Changeset 2547

Timestamp:

15/01/14 17:14:38 (7 years ago)

Author:

julian.reschke@…

Message:

augment security considerations with pointers to current research (see #549)

Location:

draft-ietf-httpbis/latest

Files:

• p1-messaging.html (modified) (6 diffs)
• p1-messaging.xml (modified) (2 diffs)
• p2-semantics.html (modified) (30 diffs)
• p2-semantics.xml (modified) (2 diffs)
• p4-conditional.html (modified) (6 diffs)
• p4-conditional.xml (modified) (3 diffs)
• p5-range.html (modified) (7 diffs)
• p5-range.xml (modified) (3 diffs)
• p6-cache.html (modified) (7 diffs)
• p6-cache.xml (modified) (2 diffs)
• p7-auth.html (modified) (6 diffs)
• p7-auth.xml (modified) (2 diffs)

draft-ietf-httpbis/latest/p1-messaging.html

@@ -448 +448 @@
   }
   @bottom-center {
-       content: "Expires July 15, 2014";
+       content: "Expires July 19, 2014";
   }
   @bottom-right {
@@ -490 +490 @@
       <meta name="dct.creator" content="Reschke, J. F.">
       <meta name="dct.identifier" content="urn:ietf:id:draft-ietf-httpbis-p1-messaging-latest">
-      <meta name="dct.issued" scheme="ISO8601" content="2014-01-11">
+      <meta name="dct.issued" scheme="ISO8601" content="2014-01-15">
       <meta name="dct.replaces" content="urn:ietf:rfc:2145">
       <meta name="dct.replaces" content="urn:ietf:rfc:2616">
@@ -519 +519 @@
             <tr>
                <td class="left">Intended status: Standards Track</td>
-               <td class="right">January 11, 2014</td>
+               <td class="right">January 15, 2014</td>
             </tr>
             <tr>
-               <td class="left">Expires: July 15, 2014</td>
+               <td class="left">Expires: July 19, 2014</td>
                <td class="right"></td>
             </tr>
@@ -551 +551 @@
             in progress”.
          </p>
-         <p>This Internet-Draft will expire on July 15, 2014.</p>
+         <p>This Internet-Draft will expire on July 19, 2014.</p>
       </div>
       <div id="rfc.copyrightnotice">
@@ -2845 +2845 @@
          <p id="rfc.section.9.p.1">This section is meant to inform developers, information providers, and users of known security concerns relevant to HTTP/1.1
             message syntax, parsing, and routing.
+         </p>
+         <p id="rfc.section.9.p.2">The list of considerations below is not exhaustive — security analysis in an ongoing activity. Various organizations, such
+            as the "Open Web Application Security Project" (OWASP, &lt;<a href="https://www.owasp.org/">https://www.owasp.org/</a>&gt;), provide information about current research.
          </p>
          <div id="dns.related.attacks">
@@ -3449 +3452 @@
                </li>
                <li>&lt;<a href="http://tools.ietf.org/wg/httpbis/trac/ticket/544">http://tools.ietf.org/wg/httpbis/trac/ticket/544</a>&gt;: "moving 2616/2068/2145 to historic"
+               </li>
+               <li>&lt;<a href="http://tools.ietf.org/wg/httpbis/trac/ticket/549">http://tools.ietf.org/wg/httpbis/trac/ticket/549</a>&gt;: "augment security considerations with pointers to current research"
                </li>
             </ul>

draft-ietf-httpbis/latest/p1-messaging.xml

@@ -3848 +3848 @@
    users of known security concerns relevant to HTTP/1.1 message syntax,
    parsing, and routing.
+</t>
+<t>
+   The list of considerations below is not exhaustive &mdash; security
+   analysis in an ongoing activity. Various organizations, such as the 
+   "Open Web Application Security Project" (OWASP,
+   <eref target="https://www.owasp.org/"/>), provide information about current
+   research.
 </t>
 
@@ -5463 +5470 @@
       "moving 2616/2068/2145 to historic"
     </t>
+    <t>
+      <eref target="http://tools.ietf.org/wg/httpbis/trac/ticket/549"/>:
+      "augment security considerations with pointers to current research"
+    </t>
   </list>
 </t>

