Roman Danyliw has entered the following ballot position for draft-ietf-alto-performance-metrics-20: No Objection
When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.)

Please refer to https://www.ietf.org/blog/handling-iesg-ballot-positions/ for more information about how to handle DISCUSS and COMMENT positions.

The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-alto-performance-metrics/

----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

Thanks to Vincent Roca for the SECDIR review.

** Section 1.
   An ALTO server may provide only a subset of the metrics described in this document. For example, those that are subject to privacy concerns should not be provided to unauthorized ALTO clients.

Is this a generic caution, or are any of the mentioned metrics considered privacy sensitive in some way?

** Section 2.1. Editorial. s/, and "sla"/, "sla"/

** Examples 1 – 7 all have their "Content-Length" set to "TBA". Consider populating it with the real length of each of the examples.

** Nit. Example 7 (in Section 4.2.4) comes earlier than Example 6 (in Section 4.3.3).

** Section 6. In the spirit of inclusivity, please rephrase "man-in-the-middle (MITM) attacks".

** Additional Security Considerations. It appears that in cases of an "sla" and certain "estimation" cost-estimates, it is recommended for a URI to be provided via the parameters field to point to additional information.

-- Is there any further guidance that can be provided on how this URI can be secured? Perhaps requiring https?

-- Additionally, I would recommend guidance to this effect (please polish the language on what exact ALTO fields are in question): When ALTO clients process the URIs in the "link" field provided in the "parameters" field of select "sla" and "estimation" cost-estimate metrics, they should heed the risks outlined in Section 7 of RFC3986.
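As an added illustration of the last comment (this is not code from the draft or from the reviewer), the check below vets the "link" URI of a cost metric before a client follows it: it requires https and screens for the RFC 3986 Section 7 hazards (userinfo confusion, rare host formats, unexpected ports). The JSON layout of the cost-metric entries is an assumed stand-in, and the sample entries are constructed.

```python
# Added example, not part of the draft or the review: vet an ALTO cost
# metric's "link" URI before fetching it (https only, RFC 3986 s7 checks).
import ipaddress
import json
import re
from urllib.parse import urlsplit

LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?$")  # one DNS label

# Constructed sample; the JSON layout is an assumed stand-in for the draft's.
SAMPLE_COST_METRICS = json.loads(r"""[
 {"cost-metric": "delay-ow", "cost-source": "sla", "parameters": {"link": "https://sla.example.net/delay-ow"}},
 {"cost-metric": "tput", "cost-source": "sla", "parameters": {"link": "http://sla.example.net/tput"}},
 {"cost-metric": "delay-rt", "cost-source": "estimation", "parameters": {"link": "https://sla.example.net@evil.example/rt"}},
 {"cost-metric": "lossrate", "cost-source": "estimation", "parameters": {"link": "https://0x7f000001/loss"}},
 {"cost-metric": "hopcount", "cost-source": "estimation", "parameters": {"link": "https://alto.example.net:25/hops"}}
]""")

def host_is_canonical(host: str) -> bool:
    """Plain IP literal or dotted DNS name; rejects rare forms (RFC 3986 s7.4)."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        labels = host.split(".")
        return len(labels) >= 2 and all(LABEL.match(l) for l in labels)

def check_link(uri: str) -> list[str]:
    """Reasons the link must not be followed; an empty list means acceptable."""
    try:
        parts = urlsplit(uri)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return ["unparseable URI"]
    problems = []
    if parts.scheme.lower() != "https":
        problems.append("scheme is not https")  # the reviewer's suggestion
    if parts.username is not None or parts.password is not None:
        problems.append("userinfo present (RFC 3986 s7.5, s7.6)")
    if not host_is_canonical(parts.hostname or ""):
        problems.append("host is not a dotted DNS name or IP literal")
    if port not in (None, 443):
        problems.append(f"non-default port {port} (RFC 3986 s7.2)")
    return problems

def vet_links(cost_metrics: list[dict]) -> dict[str, list[str]]:
    """Check every "sla" or "estimation" metric that carries a link."""
    report = {}
    for entry in cost_metrics:
        link = entry.get("parameters", {}).get("link")
        if entry.get("cost-source") in ("sla", "estimation") and link:
            report[entry["cost-metric"]] = check_link(link)
    return report
```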
