Characterizing HTTPS Spec issues for the F2F

[Dave Lemire <dave.lemire@g2-inc.com>]

IC-SC Members

(this message is cross-posted to Slack #implementation; respond where ever you prefer).

Following Joe Brule's lead, I'm trying to bin up the HTTPS Specification comments for discussion at the F2F meeting. Here's my current proposed segregation into "not too controversial" and "need deeper discussion"; I'd like feedback on whether the SC members believe any issue is in the wrong bin. Some discussion of these has taken place in IC-SC meetings on December 19th and January 2nd. I'm using the HTTPS issue numbers in the CRM, with a quick summary label. Please follow the link to the CRM to access more more detail about the issues and review specific change proposals in pull requests.

Not Too Controversial

• HTTPS-1: make JSON support required, allow other serializations
• -2: HTTP date header should be option, align with RFC
• -3: Example messages should use example dates, not template
• -4: Add Goal subsection into Section 1 to align with the other specs
• -5: Align message terminology with L-Spec:Â "message elements", not "head information"
• -6: Change "specification describes" to "document specifies" in abstract
• -7: Delete "one or more" regarding selection of transfer specifications
• -8: add non-normative IACD referencesÂ
• -9: add targets as something an AP may define in description of APs
• -10: Clarify explanation of layering of security solutionsÂ
• -11: Remove references to subcommittees in Fig 1 (documentation / layering model)Â
• -12: Change "transport" to "transfer"
• -13:ÂClarify wording of specification intent
• -14: Remove JSON from message lines in Figs 2 & 3
• -15: Thoroughly link conformance statements back to requirements text
• -16: Add RFC 7231 to specification of Date format in conformance
• -17: Fix unmatched brackets in example message
• -19: Remove "verbose" in relation to JSON (relates to -1)
• -21: Remove mentions of supporting notificationsÂ
• -24: Remove any support for TLS / SSL versions prior to TLS 1.3
• -25: Add normative / non-normative intro labels for document sections
• -29: Specify base64url encoding for X-Correlation-ID (was previously unspecified)
  

Note: Items 4, 7, 8, 9, 10, 11, 12 & 13 apply to Section 1 content; the editors' intent is that content will be uniform across the three specifications for 1.0 through 1.7 (which is 1.6 in PR draft of HTTPS spec due to missing Goal section (issue 4)).

Require Deeper Discussion

• -18: cancel example (dependent on command-id issue)
  
• -20: "transport independent" (dependent on command-id issue)
• -22: align with L-Spec on command-id / request-id (dependent)
• -23: remove polling / "backward" -- SC consensus in favor
• -26: require mutual authentication -- SC consensus in favor
• -27: authentication requirements (remove PK certs) -- SC consensus in favor, possible conformance issue
• -28: remove "id_ref" from example responses (dependent on command-id issue)

Dave

David P. Lemire, CISSP
 OpenC2 Technical Committee Secretary
 OpenC2 Implementation Considerations SC Co-chair
 Contractor support to NSA
Email: dave.lemire@g2-inc.com
Office: 301-575-5190 / Mobile: 240-938-9350