The Atom Syndication Format
draft-ietf-atompub-format-11
Revision differences
Document history
Date | Rev. | By | Action |
---|---|---|---|
2012-08-22
|
11 | (System) | post-migration administrative database adjustment to the No Objection position for Sam Hartman |
2012-08-22
|
11 | (System) | post-migration administrative database adjustment to the No Objection position for Ted Hardie |
2012-08-22
|
11 | (System) | post-migration administrative database adjustment to the No Objection position for Russ Housley |
2005-08-23
|
11 | Amy Vezza | State Changes to RFC Ed Queue from Approved-announcement sent by Amy Vezza |
2005-08-17
|
11 | Amy Vezza | IESG state changed to Approved-announcement sent |
2005-08-17
|
11 | Amy Vezza | IESG has approved the document |
2005-08-17
|
11 | Amy Vezza | Closed "Approve" ballot |
2005-08-16
|
11 | Scott Hollenbeck | State Changes to Approved-announcement to be sent from IESG Evaluation::AD Followup by Scott Hollenbeck |
2005-08-16
|
11 | Ted Hardie | [Ballot Position Update] Position for Ted Hardie has been changed to No Objection from Discuss by Ted Hardie |
2005-08-16
|
11 | (System) | New version available: draft-ietf-atompub-format-11.txt |
2005-07-14
|
11 | Russ Housley | [Ballot Position Update] Position for Russ Housley has been changed to No Objection from Discuss by Russ Housley |
2005-07-14
|
11 | (System) | Sub state has been changed to AD Follow up from New Id Needed |
2005-07-14
|
10 | (System) | New version available: draft-ietf-atompub-format-10.txt |
2005-07-11
|
11 | Sam Hartman | [Ballot Position Update] Position for Sam Hartman has been changed to No Objection from Discuss by Sam Hartman |
2005-07-07
|
11 | Amy Vezza | State Changes to IESG Evaluation::Revised ID Needed from IESG Evaluation by Amy Vezza |
2005-07-07
|
11 | (System) | [Ballot Position Update] New position, No Objection, has been recorded for Allison Mankin by IESG Secretary |
2005-07-07
|
11 | Alex Zinin | [Ballot Position Update] New position, No Objection, has been recorded for Alex Zinin by Alex Zinin |
2005-07-06
|
11 | Bert Wijnen | [Ballot Position Update] New position, No Objection, has been recorded for Bert Wijnen by Bert Wijnen |
2005-07-06
|
11 | (System) | State Changes to IESG Evaluation from IESG Evaluation - Defer by system |
2005-07-05
|
11 | Sam Hartman | [Ballot discuss] My discuss overlaps with Russ's discuss but I'm asking for more than he believes is necessary so I'm filing my own discuss. The … [Ballot discuss] My discuss overlaps with Russ's discuss but I'm asking for more than he believes is necessary so I'm filing my own discuss. The current text allows documents to be encrypted but not integrity protected. Allowing encryption without integrity protection allows encrypted documents to be modified by an attacker in ways predictable to the attacker. The only sign of modification for the algorithms being used here will be one garbled block; this can be hidden in various ways. I believe this creates a security problem because it violates the principle of least surprise. People who send encrypted content understand that if they don't sign it, someone else can send different encrypted content instead. However people assume that since an attacker cannot read their encrypted content they cannot modify it in predictable ways. Other messaging formats within the IETF do not solve this problem. Russ claims that S/MIME is vulnerable to this attack. I think PGP is vulnerable although the analysis is harder because of how PGP is used and because it uses CFB not CBC. I believe this problem is relatively easy to fix. So I believe the atom document needs to mandate a fix even though we have decided for some older formats that the problem didn't need to be fixed there. There seem to be three possible solutions all of reasonable complexity given that encryption is supported at all: * Require signatures whenever encryption is used. The signature needs to be on the plaintext not the ciphertext. It is OK for the signature to be made with a self-signed certificate or fresh public key; the verifier need only verify the signature not (in this instance) the certificate. * Allow the document to use the xmldsig MAC operation. The key management needs to be the same as for the encryption. The mac needs to be of the plaintext not ciphertext. * Include a hash of the plaintext of the document within the document. Minimal algorithm negotiation is needed. The first option is probably easiest but will make anonymous encryption hard. The second option is in some sense the best but involves the most complexity. The third option seems relatively easy to implement although a bit tricky to specify. The third option allows for anonymous encryption like the second. |
