
Telechat Review of draft-ietf-httpapi-deprecation-header-08
review-ietf-httpapi-deprecation-header-08-secdir-telechat-sparks-2024-09-13-00

Request: Review of draft-ietf-httpapi-deprecation-header
Requested revision: No specific revision (document currently at 09)
Type: Telechat Review
Team: Security Area Directorate (secdir)
Deadline: 2024-09-17
Requested: 2024-09-12
Authors: Sanjay Dalal, Erik Wilde
I-D last updated: 2024-09-13
Completed reviews:
  Genart Last Call review of -06 by Robert Sparks (diff)
  Artart Last Call review of -07 by Julian Reschke (diff)
  Secdir Telechat review of -08 by Robert Sparks (diff)
Assignment: Reviewer Robert Sparks
State: Completed
Request: Telechat review on draft-ietf-httpapi-deprecation-header by Security Area Directorate (Assigned)
Posted at: https://mailarchive.ietf.org/arch/msg/secdir/6oF9oS7RKmIKeaPoAfn6ShQaM5Y
Reviewed revision: 08 (document currently at 09)
Result: Has nits
Completed: 2024-09-13
I was also the genart reviewer for this document. See that review at
https://datatracker.ietf.org/doc/review-ietf-httpapi-deprecation-header-06-genart-lc-sparks-2024-08-29/.

I was hoping another reviewer could make comments about the security aspects of
this document, so I didn't emphasize that in my genart review. With the
security lens in mind:

This document provides a mechanism to transport a date and a pointer to
information to the humans, ostensibly the developers, behind applications
using HTTP resources about the deprecation of those resources. The use of HTTP
and HTTPS mitigates risks of attacks on the date and pointer themselves.

There's no behavior specified that insists clients do, or don't do, something
different when the deprecation date passes. There is some text that reinforces
that this is information from the (operators of the) server (or should that be
the administrators of the resources?) and that _servers_ shouldn't act
differently, other than providing the information, because they are using the
header.

I can't think of anything further that could be said about the human use of the
information pointed to given what the document specifies.

(I've indicated "has nits" as I still think it might be possible to more
clearly say "who is this for" in several places.)

RjS
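As an added example, not from the review, the draft, or its authors, the following shows how a client library could surface the two values the review describes (the deprecation date and the pointer to human-readable information) to developers without changing request behavior, which is the point the review makes about clients and the passing of the date. It assumes the wire syntax of the -08/-09 draft as the editor understands it: the Deprecation field carries a Structured Fields Date item ("@" followed by integer seconds since the epoch), and the pointer is a Link header with rel="deprecation". The review shows neither; earlier draft versions used an HTTP-date, which this parser deliberately rejects. All header values are constructed for the example.

```python
"""Client-side handling of the HTTP Deprecation header and Link rel="deprecation".

Added example; assumptions: Deprecation is an SF Date ("@<int>"), the pointer
is Link rel="deprecation". Nothing here alters how a request is made; the only
output is advisory text for the humans maintaining the client.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Mapping, Optional

# Structured Fields Date item: "@" then an integer (assumed wire form).
_SF_DATE = re.compile(r"^\s*@(-?\d{1,15})\s*$")
# One link-value: <target> followed by ;param[=value] pairs. Commas inside
# quoted parameter values are not handled; fine for rel="deprecation".
_LINK_VALUE = re.compile(r"<([^>]*)>((?:\s*;\s*[^;,]*)*)")


@dataclass
class DeprecationInfo:
    deprecated_at: Optional[datetime]   # None when the field is malformed
    is_past: bool                       # date <= now at parse time
    notice_url: Optional[str]           # first Link rel="deprecation" target
    warnings: List[str] = field(default_factory=list)


def _get(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup over a plain dict."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return None


def _link_targets(link_field: str, rel: str) -> List[str]:
    """Return targets of every link-value whose rel list contains `rel`."""
    found = []
    for m in _LINK_VALUE.finditer(link_field):
        target, params = m.group(1), m.group(2)
        for p in params.split(";"):
            if "=" not in p:
                continue
            k, v = p.split("=", 1)
            if k.strip().lower() == "rel":
                # rel may hold several space-separated relation types
                if rel in v.strip().strip('"').lower().split():
                    found.append(target)
    return found


def parse_deprecation(headers: Mapping[str, str],
                      now: Optional[datetime] = None) -> Optional[DeprecationInfo]:
    """Parse Deprecation (+ Link) from a response's headers.

    Returns None when no Deprecation field is present. A malformed date is
    recorded as a warning rather than raised: the header is advisory, and a
    bad value must not break the request that carried it.
    """
    raw = _get(headers, "Deprecation")
    if raw is None:
        return None
    now = now or datetime.now(timezone.utc)
    info = DeprecationInfo(deprecated_at=None, is_past=False, notice_url=None)
    m = _SF_DATE.match(raw)
    if m:
        try:
            info.deprecated_at = datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)
            info.is_past = info.deprecated_at <= now
        except (OverflowError, OSError, ValueError):
            info.warnings.append(f"Deprecation date out of range: {raw!r}")
    else:
        info.warnings.append(f"ignoring malformed Deprecation value {raw!r}")
    link = _get(headers, "Link")
    if link:
        targets = _link_targets(link, "deprecation")
        if targets:
            info.notice_url = targets[0]
    return info


def developer_notice(info: DeprecationInfo) -> str:
    """Advisory text for the people behind the client; never a control signal."""
    if info.deprecated_at is None:
        when = "at an unparseable date"
    else:
        stamp = info.deprecated_at.strftime("%Y-%m-%dT%H:%M:%SZ")
        when = f"since {stamp}" if info.is_past else f"from {stamp}"
    where = f"; see {info.notice_url}" if info.notice_url else ""
    return f"resource is deprecated {when}{where}"


if __name__ == "__main__":
    # Constructed sample response headers.
    sample = {
        "Deprecation": "@1688169599",
        "Link": '<https://example.com/deprecation-notice>; rel="deprecation", '
                '<https://example.com/v2>; rel="successor-version"',
    }
    print(developer_notice(parse_deprecation(sample)))
```

The parser keeps the date and the pointer as data for a log line or dashboard; whether the date has passed changes nothing about the request path, matching the review's observation that the draft specifies no client behavior at the deprecation date.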