headers
Iñaki Baz Castillo | 5 Jan 2010 13:15
Gravatar

Re: SUBSCRIBE for xcap-diff event sent by the presence server to the XCAP server

El Lunes, 28 de Diciembre de 2009, Iñaki Baz Castillo escribió:
> I would like to understand how such SUBSCRIBE sent by the presence server 
> looks. The above draft just shows examples when a SIP user send such
>  SUBSCRIBE  but no one example when the subscriber is the presence server.

Hi, it's strange for me not to see questions/responses in this maillist, so 
perhaps I'm wrong and the purpose of this maillist is to announce drafs/RFC's 
and OMA/IETF liaisons.

Please, could I know if this maillist is appropriate for asking SIMPLE related 
questions? or should I ask in sip-implementors?

Thanks a lot.

--

-- 
Iñaki Baz Castillo <ibc <at> aliax.net>
_______________________________________________
Simple mailing list
Simple <at> ietf.org
https://www.ietf.org/mailman/listinfo/simple
Permalink | Reply | 1 comment |
headers
Ben Campbell | 5 Jan 2010 15:23
Favicon

Re: SUBSCRIBE for xcap-diff event sent by the presence server to the XCAP server

<as chair>

Actually, this list is for the purpose of discussing SIMPLE standards work--that is, drafts, RFCs,
liaisons, etc. But since xcap-diff is relatively new, it does not hurt to ask clarification questions.
It's up to individuals to decide how to respond. SIP-implementors may be another good place to ask.

Also, keep in mind that lots of people are just getting back from holiday, so responses may be slower than usual.

Thanks!

Ben.

On Jan 5, 2010, at 6:15 AM, Iñaki Baz Castillo wrote:

> El Lunes, 28 de Diciembre de 2009, Iñaki Baz Castillo escribió:
>> I would like to understand how such SUBSCRIBE sent by the presence server 
>> looks. The above draft just shows examples when a SIP user send such
>> SUBSCRIBE  but no one example when the subscriber is the presence server.
> 
> Hi, it's strange for me not to see questions/responses in this maillist, so 
> perhaps I'm wrong and the purpose of this maillist is to announce drafs/RFC's 
> and OMA/IETF liaisons.
> 
> Please, could I know if this maillist is appropriate for asking SIMPLE related 
> questions? or should I ask in sip-implementors?
> 
> Thanks a lot.
> 
> 
> --
(Continue reading)

Permalink | Reply | 0 comments |
headers
Jari Urpalainen | 7 Jan 2010 12:15
Picon

Re: SUBSCRIBE for xcap-diff event sent by the presence server to the XCAP server

On Mon, 2009-12-28 at 00:36 +0100, ext Iñaki Baz Castillo wrote:
> Hi, the way a presence server receives notifications for changes in XCAP 
> documents (so it can notify the watchers) is by subscribing to the XCAP server 
> for the event "xcap-diff" as specified in:
>   http://tools.ietf.org/html/draft-ietf-sip-xcapevent
> 
> I would like to understand how such SUBSCRIBE sent by the presence server 
> looks. The above draft just shows examples when a SIP user send such SUBSCRIBE 
> but no one example when the subscriber is the presence server.
a presence server can be a "normal" xcap-diff client. Acls though would
be quite different than with the typical use-case.   

> 
> For example, let's imagine a simplified case in which there are just two XCAP 
> applications ("pres-rules" and "resource-lists").
> 
> The presence server should subscribe to users documents. AFAIK the presence 
> server would send a SUBSCRIBE as follows:
> 
> 
>    SUBSCRIBE sip:xcap-server <at> domain.org SIP/2.0
>    From: sip:presence-server <at> domain.org
>    Accept: application/xcap-diff+xml
>    Event: xcap-diff; diff-processing=no-patching
>    Content-Type: application/resource-lists+xml
> 
>    <?xml version="1.0" encoding="UTF-8"?>
>    <resource-lists xmlns="urn:ietf:params:xml:ns:resource-lists">
>      <list>
>        <entry uri="pres-users/users/" />
(Continue reading)

Permalink | Reply | 5 comments |
headers
Adrian Georgescu | 7 Jan 2010 12:20
Favicon
Gravatar

Re: SUBSCRIBE for xcap-diff event sent by the presence server to the XCAP server


- Could the notification from the XCAP server to the presence server work with
PUBLISH rather than SUBSCRIBE & NOTIFY? This is: when a XCAP document is
modified the XCAP server sends a PUBLISH to the presence server with xcap-diff
body. Does it make sense?
Sure, but i cannot see any actual benefit


The benefit would be that you (as an XCAP server) can send a publish once to the Presence Agent when a document has changed rather than using Subscribe/Notify which requires maintaining a continuous subscription to get an update.