2005-07-05
|
11 | Sam Hartman | [Ballot Position Update] New position, Discuss, has been recorded for Sam Hartman by Sam Hartman |
2005-06-30
|
11 | Russ Housley | [Ballot discuss] Section 5 does not provide sufficient detail for interoperability. Unfortunately, the complexity of XML and the variety of contexts in which … [Ballot discuss] Section 5 does not provide sufficient detail for interoperability. Unfortunately, the complexity of XML and the variety of contexts in which it is used made it impossible for the XMLDSIG WG to come up with one set of canonicalization rules that are "distinguished." By distinguished, I mean that there is exactly one way to represent the XML object. There are two canonicalization rule sets: the Canonical XML and the Exclusive XML Canonicalization. Specify which one is mandatory-to-implement. Section 5 should tell the reader when the use of digital signatures and encryption are desirable. Also, I would like to see mandatory- to-implement algorithms specified. If appropriate, use MUST- and SHOULD+ as they were defined by the IPsec WG to tell implementors about future algorithm requirements. In section 5, please state the order of the nesting if both digital signature and encryption are used. I believe that signing the plaintext is the correct ordering in this situation. Since XML encryption does not provide integrity, it is important to use XML digital signature whenever encryption is used. When a digital signature algorithm is used, this should be straightforward; however, the XML digital signature specification also supports message authentication codes (MACs). When MACs are used, the symmetric keys for the encryption and the MAC calculation need to use the same key management technique. When digital signatures are used, the recipient must have a way to verify the public key of the signer. This is usually done with a certificate. Section 8.5 needs to be expanded. When digital signature or encryption are used, what threats do they protect against? |
2005-06-30
|
11 | Russ Housley | [Ballot Position Update] New position, Discuss, has been recorded for Russ Housley by Russ Housley |
2005-06-24
|
11 | Ted Hardie | [Ballot discuss] There are several places in the document where the text talks about dereferencing IRIs (see, for example 4.2.4). While I believe I understand … [Ballot discuss] There are several places in the document where the text talks about dereferencing IRIs (see, for example 4.2.4). While I believe I understand the shorthand here, we need to be somewhat careful in how we describe this. For HTTP, as an example, any IRI that did not also conform to the URI spec (that is to RFC 3986/STD 66) would have to go through the mapping steps in RFC 3987, section 3.1, before dereferencing. This is true for any protocol which does not support IRIs natively. I believe that this needs to be highlighted in the document and the text on dereferencing shifted to "dereferencing the URI". Please understand that I have no objections to the use of IRIs as identifiers here, and I believe that the IRI comparison rules are fine. But for protocol processing, which is what "dereferencing" will imply to most readers, current schemes use URIs as described in 3986; we need to make that clear so that the work in 3987 on how to do the mapping gets invoked correctly. |
2005-06-24
|
11 | (System) | Removed from agenda for telechat - 2005-06-23 |
2005-06-23
|
11 | Russ Housley | State Changes to IESG Evaluation - Defer from IESG Evaluation by Russ Housley |
2005-06-23
|
11 | Mark Townsley | [Ballot Position Update] New position, No Objection, has been recorded for Mark Townsley by Mark Townsley |
2005-06-23
|
11 | Brian Carpenter | [Ballot Position Update] New position, No Objection, has been recorded for Brian Carpenter by Brian Carpenter |
2005-06-22
|
11 | David Kessens | [Ballot Position Update] New position, No Objection, has been recorded for David Kessens by David Kessens |
2005-06-22
|
11 | Jon Peterson | [Ballot Position Update] New position, No Objection, has been recorded for Jon Peterson by Jon Peterson |
2005-06-22
|
11 | Bill Fenner | [Ballot Position Update] New position, No Objection, has been recorded for Bill Fenner by Bill Fenner |
2005-06-21
|
