
RE: Review of draft-ietf-geopriv-http-location-delivery

2009-06-16 19:21:27
This is probably better than my phrasing, particularly the MAY piece.

I would like to make the consequences of ignoring the "SHOULD" clear though:

   A Device that conforms to this specification MAY choose not to
   support HTTP authentication [RFC2617] or cookies [RFC2965].
   Because the Device and the LIS may not necessarily have a prior
   relationship, the LIS SHOULD NOT require a Device to authenticate,
   either using the above HTTP authentication methods or TLS client
   authentication.  Unless all Devices that access a LIS can be expected
   to be able to authenticate in a certain fashion, denying access to
   location information could prevent a Device from using
   location-dependent services, such as emergency calling.

-----Original Message-----
From: Richard Barnes [mailto:rbarnes(_at_)bbn(_dot_)com]
Sent: Tuesday, 16 June 2009 2:35 PM
To: Thomson, Martin
Cc: Bernard Aboba; ietf(_at_)ietf(_dot_)org; Cullen Jennings;
mary(_dot_)barnes(_at_)nortel(_dot_)com
Subject: Re: Review of draft-ietf-geopriv-http-location-delivery

Martin:

Regarding #2, I would feel more comfortable with your text if it had
the strength of a RECOMMENDATION.  Making a specific policy
configuration a MUST NOT doesn't make sense.  Also, this discussion is
missing the possibility of client authentication in TLS, which falls
under the same recommendation.  Suggested text follows:

Old:

The LIS MUST NOT rely on device support for cookies [RFC2965] or use
Basic or Digest authentication [RFC2617].


New (Thomson):

A Device that conforms to this specification is not required to
support HTTP authentication [RFC2617] or cookies [RFC2965].  Because
the Device and LIS do not necessarily have a prior relationship and
this protocol is suited to a range of networks, there is no common
authentication mechanism that can be used for any access network.
A LIS MUST NOT deny access to location information based on the
absence of Device authentication, unless it can be guaranteed that
all Devices in the access network are aware that authentication is
required.

New (Barnes):

A Device that conforms to this specification MAY omit support for HTTP
authentication [RFC2617] or cookies [RFC2965].  Because the Device and
the LIS may not necessarily have a prior relationship, it is
RECOMMENDED that the LIS not require a Device to authenticate, either
using the above HTTP authentication methods or TLS client
authentication.

--Richard