Adrian

_______________________________________________
Simple mailing list
Simple <at> ietf.org
https://www.ietf.org/mailman/listinfo/simple
Permalink | Reply | 4 comments |
headers
Iñaki Baz Castillo | 7 Jan 2010 13:17
Gravatar

Re: SUBSCRIBE for xcap-diff event sent by the presence server to the XCAP server

El Jueves, 7 de Enero de 2010, Adrian Georgescu escribió:
> The benefit would be that you (as an XCAP server) can send a publish once
>  to the Presence Agent when a document has changed rather than using
>  Subscribe/Notify which requires maintaining a continuous subscription to
>  get an update.

Yes I agree. Sending a PUBLISH is more or less "easy" but building a complete 
presence server just to handle subscription for presence server(s) is more 
complex.

The fact is that I don't want that my XCAP server becomes a SIP presence 
server. Instead it could publish xca-diff status to the *real* SIP presence 
server, and this last would also manage the xcap-diff subscriptions from real 
clients.

Is this design wrong for some reason?

Thanks a lot. 

--

-- 
Iñaki Baz Castillo <ibc <at> aliax.net>
_______________________________________________
Simple mailing list
Simple <at> ietf.org
https://www.ietf.org/mailman/listinfo/simple
Permalink | Reply | 3 comments |
headers
Adrian Georgescu | 7 Jan 2010 13:19
Favicon
Gravatar

Re: SUBSCRIBE for xcap-diff event sent by the presence server to the XCAP server

For me this is the right design and this is how we are implementing it  
in OpenSIPS/OpenXCAP tandem.

Adrian

On Jan 7, 2010, at 1:17 PM, Iñaki Baz Castillo wrote:

> El Jueves, 7 de Enero de 2010, Adrian Georgescu escribió:
>> The benefit would be that you (as an XCAP server) can send a  
>> publish once
>> to the Presence Agent when a document has changed rather than using
>> Subscribe/Notify which requires maintaining a continuous  
>> subscription to
>> get an update.
>
> Yes I agree. Sending a PUBLISH is more or less "easy" but building a  
> complete
> presence server just to handle subscription for presence server(s)  
> is more
> complex.
>
> The fact is that I don't want that my XCAP server becomes a SIP  
> presence
> server. Instead it could publish xca-diff status to the *real* SIP  
> presence
> server, and this last would also manage the xcap-diff subscriptions  
> from real
> clients.
>
> Is this design wrong for some reason?
>
> Thanks a lot.
>
>
> -- 
> Iñaki Baz Castillo <ibc <at> aliax.net>
> _______________________________________________
> Simple mailing list
> Simple <at> ietf.org
> https://www.ietf.org/mailman/listinfo/simple
Permalink | Reply | 2 comments |
headers
Iñaki Baz Castillo | 7 Jan 2010 13:33
Gravatar

Re: SUBSCRIBE for xcap-diff event sent by the presence server to the XCAP server

El Jueves, 7 de Enero de 2010, Adrian Georgescu escribió:
> For me this is the right design and this is how we are implementing it  
> in OpenSIPS/OpenXCAP tandem.

Is there any limitation in this approach? This is:

Theorically the presence server subscribes to the XCAP server and receives 
NOTIFY with xcap-diff. 
Also the clients subscribe to the XCAP server for xcap-diff event (to know 
changes in their documents).

Instead of that, the client would subscribe to the presence server for xcap-
diff event and the XCAP server would publish xcap-diff to the presence server, 
so this last would notify the users.

IMHO there is no limitation and we avoid building a complex presence server on 
top of a XCAP server (HTTP server, not SIP!). :)

Thanks.

