Telechat Review of draft-ietf-httpapi-deprecation-header-08
review-ietf-httpapi-deprecation-header-08-secdir-telechat-sparks-2024-09-13-00
Field | Value
---|---
Request | Review of draft-ietf-httpapi-deprecation-header
Requested revision | No specific revision (document currently at 09)
Type | Telechat Review
Team | Security Area Directorate (secdir)
Deadline | 2024-09-17
Requested | 2024-09-12
Authors | Sanjay Dalal, Erik Wilde
I-D last updated | 2024-09-13
Completed reviews | Genart Last Call review of -06 by Robert Sparks; Artart Last Call review of -07 by Julian Reschke; Secdir Telechat review of -08 by Robert Sparks
Assignment | Reviewer: Robert Sparks
State | Completed
Request | Telechat review on draft-ietf-httpapi-deprecation-header by Security Area Directorate Assigned
Posted at | https://mailarchive.ietf.org/arch/msg/secdir/6oF9oS7RKmIKeaPoAfn6ShQaM5Y
Reviewed revision | 08 (document currently at 09)
Result | Has nits
Completed | 2024-09-13
I was also the genart reviewer for this document. See that review at https://datatracker.ietf.org/doc/review-ietf-httpapi-deprecation-header-06-genart-lc-sparks-2024-08-29/. I was hoping another reviewer could make comments about the security aspects of this document, so I didn't emphasize that in my genart review.

With the security lens in mind: This document provides a mechanic to transport a date and a pointer to information to the humans, ostensibly the developers, behind applications using HTTP resources about the deprecation of those resources. The use of HTTP and HTTPS mitigates risks of attacks on the date and pointer themselves.

There's no behavior specified that insists clients do, or don't do, something different when the deprecation date passes. There is some text that reinforces that this is information from the (operators of the) server (or should that be the administrators of the resources?) and that _servers_ shouldn't act differently, other than providing the information, because they are using the header.

I can't think of anything further that could be said about the human use of the information pointed to given what the document specifies.

(I've indicated "has nits" as I still think it might be possible to more clearly say "who is this for" in several places.)

RjS
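An added example, not part of Sparks's review or of the draft's own code, showing the client-side handling the review describes: the date and the pointer are surfaced to developers, and request handling is otherwise unchanged. It assumes the wire forms used by the draft (a Structured Fields Date, `@` plus Unix seconds, in Deprecation, and the pointer as a Link with rel="deprecation"), neither of which this review page itself states; the response headers are constructed sample data.

```python
import re
from datetime import datetime, timezone

# Constructed sample response headers (not taken from the review). Assumed wire
# forms: Deprecation carries a Structured Fields Date ("@" + Unix seconds) and the
# pointer to human-readable information travels as a Link with rel="deprecation".
SAMPLE_HEADERS = {
    "Deprecation": "@1688169599",
    "Link": '<https://developer.example.com/deprecation>; rel="deprecation", '
            '<https://example.com/other>; rel="alternate"',
    "Content-Type": "application/json",
}


def parse_deprecation_date(value):
    """Parse an sf-date ('@' then integer seconds); anything else yields None
    rather than a guess, so a malformed header cannot alter client behaviour."""
    m = re.fullmatch(r"\s*@(-?\d+)\s*", value or "")
    if not m:
        return None
    return datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)


def find_link(link_header, rel):
    """Return the first target URI in a Link header whose rel list contains `rel`
    (comma-splitting is sufficient for target URIs without literal commas)."""
    for member in (link_header or "").split(","):
        m = re.match(r"\s*<([^>]*)>(.*)", member)
        if not m:
            continue
        uri, params = m.groups()
        for param in params.split(";"):
            name, _, val = param.strip().partition("=")
            if name.lower() == "rel" and rel in val.strip().strip('"').lower().split():
                return uri
    return None


def deprecation_notice(headers, now_unix):
    """Build a developer-facing notice from the two values the header transports.
    The caller keeps sending requests exactly as before: nothing here changes
    retries, routing or the handling of the response body."""
    when = parse_deprecation_date(headers.get("Deprecation"))
    if when is None:
        return None
    already = when.timestamp() <= now_unix
    info = find_link(headers.get("Link"), "deprecation")
    text = f"resource {'was' if already else 'will be'} deprecated at {when.isoformat()}"
    if info:
        text += f"; details for developers: {info}"
    return {"deprecated_at": when.isoformat(), "already": already, "info": info, "text": text}
```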