draft-ietf-httpbis/latest/p2-semantics.html

@@ -448 +448 @@
   }
   @bottom-center {
-       content: "Expires July 12, 2014";
+       content: "Expires July 19, 2014";
   }
   @bottom-right {
@@ -493 +493 @@
       <meta name="dct.creator" content="Reschke, J. F.">
       <meta name="dct.identifier" content="urn:ietf:id:draft-ietf-httpbis-p2-semantics-latest">
-      <meta name="dct.issued" scheme="ISO8601" content="2014-01-08">
+      <meta name="dct.issued" scheme="ISO8601" content="2014-01-15">
       <meta name="dct.replaces" content="urn:ietf:rfc:2616">
       <meta name="dct.abstract" content="The Hypertext Transfer Protocol (HTTP) is an application-level protocol for distributed, collaborative, hypertext information systems. This document defines the semantics of HTTP/1.1 messages, as expressed by request methods, request header fields, response status codes, and response header fields, along with the payload of messages (metadata and body content) and mechanisms for content negotiation.">
@@ -521 +521 @@
             <tr>
                <td class="left">Intended status: Standards Track</td>
-               <td class="right">January 8, 2014</td>
+               <td class="right">January 15, 2014</td>
             </tr>
             <tr>
-               <td class="left">Expires: July 12, 2014</td>
+               <td class="left">Expires: July 19, 2014</td>
                <td class="right"></td>
             </tr>
@@ -553 +553 @@
             in progress”.
          </p>
-         <p>This Internet-Draft will expire on July 12, 2014.</p>
+         <p>This Internet-Draft will expire on July 19, 2014.</p>
       </div>
       <div id="rfc.copyrightnotice">
@@ -859 +859 @@
          <p id="rfc.section.3.p.3">An origin server might be provided with, or capable of generating, multiple representations that are each intended to reflect
             the current state of a <a href="#resources" class="smpl">target resource</a>. In such cases, some algorithm is used by the origin server to select one of those representations as most applicable to
-            a given request, usually based on <a href="#content.negotiation" class="smpl">content negotiation</a>. We refer to that one representation as the "<dfn>selected representation</dfn>" and use its particular data and metadata for evaluating conditional requests <a href="#Part4" id="rfc.xref.Part4.1"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Conditional Requests">[Part4]</cite></a> and constructing the payload for <a href="#status.200" class="smpl">200 (OK)</a> and <a href="p4-conditional.html#status.304" class="smpl">304 (Not Modified)</a> responses to GET (<a href="#GET" id="rfc.xref.GET.1" title="GET">Section&nbsp;4.3.1</a>).
+            a given request, usually based on <a href="#content.negotiation" class="smpl">content negotiation</a>. We refer to that one representation as the "<dfn>selected representation</dfn>" and use its particular data and metadata for evaluating conditional requests <a href="#Part4" id="rfc.xref.Part4.1"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Conditional Requests">[Part4]</cite></a> and constructing the payload for <a href="#status.200" class="smpl">200 (OK)</a> and 
+            <div class="error">ERROR: Anchor '304 (Not Modified)' not found in source file 'p4-conditional.xml'. (at line 325)</div><a href="http://tools.ietf.org/html/draft-ietf-httpbis-p4-conditional-latest" class="smpl">304 (Not Modified)</a> responses to GET (<a href="#GET" id="rfc.xref.GET.1" title="GET">Section&nbsp;4.3.1</a>).
          </p>
          <div id="representation.metadata">
@@ -965 +966 @@
                   <p id="rfc.section.3.1.1.4.p.2">HTTP message framing does not use the multipart boundary as an indicator of message body length, though it might be used by
                      implementations that generate or process the payload. For example, the "multipart/form-data" type is often used for carrying
-                     form data in a request, as described in <a href="#RFC2388" id="rfc.xref.RFC2388.1"><cite title="Returning Values from Forms: multipart/form-data">[RFC2388]</cite></a>, and the "multipart/byteranges" type is defined by this specification for use in some <a href="p5-range.html#status.206" class="smpl">206 (Partial Content)</a> responses <a href="#Part5" id="rfc.xref.Part5.1"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Range Requests">[Part5]</cite></a>.
+                     form data in a request, as described in <a href="#RFC2388" id="rfc.xref.RFC2388.1"><cite title="Returning Values from Forms: multipart/form-data">[RFC2388]</cite></a>, and the "multipart/byteranges" type is defined by this specification for use in some 
+                     <div class="error">ERROR: Anchor '206 (Partial Content)' not found in source file 'p5-range.xml'. (at line 478)</div><a href="http://tools.ietf.org/html/draft-ietf-httpbis-p5-range-latest" class="smpl">206 (Partial Content)</a> responses <a href="#Part5" id="rfc.xref.Part5.1"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Range Requests">[Part5]</cite></a>.
                   </p>
                </div>
@@ -1113 +1115 @@