--

-- 
Iñaki Baz Castillo <ibc <at> aliax.net>
Permalink | Reply | 1 comment |
headers
Adrian Georgescu | 7 Jan 2010 13:35
Favicon
Gravatar

Re: SUBSCRIBE for xcap-diff event sent by the presence server to the XCAP server


On Jan 7, 2010, at 1:33 PM, Iñaki Baz Castillo wrote:

> El Jueves, 7 de Enero de 2010, Adrian Georgescu escribió:
>> For me this is the right design and this is how we are implementing  
>> it
>> in OpenSIPS/OpenXCAP tandem.
>
> Is there any limitation in this approach? This is:
>
> Theorically the presence server subscribes to the XCAP server and  
> receives
> NOTIFY with xcap-diff.
> Also the clients subscribe to the XCAP server for xcap-diff event  
> (to know
> changes in their documents).
>
> Instead of that, the client would subscribe to the presence server  
> for xcap-
> diff event and the XCAP server would publish xcap-diff to the  
> presence server,
> so this last would notify the users.

This last paragraph is exactly what I meant.

Adrian
Permalink | Reply | 0 comments |
headers
Christer Holmberg | 11 Jan 2010 12:59
Picon
Favicon

Re: WGLC of msrp-acm and msrp-sessionmatch


Hi Ben,

Sorry for the delay of my reply. I have been on xmas vacation for a few weeks.

Comments inline. 

>-------------------- WGLC review of draft-ietf-simple-msrp-acm-03:
> 
>** Substantive:
> 
>-- Section 3:
> 
>I'd like to see something to the effect of "Support of this 
>specification is optional for MSRP user agents in general. 
>User Agents that are likely to be deployed without MSRP 
>Relays SHOULD support this specification in order to improve 
>the odds of being able to communicate across NATs."

I agree it would be good to add something like that.

But, I think it would be useful even for MSRP user agents WITH relays to implement it, in case the terminating
UA is behind a NAT, but does not use a relay and therefor needs to be active.

So, maybe something like:

"Support of this specification is optional for MSRP user agents in general. User Agents that are likely to
be deployed in networks where User Agents need to establish the TCP connections in order to traverse NATs
SHOULD support this specification in order to improve the odds of being able to communicate across NATs."

-------------

>-- Section 4.2, 4th paragraph from end:
> 
>I'm not entirely sure it's safe to assume that the presence 
>or absence of a NAT on the signaling path always indicates 
>the same for the media path. For example, there could be a 
>SIP proxy _inside_ the NAT.

It is true that media may not always be NATed (I personally think it mostly is the case, though), but I still
think it's good to make that assumption when setting the a=setup value.

Maybe the paragraph could be re-written to:

"The UA can determine whether SIP  whether the SIP signaling will be NATed by inspecting the SIP Via header in the
200 (OK) response if the initial REGISTER request, by comparing the IP addresses in the Via sent-by and
received parameters.  
If these are not the same then the UA can determine that there is a NAT in the path. Eventhough the media
transport might not
be NATed, it is safe to assume that it will, and set the a=setup attribute accordingly."

-------------

>-- Section 4.3:
> 
>Did we ever close on the COMEDIA-TLS fingerprint 
>requirement, and how that could be a problem in the presence 
>of relays?

I am not sure we wrote down anything.

However, my suggestion would be to describe the problem in section 4.3, ie that there is currently no
mechanism to provide to/retreive from fingerprints to an MSRP relay, and that the usage of COMEDIA-TLS in
networks with relays is outside the scope of the specification.

We can then see whether people have interest to create a separate milestone to look into the issue, because I
am sure it will require some work.

-------------

>-- Section 4.4, third paragraph (NOTE about ICE)
> 
>Is the note really needed? This draft is not about using ICE per se.

I can remove it.

-------------

> -- Section 5:
> 
>Does it make sense to use STUN for this in a TCP stream?

The idea is simply to not disallow something which is defined in ICE.

>Do we need some statement about not sending a keepalive 
>mid-chunk? (I'm not sure why one would need to, but doing so 
>is likely to corrupt a message.)

I don't think the mid-chunk issue is specific to MSRP, so I don't think we need to say anything.

>Also, does the default Tr value in ICE apply to TCP?

I don't know, but I have made the assumption that we don't need to start defining MSRP specific ICE stuff. If
there is a need for that, I would suggest we do it in a separate draft.

-------------

>-- Section 6:
>
>Have we thought through whether changing the active party has 
>any impact on TLS security? Does this interact with key 
>fingerprints in the signaling channel? (I'm not saying that I 
>know it does--I just want to make sure we've thought about it.)

I don't think there should be any impacts, because now MSRP will be alligned with other comedia usages.

