Hi there,

here the version 2 of the minutes from HyBi meeting at IETF81.

thanks to Peter and Willy to highlight the mistake/unclarity related to DNS-SRV decision.



Please review the minutes and send any correction to the chairs by
Monday August 25th,
as the "proceeding submission cutoff" is Friday August 29th.

Special thank to Li Kepeng and Gabriel Montenegro to collect the notes during the meetings.


cheers
/Sal

---
Salvatore Loreto
www.sloreto.com








============================
HyBi note from the meeting

   Thursday, July 26th, 2011
   17:40 - 19:40 Afternoon Session II
   Note Taker : Li Kepeng, Gabriel Montenegro

Slides at https://datatracker.ietf.org/meeting/81/materials.html#wg-hybi
============================






Administrative/Agenda bash                                (Chairs - 10m)
------------------------------------------------------------------------

Salvatore: almost time to start to work on a test suites

Greg thinks his draft has some wrong ideas, better to restart from scratch

Thread initiated on the subject here: 
http://www.ietf.org/mail-archive/web/hybi/current/msg07969.html

Test suite proposal here: 
http://www.ietf.org/mail-archive/web/hybi/current/msg07975.html



status and other business about the finalization of the main spec       
(Alexey Melnikov  - 80m)
------------------------------------------------------------------------------------------------
(draft-ietf-hybi-thewebsocketprotocol-10)

*Major Issues*:

- Remove deflate-stream from the base spec            --Agreed

- Use DNS SRV as part of the base spec                    --Consensus to 
exclude DNS SRV from the base spec
Richard barnes: agree
Sal: we have spent a lot of time on being compliant with the existing 
infrastructure

- Add ability to add max frame size announcement       --Agreed


-Richard Barnes to help with security review and wording in sec 
considerations
     Add HSTS, CSP, etc


 From jabber: kepeng_li\40jabber.org: please capture an action item for 
the chairs/editors to ask for double-checking of the URI schemes by the 
uri-review discussion list



-Server "failing a websocket connection" and server dropping without 
telling the reason to the client

     -Two cases: either during the handshake or after it  (once the 
connection is established)

     -Mechanisms exist, add clarification to the text

     -Editorial issue


-Version in upgrade token? No.

     -Not required

     - Mark N ok with not doing this


- X-namespace? No resolution yet.

     -the issue will be discussed on the HyBi mailing list

     -Perhaps. This is gaining steam in app-related discussions and the 
IESG will probably be looking out for this issue.

     -[Side discussion afterwards: check with appswg, and if this is 
gaining ground, we can go with it.]

- Language tagging: optional tag NOT to be added.

     -Just clarify "MUST NOT be shown to users" and avoid tagging altogether


- Major.minor version? ok

     -No minor

     -Just clarify that major ver change: no backward compat


- Cookies

     -Just remove mention of cookies, let HTTP stand

     -[action item: editors to double-check other text that may be 
affected by the removal of any mention of cookies.]


- Reconnection logic -  OK

     -add some randomization to avoid synchronization

     -Ian: treat this as two separate cases: fail at connect (e.g., 
server overload) vs fail after connect



- GET method? OK

     -Richard Barnes: seems like a handshake could be devised to not 
have masking

     -Again rathole on masking

     -We'll leave it as is


- Masking: ok

     -but better description to avoid future ratholes and confusion


- Large frames or messages and DoS security considerations

     -Document potential issues and mitigations
         §  Frame size announcement to be added
         §  Option for either side to terminate at any time

     -Need not be all buffered, could be a handle to a stream

     -API issue



- Origin vs sec-websocket-origin, why both?

     -Need to double-check with Adam Barth

     -CoRS-like pre-flight check also being done?

     -"contact the server" to be clarified



- Error code ranges:

     -4 or so currently

     -Have only 2?

     -Ian: Having more code ranges reduces probability of collisions

     -Alexey: weak argument

     -Ian: perhaps but it being imperfect still allows it to be useful

     -Resolution: reduce number to 2 (or 3)



- HTTP allows both token and quoted-string  (Julian Reschke)

     -Ian: No need for quoted-string

         §  If want quoted-string, also suggest text

     -Julian Reschke: let's take this to the mailing list


- The rest of the issues are minor or editorial or there is no change to 
be done.




extensions and other options :                            (Ian Fette - 20m)
---------------------------------------------------------------------------

-Good support for both Frame compression and multiplex


-Timeout also mentioned, some support.
Kepeng Li: it is useful for the request to indicate the request-timeout 
and connection-timeout




Open Discussion                                            (All - 10m)
----------------------------------------------------------------------

None