                   <p id="rfc.section.3.1.4.1.p.3">For a response message, the following rules are applied in order until a match is found: </p>
                   <ol>
-                     <li>If the request is GET or HEAD and the response status code is <a href="#status.200" class="smpl">200 (OK)</a>, <a href="#status.204" class="smpl">204 (No Content)</a>, <a href="p5-range.html#status.206" class="smpl">206 (Partial Content)</a>, or <a href="p4-conditional.html#status.304" class="smpl">304 (Not Modified)</a>, the payload is a representation of the resource identified by the effective request URI (<a href="p1-messaging.html#effective.request.uri" title="Effective Request URI">Section 5.5</a> of <a href="#Part1" id="rfc.xref.Part1.11"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing">[Part1]</cite></a>).
+                     <li>If the request is GET or HEAD and the response status code is <a href="#status.200" class="smpl">200 (OK)</a>, <a href="#status.204" class="smpl">204 (No Content)</a>, 
+                        <div class="error">ERROR: Anchor '206 (Partial Content)' not found in source file 'p5-range.xml'. (at line 743)</div><a href="http://tools.ietf.org/html/draft-ietf-httpbis-p5-range-latest" class="smpl">206 (Partial Content)</a>, or 
+                        <div class="error">ERROR: Anchor '304 (Not Modified)' not found in source file 'p4-conditional.xml'. (at line 744)</div><a href="http://tools.ietf.org/html/draft-ietf-httpbis-p4-conditional-latest" class="smpl">304 (Not Modified)</a>, the payload is a representation of the resource identified by the effective request URI (<a href="p1-messaging.html#effective.request.uri" title="Effective Request URI">Section 5.5</a> of <a href="#Part1" id="rfc.xref.Part1.11"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing">[Part1]</cite></a>).
                      </li>
                      <li>If the request is GET or HEAD and the response status code is <a href="#status.203" class="smpl">203 (Non-Authoritative Information)</a>, the payload is a potentially modified or enhanced representation of the <a href="#resources" class="smpl">target resource</a> as provided by an intermediary.
@@ -1190 +1194 @@
             <h2 id="rfc.section.3.3"><a href="#rfc.section.3.3">3.3</a>&nbsp;<a href="#payload">Payload Semantics</a></h2>
             <p id="rfc.section.3.3.p.1">Some HTTP messages transfer a complete or partial representation as the message "<dfn>payload</dfn>". In some cases, a payload might contain only the associated representation's header fields (e.g., responses to HEAD) or
-               only some part(s) of the representation data (e.g., the <a href="p5-range.html#status.206" class="smpl">206 (Partial Content)</a> status code).
+               only some part(s) of the representation data (e.g., the 
+               <div class="error">ERROR: Anchor '206 (Partial Content)' not found in source file 'p5-range.xml'. (at line 884)</div><a href="http://tools.ietf.org/html/draft-ietf-httpbis-p5-range-latest" class="smpl">206 (Partial Content)</a> status code).
             </p>
             <p id="rfc.section.3.3.p.2">The purpose of a payload in a request is defined by the method semantics. For example, a representation in the payload of
@@ -1219 +1224 @@
                      <tr>
                         <td class="left">Content-Range</td>
-                        <td class="left"><a href="p5-range.html#header.content-range" title="Content-Range">Section 4.2</a> of <a href="#Part5" id="rfc.xref.Part5.2"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Range Requests">[Part5]</cite></a></td>
+                        <td class="left"><a href="p5-range.html#header.content-range" title="ERROR: Anchor 'header.content-range' not found in p5-range.xml.">Appendix ERROR: Anchor 'header.content-range' in Part5 not found in source file 'p5-range.xml'.</a> of <a href="#Part5" id="rfc.xref.Part5.2"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Range Requests">[Part5]</cite></a></td>
                      </tr>
                      <tr>
@@ -1475 +1480 @@
                </p>
                <p id="rfc.section.4.3.1.p.3">A client can alter the semantics of GET to be a "range request", requesting transfer of only some part(s) of the selected
-                  representation, by sending a <a href="p5-range.html#header.range" class="smpl">Range</a> header field in the request (<a href="#Part5" id="rfc.xref.Part5.3"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Range Requests">[Part5]</cite></a>).
+                  representation, by sending a 
+                  <div class="error">ERROR: Anchor 'Range' not found in source file 'p5-range.xml'. (at line 1318)</div><a href="http://tools.ietf.org/html/draft-ietf-httpbis-p5-range-latest" class="smpl">Range</a> header field in the request (<a href="#Part5" id="rfc.xref.Part5.3"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Range Requests">[Part5]</cite></a>).
                </p>
                <p id="rfc.section.4.3.1.p.4">A payload within a GET request message has no defined semantics; sending a payload body on a GET request might cause some
@@ -1562 +1568 @@
                   the server.
                </p>
