============================
HyBi note from the meeting
Thursday, July 26th, 2011
17:40 - 19:40 Afternoon Session II
Note Taker: Li Kepeng, Gabriel Montenegro
Slides at https://datatracker.ietf.org/meeting/81/materials.html#wg-hybi
============================

Administrative/Agenda bash (Chairs - 10m)
------------------------------------------------------------------------
Salvatore: almost time to start to work on a test suite
Greg thinks his draft has some wrong ideas, better to restart from scratch
Thread initiated on the subject here:
http://www.ietf.org/mail-archive/web/hybi/current/msg07969.html
Test suite proposal here:
http://www.ietf.org/mail-archive/web/hybi/current/msg07975.html

status and other business about the finalization of the main spec (Alexey Melnikov - 80m)
------------------------------------------------------------------------------------------------
(draft-ietf-hybi-thewebsocketprotocol-10)

*Major Issues*:

- Remove deflate-stream from the base spec
  --Agreed
- Use DNS SRV as part of the base spec
  --Consensus to exclude DNS SRV from the base spec
  Richard Barnes: agree
  Sal: we have spent a lot of time on being compliant with the existing infrastructure
- Add ability to add max frame size announcement
  --Agreed
- Richard Barnes to help with security review and wording in sec considerations
  Add HSTS, CSP, etc
  From jabber: kepeng_li\40jabber.org: please capture an action item for the
  chairs/editors to ask for double-checking of the URI schemes by the
  uri-review discussion list
- Server "failing a websocket connection" and server dropping without telling
  the reason to the client
  -Two cases: either during the handshake or after it (once the connection is established)
  -Mechanisms exist, add clarification to the text
  -Editorial issue
- Version in upgrade token? No.
  -Not required
  -Mark N ok with not doing this
- X-namespace? No resolution yet.
  -the issue will be discussed on the HyBi mailing list
  -Perhaps. This is gaining steam in app-related discussions and the IESG
   will probably be looking out for this issue.
  -[Side discussion afterwards: check with appswg, and if this is gaining
   ground, we can go with it.]
- Language tagging: optional tag NOT to be added.
  -Just clarify "MUST NOT be shown to users" and avoid tagging altogether
- Major.minor version? ok
  -No minor
  -Just clarify that major ver change: no backward compat
- Cookies
  -Just remove mention of cookies, let HTTP stand
  -[action item: editors to double-check other text that may be affected by
   the removal of any mention of cookies.]
- Reconnection logic - OK
  -add some randomization to avoid synchronization
  -Ian: treat this as two separate cases: fail at connect (e.g., server
   overload) vs fail after connect
- GET method? OK
  -Richard Barnes: seems like a handshake could be devised to not have masking
  -Again rathole on masking
  -We'll leave it as is
- Masking: ok
  -but better description to avoid future ratholes and confusion
- Large frames or messages and DoS security considerations
  -Document potential issues and mitigations
     - Frame size announcement to be added
     - Option for either side to terminate at any time
  -Need not be all buffered, could be a handle to a stream
  -API issue
- Origin vs sec-websocket-origin, why both?
  -Need to double-check with Adam Barth
  -CORS-like pre-flight check also being done?
  -"contact the server" to be clarified
- Error code ranges:
  - 4 or so currently
  -Have only 2?
  -Ian: Having more code ranges reduces probability of collisions
  -Alexey: weak argument
  -Ian: perhaps but it being imperfect still allows it to be useful
  -Resolution: reduce number to 2 (or 3)
- HTTP allows both token and quoted-string (Julian Reschke)
  -Ian: No need for quoted-string
     - If want quoted-string, also suggest text
  -Julian Reschke: let's take this to the mailing list
- The rest of the issues are minor or editorial or there is no change to be done.

extensions and other options : (Ian Fette - 20m)
---------------------------------------------------------------------------
-Good support for both Frame compression and multiplex
-Timeout also mentioned, some support.
 Kepeng Li: it is useful for the request to indicate the request-timeout and connection-timeout

Open Discussion (All - 10m)
----------------------------------------------------------------------
None