Dear authors, I have read draft-ietf-websec-framework-reqs-00. I think this draft is a very useful document, clearly written, proposing a common framework expressing security constraints on HTTP interactions. To further improve the document, you could consider the following comments.
1.
------------
Section 1. Introduction

In the introduction, people might confuse why the "Gazelle Web Browser[27]" is classified in the category "proposals aimed at addressing other facets of inherent web vulnerabilities". A more detailed description would make it easier for readers to understand.

2.
------------
Section 4.1. Policy conveyance

The text could give more reasons for "It may be reasonable to device distinct sets of headers...". How about explaining what the result is if we could not distinguish in-band and out-of-band signals in the NOTE?

3.
------------
Section 4.3. Configurability

It's not obvious what "the simple cases, like those mentioned above" are. So some examples for both "the simple cases" and the "fine-grained multi-faceted policies" might make it easier for readers to understand.

4.
------------
Section 7. Detailed Functional Requirements

In the overall functional requirement categories, bullet No. 4 could be renamed "Performance and evaluation mechanism", which would do better in minimizing performance impact.

------------
Thanks again for your work.

Best wishes,
Tianhui Meng
_______________________________________________
websec mailing list
https://www.ietf.org/mailman/listinfo/websec