-               <p id="rfc.section.4.3.4.p.7">An origin server <em class="bcp14">MUST NOT</em> send a validator header field (<a href="#response.validator" title="Validator Header Fields">Section&nbsp;7.2</a>), such as an <a href="p4-conditional.html#header.etag" class="smpl">ETag</a> or <a href="p4-conditional.html#header.last-modified" class="smpl">Last-Modified</a> field, in a successful response to PUT unless the request's representation data was saved without any transformation applied
+               <p id="rfc.section.4.3.4.p.7">An origin server <em class="bcp14">MUST NOT</em> send a validator header field (<a href="#response.validator" title="Validator Header Fields">Section&nbsp;7.2</a>), such as an 
+                  <div class="error">ERROR: Anchor 'ETag' not found in source file 'p4-conditional.xml'. (at line 1491)</div><a href="http://tools.ietf.org/html/draft-ietf-httpbis-p4-conditional-latest" class="smpl">ETag</a> or 
+                  <div class="error">ERROR: Anchor 'Last-Modified' not found in source file 'p4-conditional.xml'. (at line 1492)</div><a href="http://tools.ietf.org/html/draft-ietf-httpbis-p4-conditional-latest" class="smpl">Last-Modified</a> field, in a successful response to PUT unless the request's representation data was saved without any transformation applied
                   to the body (i.e., the resource's new representation data is identical to the representation data received in the PUT request)
                   and the validator field value reflects the new representation. This requirement allows a user agent to know when the representation
@@ -1585 +1593 @@
                   and might also cause links to be added between the related resources.
                </p>
-               <p id="rfc.section.4.3.4.p.11">An origin server that allows PUT on a given target resource <em class="bcp14">MUST</em> send a <a href="#status.400" class="smpl">400 (Bad Request)</a> response to a PUT request that contains a <a href="p5-range.html#header.content-range" class="smpl">Content-Range</a> header field (<a href="p5-range.html#header.content-range" title="Content-Range">Section 4.2</a> of <a href="#Part5" id="rfc.xref.Part5.4"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Range Requests">[Part5]</cite></a>), since the payload is likely to be partial content that has been mistakenly PUT as a full representation. Partial content
+               <p id="rfc.section.4.3.4.p.11">An origin server that allows PUT on a given target resource <em class="bcp14">MUST</em> send a <a href="#status.400" class="smpl">400 (Bad Request)</a> response to a PUT request that contains a 
+                  <div class="error">ERROR: Anchor 'Content-Range' not found in source file 'p5-range.xml'. (at line 1539)</div><a href="http://tools.ietf.org/html/draft-ietf-httpbis-p5-range-latest" class="smpl">Content-Range</a> header field (<a href="p5-range.html#header.content-range" title="ERROR: Anchor 'header.content-range' not found in p5-range.xml.">Appendix ERROR: Anchor 'header.content-range' in Part5 not found in source file 'p5-range.xml'.</a> of <a href="#Part5" id="rfc.xref.Part5.4"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Range Requests">[Part5]</cite></a>), since the payload is likely to be partial content that has been mistakenly PUT as a full representation. Partial content
                   updates are possible by targeting a separately identified resource with state that overlaps a portion of the larger resource,
                   or by using a different method that has been specifically defined for partial updates (for example, the PATCH method defined
@@ -1751 +1760 @@
                      <tr>
                         <td class="left">Range</td>
-                        <td class="left"><a href="p5-range.html#header.range" title="Range">Section 3.1</a> of <a href="#Part5" id="rfc.xref.Part5.5"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Range Requests">[Part5]</cite></a></td>
+                        <td class="left"><a href="p5-range.html#header.range" title="ERROR: Anchor 'header.range' not found in p5-range.xml.">Appendix ERROR: Anchor 'header.range' in Part5 not found in source file 'p5-range.xml'.</a> of <a href="#Part5" id="rfc.xref.Part5.5"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Range Requests">[Part5]</cite></a></td>
                      </tr>
                      <tr>
@@ -1851 +1860 @@
                of a comparison between a set of validators obtained from prior representations of the target resource to the current state
                of validators for the <a href="#representations" class="smpl">selected representation</a> (<a href="#response.validator" title="Validator Header Fields">Section&nbsp;7.2</a>). Hence, these preconditions evaluate whether the state of the target resource has changed since a given state known by the
-               client. The effect of such an evaluation depends on the method semantics and choice of conditional, as defined in <a href="p4-conditional.html#evaluation" title="Evaluation">Section 5</a> of <a href="#Part4" id="rfc.xref.Part4.4"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Conditional Requests">[Part4]</cite></a>.