11 | Ted Hardie | [Ballot discuss] There are several places in the document where the text talks about dereferencing IRIs (see, for example 4.2.4). While I believe I understand … [Ballot discuss] There are several places in the document where the text talks about dereferencing IRIs (see, for example 4.2.4). While I believe I understand the shorthand here, we need to be somewhat careful in how we describe this. For HTTP, as an example, any IRI that did not also conform to the URI spec (that is to RFC 3986/STD 66) would have to go through the mapping steps in RFC 3987, section 3.1, before dereferencing. This is true for any scheme which does not support IRIs natively. I believe that this needs to be highlighted in the document and the text on dereferencing shifted to "dereferencing the URI". Please understand that I have no objections to the use of IRIs as identifiers here, and I believe that the IRI comparison rules are fine. But for protocol processing, which is what "dereferencing" will imply to most readers, current schemes use URIs as described in 3986; we need to make that clear so that the work in 3987 on how to do the mapping gets invoked correctly. |
2005-06-21
|
11 | Ted Hardie | [Ballot discuss] There are several places in the document where the text talks about dereferencing IRIs (see, for example 4.2.4). While I believe I understand … [Ballot discuss] There are several places in the document where the text talks about dereferencing IRIs (see, for example 4.2.4). While I believe I understand the shorthand here, we need to be somewhat careful in how we describe this. For HTTP, as an example, any IRI that did not also conform to the URI spec (that is to RFC 3986/STD 66) would have to go through the mapping steps in RFC 3987, section 3.1, before dereferencing. This is true for any scheme which does not support IRIs natively. I believe that this needs to be highlighted in the document and the text on dereferencing shifted to "dereferencing the URI". Please understand that I have no objections to the use of IRIs as identifiers here, but for protocol processing, current schemes use URIs as described in 3986; we need to make that clear so that the work in 3987 on how to do the mapping gets invoked correctly. |
2005-06-21
|
11 | Ted Hardie | [Ballot Position Update] Position for Ted Hardie has been changed to Discuss from Undefined by Ted Hardie |
2005-06-21
|
11 | Ted Hardie | [Ballot comment] The document says: 3.1.1 The "type" Attribute Text constructs MAY have a "type" attribute. When present, the value MUST be one … [Ballot comment] The document says: 3.1.1 The "type" Attribute Text constructs MAY have a "type" attribute. When present, the value MUST be one of "text", "html" or "xhtml". If the "type" attribute is not provided, Atom Processors MUST behave as though it were present with a value of "text". MIME media types [MIMEREG] MUST NOT be used as values for the "type" attribute. and Later: 4.1.3.1 The "type" attribute On the atom:content element, the value of the "type" attribute MAY be one of "text", "html", or "xhtml". Failing that, it MUST be a MIME media type, but MUST NOT be a composite type (see Section 4.2.6 of [MIMEREG]). If the type attribute is not provided, Atom Processors MUST behave as though it were present with a value of "text". While I understand that the 4.1.3.1 text applies to atom:content rather than more generally, given the MUST NOT vs. MUST here I strongly encourage some further efforts to clarify this apparent contradiction. The first could have a forward pointer to the second as a note, the second to the first as a note, or the names could be disambiguated in some way. I don't see this as blocking, but I believe it would be very useful to get this somewhat clearer. |
2005-06-21
|
11 | Ted Hardie | [Ballot Position Update] New position, Undefined, has been recorded for Ted Hardie by Ted Hardie |
2005-06-21
|
11 | Margaret Cullen | [Ballot Position Update] New position, No Objection, has been recorded for Margaret Wasserman by Margaret Wasserman |
2005-06-09
|
11 | Scott Hollenbeck | [Ballot Position Update] New position, Yes, has been recorded for Scott Hollenbeck |
2005-06-09
|
11 | Scott Hollenbeck | Ballot has been issued by Scott Hollenbeck |
2005-06-09
|
11 | Scott Hollenbeck | Created "Approve" ballot |
2005-06-09
|
11 | Scott Hollenbeck | Placed on agenda for telechat - 2005-06-23 by Scott Hollenbeck |
2005-06-09
|
11 | Scott Hollenbeck | State Changes to IESG Evaluation from Waiting for AD Go-Ahead::AD Followup by Scott Hollenbeck |
2005-06-08
|
11 | (System) | Sub state has been changed to AD Follow up from New Id Needed |
2005-06-08
|
09 | (System) | New version available: draft-ietf-atompub-format-09.txt |
2005-05-05
|
11 | Scott Hollenbeck | State Changes to Waiting for AD Go-Ahead::Revised ID Needed from Waiting for AD Go-Ahead by Scott Hollenbeck |
2005-05-04
|
11 | (System) | State has been changed to Waiting for AD Go-Ahead from In Last Call by system |
2005-04-28
|
