Last Call Review of draft-ietf-secevent-http-push-10
review-ietf-secevent-http-push-10-opsdir-lc-clarke-2020-05-14-00
| Request | Review of draft-ietf-secevent-http-push |
|---|---|
| Requested revision | No specific revision (document currently at 14) |
| Type | Last Call Review |
| Team | Ops Directorate (opsdir) |
| Deadline | 2020-05-13 |
| Requested | 2020-04-29 |
| Authors | Annabelle Backman, Michael B. Jones, Marius Scurtescu, Morteza Ansari, Anthony Nadalin |
| I-D last updated | 2020-05-14 |
| Completed reviews | Secdir Last Call review of -10 by Valery Smyslov; Genart Last Call review of -10 by Vijay K. Gurbani; Opsdir Last Call review of -10 by Joe Clarke; Secdir Telechat review of -12 by Valery Smyslov |
| Assignment | Reviewer: Joe Clarke |
| State | Completed |
| Request | Last Call review on draft-ietf-secevent-http-push by Ops Directorate, assigned |
| Posted at | https://mailarchive.ietf.org/arch/msg/ops-dir/99nBWTXk8hUjARlGbOOhq9As8-g |
| Reviewed revision | 10 (document currently at 14) |
| Result | Ready |
| Completed | 2020-05-14 |
I have been asked to review this document on behalf of the Ops Directorate. This document describes how to use a push-based method (with HTTP POST) to deliver Security Event Tokens (SETs). Overall, I think this document is ready. It's easy to read, offers clear examples, and discusses various operational issues such as processing required and mitigation of potential DoS attacks.

In my reading of the document, I did find a few nits or things I think may want a bit more attention:

Section 2: The phrase "business logic" is nebulous. It may be sufficient to say, "anything beyond" the required validation steps. Then you can say further logic to process SETs SHOULD be executed asynchronously.

===

Section 2.3: In your error examples, especially the second one, is HTTP 400 always the right error code? I was thinking 403 in this case.

===

Section 2.4: Similar to my comment above, should this table have recommended HTTP codes? I was thinking invalid_request==422, invalid_key==400, authentication_failed==403, and access_denied==403.

===

Section 6: Typo s/Transmistters/Transmitters/
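To make the two review points concrete (do only the required validation on the request path and push everything else to asynchronous processing; give each error code in the Section 2.4 table a distinct HTTP status), here is an added, stdlib-only Python sketch of a SET Recipient's push endpoint logic. It is example code, not the draft's or the reviewer's. Assumptions: SETs are HS256-signed JWTs with `typ` `secevent+jwt` so no crypto library is needed; the transmitter authenticates with a bearer token that is bound to one issuer; the error body is a JSON object with `err` and `description` members; the HTTP status per error code follows the reviewer's suggested mapping (the draft itself answers 400); mapping a signature or `aud` mismatch to `invalid_request`, and re-acknowledging a replayed `jti` with 202 instead of re-queueing it, are this example's own choices.

```python
"""Toy SET Recipient for push delivery (added example; not the draft's code).
Stdlib only: SETs are HS256-signed, so verification needs no extra library."""
import base64
import hashlib
import hmac
import json
import time

# Error codes from the draft's section 2.4 table. The HTTP status per code is the
# reviewer's suggestion (an assumption here); the draft itself answers 400.
STATUS_FOR_ERR = {
    "invalid_request": 422,
    "invalid_key": 400,
    "authentication_failed": 403,
    "access_denied": 403,
}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_set(kid, key, iss, aud, jti, events):
    """Build an HS256-signed SET (a JWT whose typ is secevent+jwt). Used here
    only to construct sample input for the recipient below."""
    header = {"alg": "HS256", "typ": "secevent+jwt", "kid": kid}
    claims = {"iss": iss, "aud": aud, "jti": jti, "iat": int(time.time()), "events": events}
    signing_input = "{}.{}".format(
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
    )
    tag = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(tag)


class SetRecipient:
    """Performs only the validation the draft requires on the request path and
    hands accepted SETs to a queue; any further logic is left to async workers."""

    def __init__(self, keys, transmitters, own_aud):
        self.keys = keys                  # kid -> HMAC key accepted for signing
        self.transmitters = transmitters  # bearer token -> issuer it may push for
        self.own_aud = own_aud
        self.seen_jti = set()
        self.queue = []                   # accepted SET claims awaiting processing

    @staticmethod
    def _error(code, description):
        # Error responses carry a JSON body with err and description members.
        return STATUS_FOR_ERR[code], {"err": code, "description": description}

    def handle_push(self, authorization, content_type, body):
        # 1. Authenticate the SET Transmitter (bearer token, assumed scheme).
        if not authorization.startswith("Bearer "):
            return self._error("authentication_failed", "missing bearer token")
        issuer_allowed = self.transmitters.get(authorization[len("Bearer "):])
        if issuer_allowed is None:
            return self._error("authentication_failed", "unknown bearer token")
        # 2. The body must be exactly one SET in JWT compact serialization.
        if content_type != "application/secevent+jwt":
            return self._error("invalid_request", "unexpected Content-Type")
        try:
            h64, c64, s64 = body.split(".")
            header = json.loads(_b64url_decode(h64))
            claims = json.loads(_b64url_decode(c64))
            signature = _b64url_decode(s64)
        except (ValueError, UnicodeDecodeError):
            return self._error("invalid_request", "body is not a compact JWT")
        if not isinstance(header, dict) or not isinstance(claims, dict):
            return self._error("invalid_request", "header or claims is not an object")
        if header.get("typ") != "secevent+jwt" or header.get("alg") != "HS256":
            return self._error("invalid_request", "not an HS256 SET")
        # 3. The signing key must be one this recipient accepts.
        key = self.keys.get(header.get("kid"))
        if key is None:
            return self._error("invalid_key", "unknown kid %r" % header.get("kid"))
        expected = hmac.new(key, (h64 + "." + c64).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return self._error("invalid_request", "signature does not verify")
        # 4. Authorization: the transmitter may push only for its own issuer, and
        #    the SET must be addressed to this recipient.
        if claims.get("iss") != issuer_allowed:
            return self._error("access_denied", "transmitter may not push for this issuer")
        aud = claims.get("aud")
        if self.own_aud not in (aud if isinstance(aud, list) else [aud]):
            return self._error("invalid_request", "aud does not identify this recipient")
        if "jti" not in claims or "events" not in claims:
            return self._error("invalid_request", "missing jti or events")
        # 5. Acknowledge with 202 and an empty body. A replayed jti is acknowledged
        #    again without re-queueing, so a retry after a lost 202 is harmless.
        if claims["jti"] not in self.seen_jti:
            self.seen_jti.add(claims["jti"])
            self.queue.append(claims)
        return 202, None
```

The point of `handle_push` is what it does not do: it never touches the event payload beyond confirming `events` is present, so the response is fast and bounded, and a slow consumer cannot hold the transmitter's connection open. With the reviewer's mapping a transmitter can tell a credential problem (403) from a malformed or wrongly addressed SET (422) without parsing the JSON body, which is the operational gain of distinct status codes.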