+               client. The effect of such an evaluation depends on the method semantics and choice of conditional, as defined in <a href="p4-conditional.html#evaluation" title="ERROR: Anchor 'evaluation' not found in p4-conditional.xml.">Appendix ERROR: Anchor 'evaluation' in Part4 not found in source file 'p4-conditional.xml'.</a> of <a href="#Part4" id="rfc.xref.Part4.4"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Conditional Requests">[Part4]</cite></a>.
             </p>
             <div id="rfc.table.u.4">
@@ -1864 +1873 @@
                      <tr>
                         <td class="left">If-Match</td>
-                        <td class="left"><a href="p4-conditional.html#header.if-match" title="If-Match">Section 3.1</a> of <a href="#Part4" id="rfc.xref.Part4.5"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Conditional Requests">[Part4]</cite></a></td>
+                        <td class="left"><a href="p4-conditional.html#header.if-match" title="ERROR: Anchor 'header.if-match' not found in p4-conditional.xml.">Appendix ERROR: Anchor 'header.if-match' in Part4 not found in source file 'p4-conditional.xml'.</a> of <a href="#Part4" id="rfc.xref.Part4.5"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Conditional Requests">[Part4]</cite></a></td>
                      </tr>
                      <tr>
                         <td class="left">If-None-Match</td>
-                        <td class="left"><a href="p4-conditional.html#header.if-none-match" title="If-None-Match">Section 3.2</a> of <a href="#Part4" id="rfc.xref.Part4.6"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Conditional Requests">[Part4]</cite></a></td>
+                        <td class="left"><a href="p4-conditional.html#header.if-none-match" title="ERROR: Anchor 'header.if-none-match' not found in p4-conditional.xml.">Appendix ERROR: Anchor 'header.if-none-match' in Part4 not found in source file 'p4-conditional.xml'.</a> of <a href="#Part4" id="rfc.xref.Part4.6"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Conditional Requests">[Part4]</cite></a></td>
                      </tr>
                      <tr>
                         <td class="left">If-Modified-Since</td>
-                        <td class="left"><a href="p4-conditional.html#header.if-modified-since" title="If-Modified-Since">Section 3.3</a> of <a href="#Part4" id="rfc.xref.Part4.7"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Conditional Requests">[Part4]</cite></a></td>
+                        <td class="left"><a href="p4-conditional.html#header.if-modified-since" title="ERROR: Anchor 'header.if-modified-since' not found in p4-conditional.xml.">Appendix ERROR: Anchor 'header.if-modified-since' in Part4 not found in source file 'p4-conditional.xml'.</a> of <a href="#Part4" id="rfc.xref.Part4.7"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Conditional Requests">[Part4]</cite></a></td>
                      </tr>
                      <tr>
                         <td class="left">If-Unmodified-Since</td>
-                        <td class="left"><a href="p4-conditional.html#header.if-unmodified-since" title="If-Unmodified-Since">Section 3.4</a> of <a href="#Part4" id="rfc.xref.Part4.8"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Conditional Requests">[Part4]</cite></a></td>
+                        <td class="left"><a href="p4-conditional.html#header.if-unmodified-since" title="ERROR: Anchor 'header.if-unmodified-since' not found in p4-conditional.xml.">Appendix ERROR: Anchor 'header.if-unmodified-since' in Part4 not found in source file 'p4-conditional.xml'.</a> of <a href="#Part4" id="rfc.xref.Part4.8"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Conditional Requests">[Part4]</cite></a></td>
                      </tr>
                      <tr>
                         <td class="left">If-Range</td>
-                        <td class="left"><a href="p5-range.html#header.if-range" title="If-Range">Section 3.2</a> of <a href="#Part5" id="rfc.xref.Part5.6"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Range Requests">[Part5]</cite></a></td>
+                        <td class="left"><a href="p5-range.html#header.if-range" title="ERROR: Anchor 'header.if-range' not found in p5-range.xml.">Appendix ERROR: Anchor 'header.if-range' in Part5 not found in source file 'p5-range.xml'.</a> of <a href="#Part5" id="rfc.xref.Part5.6"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Range Requests">[Part5]</cite></a></td>
                      </tr>
                   </tbody>
@@ -2307 +2316 @@
          <div id="overview.of.status.codes">
             <h2 id="rfc.section.6.1"><a href="#rfc.section.6.1">6.1</a>&nbsp;<a href="#overview.of.status.codes">Overview of Status Codes</a></h2>
