| draft-ietf-atompub-protocol-16.txt | draft-ietf-atompub-protocol-17.txt | |||
|---|---|---|---|---|
| Network Working Group J. Gregorio, Ed. | Network Working Group J. Gregorio, Ed. | |||
| Internet-Draft IBM | Internet-Draft IBM | |||
| Intended status: Standards Track B. de hOra, Ed. | Intended status: Standards Track B. de hOra, Ed. | |||
| Expires: December 29, 2007 June 27, 2007 | Expires: January 10, 2008 July 09, 2007 | |||
| The Atom Publishing Protocol | The Atom Publishing Protocol | |||
| draft-ietf-atompub-protocol-16.txt | draft-ietf-atompub-protocol-17.txt | |||
| Status of this Memo | Status of this Memo | |||
| By submitting this Internet-Draft, each author represents that any | By submitting this Internet-Draft, each author represents that any | |||
| applicable patent or other IPR claims of which he or she is aware | applicable patent or other IPR claims of which he or she is aware | |||
| have been or will be disclosed, and any of which he or she becomes | have been or will be disclosed, and any of which he or she becomes | |||
| aware will be disclosed, in accordance with Section 6 of BCP 79. | aware will be disclosed, in accordance with Section 6 of BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF), its areas, and its working groups. Note that | Task Force (IETF), its areas, and its working groups. Note that | |||
| skipping to change at page 1, line 34 | skipping to change at page 1, line 34 | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at | |||
| http://www.ietf.org/ietf/1id-abstracts.txt. | http://www.ietf.org/ietf/1id-abstracts.txt. | |||
| The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at | |||
| http://www.ietf.org/shadow.html. | http://www.ietf.org/shadow.html. | |||
| This Internet-Draft will expire on December 29, 2007. | This Internet-Draft will expire on January 10, 2008. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (C) The IETF Trust (2007). | Copyright (C) The IETF Trust (2007). | |||
| Abstract | Abstract | |||
| The Atom Publishing Protocol (APP) is an application-level protocol | The Atom Publishing Protocol (APP) is an application-level protocol | |||
| for publishing and editing Web resources. The protocol is based on | for publishing and editing Web resources. The protocol is based on | |||
| HTTP transfer of Atom-formatted representations. The Atom format is | HTTP transfer of Atom-formatted representations. The Atom format is | |||
| skipping to change at page 43, line 12 | skipping to change at page 43, line 12 | |||
| "hreflang" attributes then the client SHOULD pick the first "edit- | "hreflang" attributes then the client SHOULD pick the first "edit- | |||
| media" link relation in document order. | media" link relation in document order. | |||
| 12. The Atom Format Type Parameter | 12. The Atom Format Type Parameter | |||
| The Atom Syndication Format [RFC4287] defines the "application/ | The Atom Syndication Format [RFC4287] defines the "application/ | |||
| atom+xml" media type to identify both Atom Feed and Atom Entry | atom+xml" media type to identify both Atom Feed and Atom Entry | |||
| Documents. Implementation experience has demonstrated that Atom Feed | Documents. Implementation experience has demonstrated that Atom Feed | |||
| and Entry Documents can have different processing models and that | and Entry Documents can have different processing models and that | |||
| there are situations where they need to be differentiated. This | there are situations where they need to be differentiated. This | |||
| specification defines an optional "type" parameter used to | specification defines a "type" parameter used to differentiate the | |||
| differentiate the two types of Atom documents. | two types of Atom documents. | |||
| 12.1. The 'type' parameter | 12.1. The 'type' parameter | |||
| This specification defines a new "type" parameter for use with the | This specification defines a new "type" parameter for use with the | |||
| "application/atom+xml" media type. The "type" parameter has a value | "application/atom+xml" media type. The "type" parameter has a value | |||
| of "entry" or "feed". | of "entry" or "feed". | |||
| Neither the parameter name nor its value are case sensitive. | Neither the parameter name nor its value are case sensitive. | |||
| The value "entry" indicates that the media type identifies an Atom | The value "entry" indicates that the media type identifies an Atom | |||
| skipping to change at page 45, line 11 | skipping to change at page 45, line 11 | |||
| Member Resource be made publicly visible. If the app:draft element | Member Resource be made publicly visible. If the app:draft element | |||
| is not present then servers that support the extension MUST behave as | is not present then servers that support the extension MUST behave as | |||
| though an app:draft element containing "no" was sent. | though an app:draft element containing "no" was sent. | |||
| 14. Securing the Atom Publishing Protocol | 14. Securing the Atom Publishing Protocol | |||
| The Atom Publishing Protocol is based on HTTP. Authentication | The Atom Publishing Protocol is based on HTTP. Authentication | |||
| requirements for HTTP are covered in Section 11 of [RFC2616]. | requirements for HTTP are covered in Section 11 of [RFC2616]. | |||
| The use of authentication mechanisms to prevent POSTing or editing by | The use of authentication mechanisms to prevent POSTing or editing by | |||
| unknown or unauthorized clients is recommended but not required. | unknown or unauthorized clients is RECOMMENDED but not required. | |||
