Early Review of draft-ietf-alto-new-transport-07
review-ietf-alto-new-transport-07-secdir-early-eastlake-2023-03-28-00

Request Review of draft-ietf-alto-new-transport
Requested revision No specific revision (document currently at 22)
Type Early Review
Team Security Area Directorate (secdir)
Deadline 2023-03-28
Requested 2023-03-13
Requested by Mohamed Boucadair
Authors Kai Gao, Roland Schott, Y. Richard Yang, Lauren Delwiche, Lachlan Keller
I-D last updated 2023-03-28
Completed reviews Httpdir Last Call review of -14 by Martin Thomson (diff)
Secdir Last Call review of -15 by Donald E. Eastlake 3rd (diff)
Genart Last Call review of -15 by Linda Dunbar (diff)
Iotdir Telechat review of -17 by Wesley Eddy (diff)
Intdir Telechat review of -16 by Bob Halley (diff)
Artart Early review of -01 by Spencer Dawkins (diff)
Secdir Early review of -07 by Donald E. Eastlake 3rd (diff)
Opsdir Early review of -07 by Sheng Jiang (diff)
Rtgdir Early review of -07 by Russ White (diff)
Tsvart Early review of -07 by Dr. Bernard D. Aboba (diff)
Artart Early review of -07 by Spencer Dawkins (diff)
Httpdir Early review of -07 by Martin Thomson (diff)
Comments
The document is currently in the WGLC. Directorate review comments will be addressed as part of the WGLC. 

Thank you.
Assignment Reviewer Donald E. Eastlake 3rd
State Completed
Request Early review on draft-ietf-alto-new-transport by Security Area Directorate Assigned
Posted at https://mailarchive.ietf.org/arch/msg/secdir/faTLo_F1R9_FPG03Ea8knNsiar0
Reviewed revision 07 (document currently at 22)
Result Has nits
Completed 2023-03-28
I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG.  Document
editors and WG chairs should treat these comments just like any other
comments.

The summary of the review is Ready with Nits.

*Security:*

While I'm not all that into ALTO, it seems to me that this draft is all
about messages and message exchanges between ALTO entities where the
security (authentication, encryption, ...) has been specified in previous
standards track documents such as RFC 7285. There are a few additional
security considerations which seem to be well covered by the Security
Considerations section of this draft.

*Nits:*

Section 1.0, Page 4:
OLD
functioning for HTTP/1.x. TIPS also provides an ALTO server to
NEW
functioning for HTTP/1.x. TIPS also provides for an ALTO server to

Section 2.1.1, Page 8: Seems too vague. A sentence about tips-view-uri
wouldn't hurt. At the bottom it says "Use the URI as above". Which URI
above? What exactly does "use" mean?

Section 2.2, Page 9, Figure 3: Figure looks kind of incomplete. Shouldn't
there be arrows from R1 to R2/R3?

Section 2.3, Page 10: In the text on "Information Resource Directory" the
first sentence is confusing. What is the thing that is requested to
discover? Maybe you should replace "Requested" at the start of the sentence
with "Produced when a server is requested"...

Section 2.3, Page 11 at top: That's Figure 4, not 1.

Section 2.4, Page 12, 1st paragraph: I think a service runs "over" a
connection, not "inside" a connection.

Section 4.4, Page 23: Seems kind of feeble. How about, given that a
disconnect is treated as a DELETE, something like the following, which
probably implies that the server maintains a use count. (This document need
not mention such a count.)
OLD
set associated with the TIPS view. A server will not want to delete
NEW
set associated with the TIPS view. A server MUST NOT delete


Thanks,
Donald
===============================
 Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
 2386 Panoramic Circle, Apopka, FL 32703 USA
 d3e3e3@gmail.com