-            <p id="rfc.section.6.1.p.1">The status codes listed below are defined in this specification, <a href="p4-conditional.html#status.code.definitions" title="Status Code Definitions">Section 4</a> of <a href="#Part4" id="rfc.xref.Part4.9"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Conditional Requests">[Part4]</cite></a>, <a href="p5-range.html#range.response" title="Responses to a Range Request">Section 4</a> of <a href="#Part5" id="rfc.xref.Part5.7"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Range Requests">[Part5]</cite></a>, and <a href="p7-auth.html#status.code.definitions" title="Status Code Definitions">Section 3</a> of <a href="#Part7" id="rfc.xref.Part7.5"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Authentication">[Part7]</cite></a>. The reason phrases listed here are only recommendations — they can be replaced by local equivalents without affecting the
+            <p id="rfc.section.6.1.p.1">The status codes listed below are defined in this specification, <a href="p4-conditional.html#status.code.definitions" title="ERROR: Anchor 'status.code.definitions' not found in p4-conditional.xml.">Appendix ERROR: Anchor 'status.code.definitions' in Part4 not found in source file 'p4-conditional.xml'.</a> of <a href="#Part4" id="rfc.xref.Part4.9"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Conditional Requests">[Part4]</cite></a>, <a href="p5-range.html#range.response" title="ERROR: Anchor 'range.response' not found in p5-range.xml.">Appendix ERROR: Anchor 'range.response' in Part5 not found in source file 'p5-range.xml'.</a> of <a href="#Part5" id="rfc.xref.Part5.7"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Range Requests">[Part5]</cite></a>, and <a href="p7-auth.html#status.code.definitions" title="Status Code Definitions">Section 3</a> of <a href="#Part7" id="rfc.xref.Part7.5"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Authentication">[Part7]</cite></a>. The reason phrases listed here are only recommendations — they can be replaced by local equivalents without affecting the
                protocol.
             </p>
@@ -2367 +2376 @@
                         <td class="left">206</td>
                         <td class="left">Partial Content</td>
-                        <td id="status.206" class="left"><a href="p5-range.html#status.206" title="206 Partial Content">Section 4.1</a> of <a href="#Part5" id="rfc.xref.Part5.8"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Range Requests">[Part5]</cite></a></td>
+                        <td id="status.206" class="left"><a href="p5-range.html#status.206" title="ERROR: Anchor 'status.206' not found in p5-range.xml.">Appendix ERROR: Anchor 'status.206' in Part5 not found in source file 'p5-range.xml'.</a> of <a href="#Part5" id="rfc.xref.Part5.8"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Range Requests">[Part5]</cite></a></td>
                      </tr>
                      <tr>
@@ -2392 +2401 @@
                         <td class="left">304</td>
                         <td class="left">Not Modified</td>
-                        <td id="status.304" class="left"><a href="p4-conditional.html#status.304" title="304 Not Modified">Section 4.1</a> of <a href="#Part4" id="rfc.xref.Part4.10"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Conditional Requests">[Part4]</cite></a></td>
+                        <td id="status.304" class="left"><a href="p4-conditional.html#status.304" title="ERROR: Anchor 'status.304' not found in p4-conditional.xml.">Appendix ERROR: Anchor 'status.304' in Part4 not found in source file 'p4-conditional.xml'.</a> of <a href="#Part4" id="rfc.xref.Part4.10"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Conditional Requests">[Part4]</cite></a></td>
                      </tr>
                      <tr>
@@ -2467 +2476 @@
                         <td class="left">412</td>
                         <td class="left">Precondition Failed</td>
-                        <td id="status.412" class="left"><a href="p4-conditional.html#status.412" title="412 Precondition Failed">Section 4.2</a> of <a href="#Part4" id="rfc.xref.Part4.11"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Conditional Requests">[Part4]</cite></a></td>
+                        <td id="status.412" class="left"><a href="p4-conditional.html#status.412" title="ERROR: Anchor 'status.412' not found in p4-conditional.xml.">Appendix ERROR: Anchor 'status.412' in Part4 not found in source file 'p4-conditional.xml'.</a> of <a href="#Part4" id="rfc.xref.Part4.11"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Conditional Requests">[Part4]</cite></a></td>
                      </tr>
                      <tr>
@@ -2487 +2496 @@
                         <td class="left">416</td>
                         <td class="left">Range Not Satisfiable</td>
-                        <td id="status.416" class="left"><a href="p5-range.html#status.416" title="416 Range Not Satisfiable">Section 4.4</a> of <a href="#Part5" id="rfc.xref.Part5.9"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Range Requests">[Part5]</cite></a></td>
+                        <td id="status.416" class="left"><a href="p5-range.html#status.416" title="ERROR: Anchor 'status.416' not found in p5-range.xml.">Appendix ERROR: Anchor 'status.416' in Part5 not found in source file 'p5-range.xml'.</a> of <a href="#Part5" id="rfc.xref.Part5.9"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Range Requests">[Part5]</cite></a></td>
                      </tr>
                      <tr>
@@ -2614 +2623 @@