| When authentication is not used, clients and servers are vulnerable | When authentication is not used, clients and servers are vulnerable | |||
| to trivial spoofing, denial of service, and defacement attacks. | to trivial spoofing, denial of service, and defacement attacks. | |||
| However, in some contexts, this is an acceptable risk. | However, in some contexts, this is an acceptable risk. | |||
| The type of authentication deployed is a local decision made by the | The type of authentication deployed is a local decision made by the | |||
| server operator. Clients are likely to face authentication schemes | server operator. Clients are likely to face authentication schemes | |||
| that vary across server deployments. At a minimum, client and server | that vary across server deployments. At a minimum, client and server | |||
| implementations MUST be capable of being configured to use HTTP Basic | implementations MUST be capable of being configured to use HTTP Basic | |||
| Authentication [RFC2617] in conjunction with a connection made with | Authentication [RFC2617] in conjunction with a connection made with | |||
| TLS 1.0 [RFC2246] or a subsequent standards-track version of TLS, | TLS 1.0 [RFC2246] or a subsequent standards-track version of TLS, | |||
| supporting the conventions for using HTTP over TLS described in | supporting the conventions for using HTTP over TLS described in | |||
| [RFC2818]. At a minimum, client and server implementations MUST be | [RFC2818]. | |||
| capable of being configured to use HTTP Basic Authentication | ||||
| [RFC2617] in conjunction with a TLS 1.0 [RFC2246] or a subsequent | ||||
| standards-track version of TLS, supporting the conventions for using | ||||
| HTTP over TLS described in [RFC2818]. | ||||
| The choice of authentication mechanism will impact interoperability. | The choice of authentication mechanism will impact interoperability. | |||
| The minimum level of security referenced above (Basic Authentication | The minimum level of security referenced above (Basic Authentication | |||
| with TLS) is considered good practice for Internet applications at | with TLS) is considered good practice for Internet applications at | |||
| the time of publication of this specification and sufficient for | the time of publication of this specification and sufficient for | |||
| establishing a baseline for interoperability. Implementers are | establishing a baseline for interoperability. Implementers are | |||
| encouraged to investigate and use alternative mechanisms regarded as | encouraged to investigate and use alternative mechanisms regarded as | |||
| equivalently good or better at the time of deployment. It is | equivalently good or better at the time of deployment. It is | |||
| RECOMMENDED that clients be implemented in such a way that new | RECOMMENDED that clients be implemented in such a way that new | |||
| authentication schemes can be deployed. | authentication schemes can be deployed. | |||
| skipping to change at page 47, line 22 | skipping to change at page 47, line 22 | |||
| the contents of an Entry Document before publishing it, signatures | the contents of an Entry Document before publishing it, signatures | |||
| within an entry are only likely to be useful to the server to which | within an entry are only likely to be useful to the server to which | |||
| the entry is being sent. Clients cannot assume that the signature | the entry is being sent. Clients cannot assume that the signature | |||
| will be valid when viewed by a third party, or even that the server | will be valid when viewed by a third party, or even that the server | |||
| will publish the client's signature. | will publish the client's signature. | |||
| A server is allowed to strip client-applied signatures, to strip | A server is allowed to strip client-applied signatures, to strip | |||
| client-applied signatures and then re-sign with its own public key, | client-applied signatures and then re-sign with its own public key, | |||
| and to oversign an entry with its own public key. The meaning to a | and to oversign an entry with its own public key. The meaning to a | |||
| third party of a signature applied by a server is the same as a | third party of a signature applied by a server is the same as a | |||
| signature from anyone, as described in [RFC4287]. It is recommended | signature from anyone, as described in [RFC4287]. It is RECOMMENDED | |||
| that a server that is aware that it has changed any part of an Entry | that a server that is aware that it has changed any part of an Entry | |||
| Document that was signed by the client should strip that signature | Document that was signed by the client should strip that signature | |||
| before publishing the entry in order to prevent third parties from | before publishing the entry in order to prevent third parties from | |||
| trying to interpret a signature that cannot be validated. | trying to interpret a signature that cannot be validated. | |||
| 15.6. URIs and IRIs | 15.6. URIs and IRIs | |||
| Atom Publishing Protocol implementations handle URIs and IRIs. See | Atom Publishing Protocol implementations handle URIs and IRIs. See | |||
| Section 7 of [RFC3986] and Section 8 of [RFC3987] for security | Section 7 of [RFC3986] and Section 8 of [RFC3987] for security | |||
| considerations related to their handling and use. | considerations related to their handling and use. | |||
| End of changes. 7 change blocks. | ||||
| 12 lines changed or deleted | 8 lines changed or added | |||
This html diff was produced by rfcdiff 1.33. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||