this document? Does it
        represent the strong concurrence of a few individuals, with
        others being silent, or does the WG as a whole understand and
        agree with it?

    WG consensus on this document seems mature and pretty robust.


  (1.f) Has anyone threatened an appeal or otherwise indicated extreme
        discontent? If so, please summarise the areas of conflict in
        separate email messages to the Responsible Area Director. (It
        should be in a separate email because this questionnaire is
        entered into the ID Tracker.)

    No.

  (1.g) Has the Document Shepherd personally verified that the
        document satisfies all ID nits? (See the Internet-Drafts Checklist
        and http://tools.ietf.org/tools/idnits/). Boilerplate checks are
        not enough; this check needs to be thorough. Has the document
        met all formal review criteria it needs to, such as the MIB
        Doctor, media type and URI type reviews?

    Yes. There were a few minor warnings which have been justified.

  (1.h) Has the document split its references into normative and
        informative? Are there normative references to documents that
        are not ready for advancement or are otherwise in an unclear
        state? If such normative references exist, what is the
        strategy for their completion? Are there normative references
        that are downward references, as described in [RFC3967]? If
        so, list these downward references to support the Area
        Director in the Last Call procedure for them [RFC3967].

    Yes. All normative references are stable and OK.

  (1.i) Has the Document Shepherd verified that the document IANA
        consideration section exists and is consistent with the body
        of the document? If the document specifies protocol
        extensions, are reservations requested in appropriate IANA
        registries? Are the IANA registries clearly identified? If
        the document creates a new registry, does it define the
        proposed initial contents of the registry and an allocation
        procedure for future registrations? Does it suggest a
        reasonable name for the new registry? See [RFC5226]. If the
        document describes an Expert Review process has Shepherd
        conferred with the Responsible Area Director so that the IESG
        can appoint the needed Expert during the IESG Evaluation?

    Yes.

  (1.j) Has the Document Shepherd verified that sections of the
        document that are written in a formal language, such as XML
        code, BNF rules, MIB definitions, etc., validate correctly in
        an automated checker?

    Did run the ABNF through BAP (http://tools.ietf.org/tools/bap/) and
    validated correctly with no errors.

  (1.k) The IESG approval announcement includes a Document
        Announcement Write-Up. Please provide such a Document
        Announcement Write-Up? Recent examples can be found in the
        "Action" announcements for approved documents. The approval
        announcement contains the following sections:

     Technical Summary
        Relevant content can frequently be found in the abstract
        and/or introduction of the document. If not, this may be
        an indication that there are deficiencies in the abstract
        or introduction.

    This document defines the concept of an "origin", which is often used
    as the scope of authority or privilege by user agents.  Typically,
    user agents isolate content retrieved from different origins to
    prevent malicious web site operators from interfering with the
    operation of benign web sites.  In addition to outlining the
    principles that underlie the concept of origin, this document defines
    how to determine the origin of a URI, how to serialize an origin into
    a string, and an HTTP header, named "Origin", that indicates which
    origins are associated with an HTTP request.

     Working Group Summary
        Was there anything in WG process that is worth noting? For
        example, was there controversy about particular points or
        were there decisions where the consensus was particularly
        rough?

    There was nothing particular worth noting about the WG process.
    No strong controversy for this document.
    The document received sufficient review from WG and non-WG members.
    Furthermore, reviews also covered document versions before their
    adoption by the WG or even prior to the formation of the websec WG,
    (draft-abarth-origin and draft-abarth-principles-of-origin).

     Document Quality
        Are there existing implementations of the protocol? Have a
        significant number of vendors indicated their plan to
        implement the specification? Are there any reviewers that
        merit special mention as having done a thorough review,
        e.g., one that resulted in important changes or a
        conclusion that the document had no substantive issues? If
        there was a MIB Doctor, Media Type or other expert review,
        what was its course (briefly)? In the case of a Media Type
        review, on what date was the request posted?

    The origin concept is widely used in the web browser and application
    environment to determine trusted sources. Still it may be noteworthy
    that some current implementations of the origin concept may differ
    in whether all three elements of the origin-tupel must be identical
    to constitute identity of origin. In some current browser
    implementations scheme or port (for example) may receive less weight.



Back