Last Call Review of draft-ietf-httpbis-p2-semantics-24
review-ietf-httpbis-p2-semantics-24-genart-lc-moriarty-2013-11-18-00

Request Review of draft-ietf-httpbis-p2-semantics
Requested rev. no specific revision (document currently at 26)
Type Last Call Review
Team General Area Review Team (Gen-ART) (genart)
Deadline 2013-11-04
Requested 2013-10-21
Draft last updated 2013-11-18
Completed reviews Genart Last Call review of -24 by Kathleen Moriarty (diff)
Genart Telechat review of -25 by Kathleen Moriarty (diff)
Assignment Reviewer Kathleen Moriarty
State Completed
Review review-ietf-httpbis-p2-semantics-24-genart-lc-moriarty-2013-11-18
Reviewed rev. 24 (document currently at 26)
Review result Ready
Review completed: 2013-11-18

Review
review-ietf-httpbis-p2-semantics-24-genart-lc-moriarty-2013-11-18

I am the assigned Gen-ART reviewer for this draft. For background on
Gen-ART, please see the FAQ at

<

http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>.

Please resolve these comments along with any other Last Call comments
you may receive.

Document: draft-ietf-httpbis-p2-semantics-24
Reviewer: Kathleen Moriarty
Review Date: November 18, 2013
IETF LC End Date: End of November
IESG Telechat date: (if known)

Summary:  The document has a number of run-on sentences that should be fixed.  I also found some security considerations that should be added to the document or referenced in other documents if they have been addressed.

Major issues:

Minor issues:  Security Considerations

Section 9.3:  You may want to include information that informs developers and users of SQL injection attacks.  Fields are still included in some URIs that link you to pages directly that contain personal information using consistent identifiers.  It would be helpful as this is still one of the biggest attack vectors.  A quick search on SQL injection URL will provide additional information for inclusion in the write up.  You mention GET-based forms in section 9.3, but it doesn't mention SQL injection attacks and information in the URIs.  Since this is so prevalent still, I think it is important to call out explicitly.

Section 9.4: HTTP User-Agent strings are also used within enterprise at a firewall or by  web servers to prevent the use of outdated browsers, ones with known security issues.  Since this section informs of the negative uses, this one would be important to include to provide a broader picture of how they may be used in a security context.  

User-agent strings are also used in threat detection as there may be a modification to a User-Agent string that helps incident response teams identify malware or comprised browsers.

Section 9 should also cover Man-in-the-middle and session hijacking attacks or point to a security consideration section that covers transport security considerations (authentication, encryption, logging, etc.).  If that is covered in another document, please state that and provide a link.  It would be worth including a reference within the introduction of 9 to Part 1 on Messaging Security Considerations, draft-ietf-httpbis-p1-messaging-17 as well.


Nits/editorial comments:

Section 1, second sentence:
No comma necessary before "via"
HTTP provides a uniform interface for interacting with a resource
   (Section 2), regardless of its type, nature, or implementation via
   the manipulation and transfer of representations

Section 3, paragraph 1, consider breaking the first sentence into two.

Second paragraph, break into multiple sentences.

Section 3.1.1.3:
Remove unnecessary comma after parse, change from:
An HTTP
   sender MAY generate, and a recipient MUST be able to parse, line
   breaks in text media that consist of CRLF, bare CR, or bare LF.
To: An HTTP
   sender MAY generate, and a recipient MUST be able to parse line
   breaks in text media that consist of CRLF, bare CR, or bare LF.

Section 3.1.4.1
Break #4 down into multiple sentences or a structure that is easier to parse.

Section 3.1.4.2: Several sentences are way too long, please consider breaking them into multiple sentences.

Section 3.3, paragraph 2, Break the second sentence into multiple sentences.  This could be listed as two examples without the comparison statement.

Section 3.4, last sentence,
While I appreciate the reference and found it humorous, this reference may not be easily understood by an international audience.  I suggest that you explain the recommendation in plain text, followed by the reference to reach all audiences.

Section 3.4.1, please break the last sentence into multiple sentences.

Section 3.4.2, please break the second to last paragraph into multiple sentences.

Section 4 starts using the word ought.  SHOULD would be more appropriate if that is what is intended as the statements refer to IANA actions and would be better read with well-defined terms.

Section 4.2.2, please break the second to last sentence into multiple sentences.

Section 4.3.4, several run-on sentences should be broken into multiple sentences. 

Section 4.3.5, please break the 3rd to last paragraph into multiple sentences.

Second to last and the last paragraph on page 35 should be broken into multiple sentences.

Note at end of page 38 should be broken into multiple sentences.

Last sentence on page 42 should be broken into multiple sentences.

Section 6.3.1, remove carriage return after "The" in first line.

Last sentence of page 53, please break into multiple sentences.

6.4.1.  First sentence should be broken into a couple.

6.4.4 Use of word 'ought' sounds odd in this sentence:
In order to satisfy the
   original request, a user agent ought to perform a retrieval request
   using the Location URI (a GET or HEAD request if using HTTP), which
   can itself be redirected further, and present the eventual result as
   an answer to the original request.
How about this instead:
In order to satisfy the
   original request, a user agent can perform a retrieval request
   using the Location URI (a GET or HEAD request if using HTTP), which
   can itself be redirected further, and present the eventual result as
   an answer to the original request.

Section 7.1.4: Please break the first sentence of the second and last paragraphs into multiple sentences. 


Section 9.6 has a few run-on sentences, please break them up --  First sentence of 4th paragraph for instance.

Last paragraph: I'd like to see a SHOULD in the first sentence to make this stronger, otherwise, there is no hope it will happen.  I'm not even sure how the user could be informed of loss of privacy considerations if it is not built in, this is a tough approach and I don't see it being effective for most users.  If this is configurable at the time of browser installation, would you recommend that there is a series of prompts that inform the user about each choice or did you have something else in mind?  An example may help here to actually see something happen as a result of the recommendation.


Thank you,
Kathleen