11 | Michelle Cotton | IANA Last Call Comments: Upon approval of this document the IANA will register the MIME media type application/atom+xml. A Registry of Link Relations will be … IANA Last Call Comments: Upon approval of this document the IANA will register the MIME media type application/atom+xml. A Registry of Link Relations will be created and will include the five initial values described in this document. |
2005-04-20
|
11 | Amy Vezza | Last call sent |
2005-04-20
|
11 | Amy Vezza | State Changes to In Last Call from Last Call Requested by Amy Vezza |
2005-04-20
|
11 | Scott Hollenbeck | State Changes to Last Call Requested from AD Evaluation::AD Followup by Scott Hollenbeck |
2005-04-20
|
11 | Scott Hollenbeck | Last Call was requested by Scott Hollenbeck |
2005-04-20
|
11 | (System) | Ballot writeup text was added |
2005-04-20
|
11 | (System) | Last call text was added |
2005-04-20
|
11 | (System) | Ballot approval text was added |
2005-04-20
|
11 | Scott Hollenbeck | Some additional words are needed in the IANA Considerations section to help guide the IESG in the attribute value approval process, but that can wait … Some additional words are needed in the IANA Considerations section to help guide the IESG in the attribute value approval process, but that can wait until after IETF last call. Explicit mention of internationalization considerations might be needed, but I'll leave that to see what the community has to say. |
2005-04-19
|
11 | (System) | Sub state has been changed to AD Follow up from New Id Needed |
2005-04-19
|
08 | (System) | New version available: draft-ietf-atompub-format-08.txt |
2005-04-12
|
11 | Scott Hollenbeck | State Changes to AD Evaluation::Revised ID Needed from AD Evaluation by Scott Hollenbeck |
2005-04-05
|
11 | Scott Hollenbeck | [Note]: 'Paul Hoffman is the shepherd for the atompub working group.' added by Scott Hollenbeck |
2005-04-05
|
11 | Scott Hollenbeck | AD Review Comments/Questions: The document includes an informative RELAX NG schema and several examples. What has been done to confirm that the schema is free … AD Review Comments/Questions: The document includes an informative RELAX NG schema and several examples. What has been done to confirm that the schema is free of errors and that all of the examples given in the document are valid according to the schema? (I could check an XML Schema myself, but I don't have the tools I need to check RELAX NG.) Sections 1.1, 1.2: RFC 3688/BCP 81 describes IETF practice for naming XML namespaces. Why are namespace URIs (such as http://purl.org) that don't conform to this practice being used? Section 1.2: please reference draft-crocker-abnf-rfc2234bis-00.txt instead of RFC 2234 and confirm that everything that was valid before is still valid. The IESG approved this document as a Draft Standard last week. Section 2 describes a requirement for well-formedness, but it doesn't mention validity. I suspect that validity isn't a requirement given that the RELAX NG schema is informative, but it would be better if a specific statement were included to note that validity is not a requirement. Section 4: RFC 2045 is referenced. 2045 is on its way to being obsoleted by draft-freed-mime-p4 (in the RFC Editor queue) and draft-freed-media-type-reg (in last call). Can the more recent documents be referenced instead of 2045? The MIME media type registration template included in section 7 MUST be submitted to the ietf-types list (ietf-types@alvestrand.no) for review. A two-week review period is standard for requests to register new types in the standards tree. Please see the list archives [1] for samples if help is needed in crafting a review request and please send the request ASAP. Section 7.1: what process is the IESG supposed to use to review registration requests? Please see section 2 of RFC 2434/BCP 26 for mechanisms that might be used and please specify one in the document. -Scott- [1] http://eikenes.alvestrand.no/pipermail/ietf-types/ |
2005-04-05
|
11 | Scott Hollenbeck | State Changes to AD Evaluation from Publication Requested by Scott Hollenbeck |
2005-04-05
|
11 | Scott Hollenbeck | Draft Added by Scott Hollenbeck in state Publication Requested |
2005-04-04
|
07 | (System) | New version available: draft-ietf-atompub-format-07.txt |
2005-03-15
|
06 | (System) | New version available: draft-ietf-atompub-format-06.txt |
2005-01-27
|
05 | (System) | New version available: draft-ietf-atompub-format-05.txt |
2005-01-11
|
04 | (System) | New version available: draft-ietf-atompub-format-04.txt |
2004-10-21
|
03 | (System) | New version available: draft-ietf-atompub-format-03.txt |
2004-09-07
|
02 | (System) | New version available: draft-ietf-atompub-format-02.txt |
2004-07-19
|
01 | (System) | New version available: draft-ietf-atompub-format-01.txt |
2004-07-09
|
00 | (System) | New version available: draft-ietf-atompub-format-00.txt |