-------------

>** Editorial and Nits:
> 
>-- General:
> 
>Please expand non-common-knowledge acronyms on first mention. 

I'll look into that.

-------------

>-- section 1, first two paragraphs:
> 
>These would be easier to read if the references were 
>structured as truly parenthetical rather than as bona-fide 
>parts of the sentence. For example, "The Message Session 
>Relay Protocol (MSRP) [ref] defines that..." rather than "[ref] 
>defines that..."

I'll look into that.

-------------

>-- section 1, paragraph 2:
> 
>ben: s/"responsible to create"/"responsible for creating"

Fixed.

-------------

>-- section 1, paragraph 4 (OMA example)
> 
>By "located in the network", do you mean carrier network? 
>Publicly accessible network?

Carrier network.

Fixed.

-------------

>-- section 1, last paragraph:
> 
>Am I correct in assuming this would not be limited to TCP? 
>For example, if we define an SCTP binding in the future, 
>COMEDIA could still apply? If so, perhaps it would be better 
>to consistently refer to transport connections rather than 
>TCP connections.

RFC 4145 talks about TCP, so I assume COMEDIA would have to be updated in order to support SCTP first. And,
before that is done I don't think we can say anything about how it will be applied for MSRP.

-------------

>-- section 3, paragraph 1:
> 
>s/interop/interoperate (or interwork). 

I changed to "interoperate".

Fixed.

-------------

>Also, I tend to think of UAs conforming to this spec as 
>(mostly) also conforming to RFC4975. So I'm not sure "[RFC 
>4975] conformant" is the best way to refer to UAs that do not 
>implement COMEDIA. Perhaps something along the lines of "... 
>from a UA that follows the RFC 4975 connection model..."

I can re-write to:

	"An MSRP UA conformant to this document can interoperate with a UA that follows the connection model
defined in 
	[RFC4975]. However, if an MSRP UA conformant to this document is located behind NAT, and does not proxy its
MSRP 
	communication via an MSRP-Relay node, and the UA receives an SDP offer from a remote UA that follows the
connection 
	model defined in [RFC4975], NAT traversal can only be achieved if the MSRP UA supports ICE and the network 
	provides TURN servers, or if the network supports SBC assisted NAT traversal for TCP."

-------------

>-- section 4.2, paragraph 1:
> 
>We still need to make it more clear that the normative 
>language in this spec is scoped to UAs supporting COMEDIA, 
>i.e. this MUST is not universal. That might be doable by 
>being a little more precise in the applicability statement 
>(see my comment on section 3). Otherwise, we need some 
>concise term that means "MSRP UAs implementing COMEDIA"

I think the best thing is to make the applicability statement more clear, because one should be able to
assume that the procedures then apply to entities which implement the specification.

-------------

>-- section 4.2, paragraph 2:
> 
>ben:s/"which is not..."/"that is not..."

Fixed.

-------------

>-- section 4.2, fifth paragraph from end (starting with - the 
>UA has used STUN) s/signalling/signaling Can we have an 
>informational reference for STUN?

I'll fix that.

-------------

>-- idnits returns some warnings that should be fixed prior to pubreq.

Yes.

>-------------------- WGLC review of draft-ietf-simple-msrp-sessionmatch-01:
> 
> 
>*** Substantive:
> 
>-- Section 5:
> 
>I think we need another paragraph along the lines of:
> 
>"An MSRP UA treats its session URI as a shared secret to 
>determine that an incoming transport connection is indeed 
>from the signaled peer device. An MSRP session URI therefore 
>needs to be hard to guess. However, RFC 4975 already requires 
>the session-id part of the URI to be sufficiently hard to 
>guess. Furthermore, the addressing information in the domain 
>part of the URI is relatively easy to guess. This makes the 
>difficulty in guessing the session-id roughly equivalent to 
>the difficulty of guessing the entire URI."

Looks good.

-------------

>-- Section 5, last paragraph:
> 
>Do we need to talk about the security issues created by the 
>intermediaries themselves? We don't otherwise specify how 
>intermediaries work in this draft.

I am not really sure what we could say, with a reasonalble amount of text. There is a separate draft about
SBCs, so...

-------------

>** Editorial and Nits:
> 
>-- General:
> 
>Please expand acronyms on first mention.

I'll fix that.

-------------

>-- Section 1, paragraph 3:
> 
>I'm not sure I follow the "- NAPT - " part of the last sentence.