                   primary resource created by the request is identified by either a <a href="#header.location" class="smpl">Location</a> header field in the response or, if no <a href="#header.location" class="smpl">Location</a> field is received, by the effective request URI.
                </p>
-               <p id="rfc.section.6.3.2.p.2">The 201 response payload typically describes and links to the resource(s) created. See <a href="#response.validator" title="Validator Header Fields">Section&nbsp;7.2</a> for a discussion of the meaning and purpose of validator header fields, such as <a href="p4-conditional.html#header.etag" class="smpl">ETag</a> and <a href="p4-conditional.html#header.last-modified" class="smpl">Last-Modified</a>, in a 201 response.
+               <p id="rfc.section.6.3.2.p.2">The 201 response payload typically describes and links to the resource(s) created. See <a href="#response.validator" title="Validator Header Fields">Section&nbsp;7.2</a> for a discussion of the meaning and purpose of validator header fields, such as 
+                  <div class="error">ERROR: Anchor 'ETag' not found in source file 'p4-conditional.xml'. (at line 2866)</div><a href="http://tools.ietf.org/html/draft-ietf-httpbis-p4-conditional-latest" class="smpl">ETag</a> and 
+                  <div class="error">ERROR: Anchor 'Last-Modified' not found in source file 'p4-conditional.xml'. (at line 2866)</div><a href="http://tools.ietf.org/html/draft-ietf-httpbis-p4-conditional-latest" class="smpl">Last-Modified</a>, in a 201 response.
                </p>
             </div>
@@ -2650 +2661 @@
                   in the response payload body. Metadata in the response header fields refer to the <a href="#resources" class="smpl">target resource</a> and its <a href="#representations" class="smpl">selected representation</a> after the requested action was applied.
                </p>
-               <p id="rfc.section.6.3.5.p.2">For example, if a 204 status code is received in response to a PUT request and the response contains an <a href="p4-conditional.html#header.etag" class="smpl">ETag</a> header field, then the PUT was successful and the ETag field-value contains the entity-tag for the new representation of that
+               <p id="rfc.section.6.3.5.p.2">For example, if a 204 status code is received in response to a PUT request and the response contains an 
+                  <div class="error">ERROR: Anchor 'ETag' not found in source file 'p4-conditional.xml'. (at line 2929)</div><a href="http://tools.ietf.org/html/draft-ietf-httpbis-p4-conditional-latest" class="smpl">ETag</a> header field, then the PUT was successful and the ETag field-value contains the entity-tag for the new representation of that
                   target resource.
                </p>
@@ -2705 +2717 @@
                </li>
                <li>
-                  <p>Redirection to a previously cached result, as in the <a href="p4-conditional.html#status.304" class="smpl">304 (Not Modified)</a> status code.
+                  <p>Redirection to a previously cached result, as in the 
+                     <div class="error">ERROR: Anchor '304 (Not Modified)' not found in source file 'p4-conditional.xml'. (at line 3036)</div><a href="http://tools.ietf.org/html/draft-ietf-httpbis-p4-conditional-latest" class="smpl">304 (Not Modified)</a> status code.
                   </p>
                </li>
@@ -3338 +3351 @@
                      <tr>
                         <td class="left">ETag</td>
-                        <td class="left"><a href="p4-conditional.html#header.etag" title="ETag">Section 2.3</a> of <a href="#Part4" id="rfc.xref.Part4.13"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Conditional Requests">[Part4]</cite></a></td>
+                        <td class="left"><a href="p4-conditional.html#header.etag" title="ERROR: Anchor 'header.etag' not found in p4-conditional.xml.">Appendix ERROR: Anchor 'header.etag' in Part4 not found in source file 'p4-conditional.xml'.</a> of <a href="#Part4" id="rfc.xref.Part4.13"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Conditional Requests">[Part4]</cite></a></td>
                      </tr>
                      <tr>
                         <td class="left">Last-Modified</td>
-                        <td class="left"><a href="p4-conditional.html#header.last-modified" title="Last-Modified">Section 2.2</a> of <a href="#Part4" id="rfc.xref.Part4.14"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Conditional Requests">[Part4]</cite></a></td>
+                        <td class="left"><a href="p4-conditional.html#header.last-modified" title="ERROR: Anchor 'header.last-modified' not found in p4-conditional.xml.">Appendix ERROR: Anchor 'header.last-modified' in Part4 not found in source file 'p4-conditional.xml'.</a> of <a href="#Part4" id="rfc.xref.Part4.14"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Conditional Requests">[Part4]</cite></a></td>
                      </tr>
                   </tbody>
@@ -3389 +3402 @@
                      <tr>
                         <td class="left">Accept-Ranges</td>
