Skip to main content

Last Call Review of draft-ietf-httpapi-deprecation-header-06
review-ietf-httpapi-deprecation-header-06-genart-lc-sparks-2024-08-29-00

Request Review of draft-ietf-httpapi-deprecation-header
Requested revision No specific revision (document currently at 07)
Type Last Call Review
Team General Area Review Team (Gen-ART) (genart)
Deadline 2024-09-06
Requested 2024-08-23
Authors Sanjay Dalal , Erik Wilde
I-D last updated 2024-08-29
Completed reviews Genart Last Call review of -06 by Robert Sparks (diff)
Assignment Reviewer Robert Sparks
State Completed
Request Last Call review on draft-ietf-httpapi-deprecation-header by General Area Review Team (Gen-ART) Assigned
Posted at https://mailarchive.ietf.org/arch/msg/gen-art/k9AI4qpTnBqE2PJLdxWEJDJco7w
Reviewed revision 06 (document currently at 07)
Result Almost ready
Completed 2024-08-29
review-ietf-httpapi-deprecation-header-06-genart-lc-sparks-2024-08-29-00
I am the assigned Gen-ART reviewer for this draft. The General Area
Review Team (Gen-ART) reviews all IETF documents being processed
by the IESG for the IETF Chair.  Please treat these comments just
like any other last call comments.

For more information, please see the FAQ at

<https://wiki.ietf.org/en/group/gen/GenArtFAQ>.

Document: draft-ietf-httpapi-deprecation-header-06
Reviewer: Robert Sparks
Review Date: 2024-08-29
IETF LC End Date: 2024-09-06
IESG Telechat date: Not scheduled for a telechat

Summary:Almost Ready for publication as a Proposed Standard (?) RFC

Why is this standards track? The shepherd's writeup explanation of "that makes
sense since it defines a new HTTP header field" seems at odds with RFC8594
being Informational. Should that have been standards track?

Generally, the document would benefit from an editorial pass further clarifying
when it is talking about an application or a developer. There are many points
where it says application or client when it means developer. Some key
instances: * Introduction: "informs applications about the risk" * Security
considerations "Applications consuming the resource SHOULD check the referred
resource documentation to verify authenticity and accuracy." * Security
considerations "Therefore, applications consuming the resource SHOULD, if
possible, consult the resource developer to discuss potential impact due to
deprecation and plan for possible transition to a recommended resource(s)"

There is a contradiction between section 5's "Deprecated resources SHOULD keep
functioning as before" and the Security Consideration's "Deprecated resources
MUST function (almost) as before,"

In both cases, "function as before" is not really what you mean. "function as
they would have without sending the deprecation header" is closer. As written,
(particularly if the MUST above is what you intend), this puts an unverifiable
requirement on the resource. I suggest changing the language similar to what I
suggested you mean. Or, better, step back and reformulate this as a simple
statement that the presence of a Deprecation header is not meant to signal a
change in the meaning or function of a resource in the context of this
response, and avoid using 2119 keywords.

I realize that Appendix A won't appear in the resulting RFC, but the drafts
will still be in the archive. Calling an internet draft an implementation and
an organization is just strange. Revising the draft to use a separate section
(or just a sentence) to say draft-loffredo-regex-rdap-jcard-deprecation is a
specification that says to use this mechanic would make more sense than listing
it as an implementation.

Since the WG felt using structured fields was important for this header,
consider creating a Structured-Sunset header field.