The "- NAPT -" stuff shouldn't be there, so I'll remove it.

-------------

>-- Section 4.1 and 4.2
> 
>Either need to state that 4.2 replaces the first paragraph in 
>section 7.3, or state that it replaces the entire section and 
>include the (one sentence) second paragraph from that section.

I can do either (paragraph or section).

If nobody objects, I'll indicate that it replaces the first paragraph.

-------------

>-- Section 8.1:
> 
>I'm not sure the references are right here. 

I'll double check.

-------------

> -- Section 8.2
> 
>Can we have an nformative reference to TS23.228?

I'll fix that.

-------------

> -- idnits returns some warnings--please check them before pubreq.

Ok.

------------- 

Regards,

Christer
Permalink | Reply | 15 comments |
headers
Christer Holmberg | 11 Jan 2010 14:48
Picon
Favicon

Re: WGLC of msrp-acm and msrp-sessionmatch - Adam's comments


Hi Adam,

My appologies also to you for the delay of the reply, due to my xmas vacation.

Comments inline.

>Just for clarification: the fact that we're last calling 
>these at the same time doesn't mean that we intend them to 
>progress as a cluster 
>(http://www.rfc-editor.org/cluster_def.html), does it? There 
>is no normative dependency between them, and I'd hate to see 
>them both be delayed due to issues related to only one of 
>them (e.g., in IETF last call, or IESG review).

See Ben's reply.

----------

> ==========
> draft-ietf-simple-msrp-acm
> 
>    1. NIT: The abstract contains several acronyms that need to be
>       expanded (MSRP, UA, COMEDIA) -- see section 3.6 of
>       http://www.rfc-editor.org/rfc-style-guide/rfc-style

I'll fix that.

----------

>    2. NIT: In the introduction, the sentence "[RFC4975] also allows, but
>       does not define, MSRP UAs to use other mechanisms in order to
>       create the MSRP transport connection" lacks parallelism. Try
>       "[RFC4975] also allows, but does not define, alternate 
>       mechanisms for MSRP UAs to create MSRP transport connections."

I'll fix that.

----------

>    3. NIT: Also in the introduction: "[RFC4145] defines a mechanism,
>       COMEDIA, which endpoints can use..." should read "[RFC4145]
>       defines a mechanism, COMEDIA, that endpoints can use..." (the
>       phrase at the end of the sentence isn't incidental to its meaning
>       -- it is the purpose of the sentence).

I'll fix that.

----------

>    4. SUBSTANTIVE: I agree with earlier comments that the first
>       paragraph of section 3 is a bit confusing, as it appears to impose
>       a normative requirement on all MSRP UAs. Removal seems a bit of
>       overkill, though, as it leaves implementors no information about
>       when ACM should be employed.

I suggested the following text in my reply to Ben:

"Support of this specification is optional for MSRP user agents in general. User Agents that are likely to
be deployed in networks where User Agents need to establish the TCP connections in order to traverse NATs
SHOULD support this specification in order to improve the odds of being able to communicate across NATs."

----------

>       The second paragraph of section 3 talks about NAT traversal
>       failures under certain circumstances, but provides implementors no
>       guidance about how to avoid these failures. I think you need to
>       add text that basically recommends that UA implementations that
>       can be configured to use ACM as their NAT traversal strategy also
>       MUST have the ability to use MSRP relays. (In other words:
>       mandatory to implement, optional to use). Otherwise, you're
>       encouraging deployment of clients that can perform NAT traversal,
>       but only under fairly limited network circumstances.

Are you sure you mean section 3? There is only one paragraph.

I am not sure I understand the comment about MUST implement ability to use MSRP relays. I don't think we
should mandate ACM clients to always implement support of MSRP relays. An ACM client may not even be
located behind a NAT (they support ACM just in order to allow other clients behind NATs to be active), or
they are only used in networks where MSRP relays are not used.

We could say that clients which can be located behind MSRP relays should support MSRP relays, but doesn't
RFC 4976 already say that? It's true even if the client doesn't support ACM.

I don't think I encourage deployment of clients that can perform NAT traversal only in limited network
circumstances. The draft is about how clients can use COMEDIA, it is not a generic implementation guide or
profile for MSRP clients behind NATs :)

Or, did I missunderstand your comment?

----------

>    5. NIT: in section 4.2, "holdcon" should be spelled "holdconn" (two
>       'n's).

I'll fix that.

----------

>    6. SUBSTANTIVE: In section 4.2, I think we need an explanation in the
>       document regarding why "holdconn" is normatively prohibited. It's
>       not immediately clear to me why we prevent this, and I can't find
>       any discussion on the SIMPLE mailing list on the topic.

I suggest to reomve the sentence, and not say anything about holdconn.

I have some difficulties in understanding how holdconn is related to TCP setup direction, but I don't think
there is anything MSRP specific about it.

----------

>    7. SUBSTANTIVE: A natural consequence of the rules in section 4.2 is
>       that an _offer_ for an MSRP session must never be "passive." To
>       avoid misinterpretation, this should be stated as a normative
>       requirement.

You are probably right.

----------

>    8. SUBSTANTIVE: Unlike SIP, I don't think MSRP has rules that require
>       recipients to ignore CRLF sequences in a TCP connection. I'm
>       pretty sure that the CRLF mechanism described in section 5 for
>       pinhole preservation is NOT backwards compatible. However, RFC
>       4975 does talk about NAT binding keepalives in RFC 4975, section
>       7.1: "Bodiless requests may also be used in certain applications
>       to keep Network Address Translation (NAT) bindings alive, etc."

Good point.

I can re-write to:

"If an MSRP UA is located behind a NAT the UA MUST keep the NAT binding alive, in accordance with section 10 of [I.D.ietf-mmusic-
ice]. The UA SHOULD use MSRP requests without bodies as NAT keepalive messages, as defined in section 7.1 of
[ref to RFC4975]."

----------

>    9. SUBSTANTIVE: Also related to section 5: I'm certain that nothing
>       in draft-ietf-mmusic-ice provides guidance here: that document
>       deals with UDP, while MSRP is exclusively a TCP protocol. Perhaps
>       you intended to cite draft-ietf-mmusic-ice-tcp?

Yes. I can change the reference.

 
> ==========
> draft-ietf-simple-msrp-sessmatch
> 
>    1. NIT: The abstract contains several acronyms that need to be
>       expanded (MSRP, UA, ALG) -- see section 3.6 of
>       http://www.rfc-editor.org/rfc-style-guide/rfc-style

I'll fix that.

----------

>    2. NIT: The unexpanded acronym issue continues through the
>       introduction: SLA, B2BUA, NAPT, ALG.

I'll fix that.

----------

>    3. SUBSTANTIVE: This document updates RFC 4975, section 7.1, which
>       talks about ongoing sessions. However, to succeed, we also need to
>       modify the matching procedure that takes place during session
>       establishment. This is described in RFC 4975, section 5.4.

Good point.

I guess the following text:

"When the first request arrives, its To-Path header field should contain a URI that the listening element
provided in the SDP for a session. The element that accepted the connection looks up the URI in the received
request, and determines which session it matches."

...should be modified to:

"When the first request arrives, its To-Path header field should contain a URI with a session-id part that
the listening element provided in the SDP for a session. The element that accepted the connection looks up
the session-id part of the URI in the received request, and determines which session it matches."

----------

>    4. SUBSTANTIVE: In the security section, we need to talk through the
>       implications of this mechanism on TLS connections. After some
>       cursory thought on the topic, I think it works correctly: outbound
>       connections to MSRP relays will be okay, since the cert presented
>       by the relay will match the hostname the client used to connect to
>       it; and, for peer-to-peer mode (as described in RFC 4975, section
>       14.4), the hostname isn't part of the information used to match
>       the certificate. However, just because I think it works doesn't
>       mean that it actually does. :) I'd be a lot more comfortable if we
>       have a brief treatment of this issue in the security section so
>       that it gets some explicit security review.

I suggest we try to get the rest of the stuff fixed first, and then we can concentrate on the security stuff.

----------

>    5. NIT: Somewhere in the document, it would probably be good to cite
>       the text from RFC 4975, section 14.1, regarding MSRP security
>       properties: "Most components of the URI, such as the scheme and
>       the authority components, are common knowledge.  The secrecy is
>       entirely provided by the session-id component." This goes a long
>       way towards allaying any concerns that the host portion was
>       intended to provide any kind of protection when matching sessions.

I think that could be added to the security considerations sections.

Regards,

Christer
Permalink | Reply | 4 comments |

Gmane