-                        <td class="left"><a href="p5-range.html#header.accept-ranges" title="Accept-Ranges">Section 2.3</a> of <a href="#Part5" id="rfc.xref.Part5.10"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Range Requests">[Part5]</cite></a></td>
+                        <td class="left"><a href="p5-range.html#header.accept-ranges" title="ERROR: Anchor 'header.accept-ranges' not found in p5-range.xml.">Appendix ERROR: Anchor 'header.accept-ranges' in Part5 not found in source file 'p5-range.xml'.</a> of <a href="#Part5" id="rfc.xref.Part5.10"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Range Requests">[Part5]</cite></a></td>
                      </tr>
                      <tr>
@@ -4138 +4151 @@
             semantics and its use for transferring information over the Internet. Considerations related to message syntax, parsing, and
             routing are discussed in <a href="p1-messaging.html#security.considerations" title="Security Considerations">Section 9</a> of <a href="#Part1" id="rfc.xref.Part1.42"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing">[Part1]</cite></a>.
+         </p>
+         <p id="rfc.section.9.p.2">The list of considerations below is not exhaustive — security analysis in an ongoing activity. Various organizations, such
+            as the "Open Web Application Security Project" (OWASP, &lt;<a href="https://www.owasp.org/">https://www.owasp.org/</a>&gt;), provide information about current research.
          </p>
          <div id="attack.pathname">
@@ -4498 +4514 @@
                fold long lines. MHTML messages being transported by HTTP follow all conventions of MHTML, including line length limitations
                and folding, canonicalization, etc., since HTTP transfers message-bodies as payload and, aside from the "multipart/byteranges"
-               type (<a href="p5-range.html#internet.media.type.multipart.byteranges" title="Internet Media Type multipart/byteranges">Appendix A</a> of <a href="#Part5" id="rfc.xref.Part5.12"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Range Requests">[Part5]</cite></a>), does not interpret the content or any MIME header lines that might be contained therein.
+               type (<a href="p5-range.html#internet.media.type.multipart.byteranges" title="ERROR: Anchor 'internet.media.type.multipart.byteranges' not found in p5-range.xml.">Appendix ERROR: Anchor 'internet.media.type.multipart.byteranges' in Part5 not found in source file 'p5-range.xml'.</a> of <a href="#Part5" id="rfc.xref.Part5.12"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Range Requests">[Part5]</cite></a>), does not interpret the content or any MIME header lines that might be contained therein.
             </p>
          </div>
@@ -4522 +4538 @@
          <p id="rfc.section.B.p.6">To be consistent with the method-neutral parsing algorithm of <a href="#Part1" id="rfc.xref.Part1.45"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing">[Part1]</cite></a>, the definition of GET has been relaxed so that requests can have a body, even though a body has no meaning for GET. (<a href="#GET" id="rfc.xref.GET.5" title="GET">Section&nbsp;4.3.1</a>)
          </p>
-         <p id="rfc.section.B.p.7">Servers are no longer required to handle all Content-* header fields and use of <a href="p5-range.html#header.content-range" class="smpl">Content-Range</a> has been explicitly banned in PUT requests. (<a href="#PUT" id="rfc.xref.PUT.4" title="PUT">Section&nbsp;4.3.4</a>)
+         <p id="rfc.section.B.p.7">Servers are no longer required to handle all Content-* header fields and use of 
+            <div class="error">ERROR: Anchor 'Content-Range' not found in source file 'p5-range.xml'. (at line 5924)</div><a href="http://tools.ietf.org/html/draft-ietf-httpbis-p5-range-latest" class="smpl">Content-Range</a> has been explicitly banned in PUT requests. (<a href="#PUT" id="rfc.xref.PUT.4" title="PUT">Section&nbsp;4.3.4</a>)
          </p>
          <p id="rfc.section.B.p.8">Definition of the CONNECT method has been moved from <a href="#RFC2817" id="rfc.xref.RFC2817.2"><cite title="Upgrading to TLS Within HTTP/1.1">[RFC2817]</cite></a> to this specification. (<a href="#CONNECT" id="rfc.xref.CONNECT.3" title="CONNECT">Section&nbsp;4.3.6</a>)
@@ -4759 +4776 @@
                </li>
                <li>&lt;<a href="http://tools.ietf.org/wg/httpbis/trac/ticket/546">http://tools.ietf.org/wg/httpbis/trac/ticket/546</a>&gt;: "considerations for new headers: privacy"
+               </li>
+               <li>&lt;<a href="http://tools.ietf.org/wg/httpbis/trac/ticket/549">http://tools.ietf.org/wg/httpbis/trac/ticket/549</a>&gt;: "augment security considerations with pointers to current research"
                </li>
             </ul>
@@ -4990 +5009 @@
                   </li>
                   <li><em>Part4</em>&nbsp;&nbsp;<a href="#rfc.xref.Part4.1">3</a>, <a href="#rfc.xref.Part4.2">4.1</a>, <a href="#rfc.xref.Part4.3">5.2</a>, <a href="#rfc.xref.Part4.4">5.2</a>, <a href="#rfc.xref.Part4.5">5.2</a>, <a href="#rfc.xref.Part4.6">5.2</a>, <a href="#rfc.xref.Part4.7">5.2</a>, <a href="#rfc.xref.Part4.8">5.2</a>, <a href="#rfc.xref.Part4.9">6.1</a>, <a href="#rfc.xref.Part4.10">6.1</a>, <a href="#rfc.xref.Part4.11">6.1</a>, <a href="#rfc.xref.Part4.12">7.2</a>, <a href="#rfc.xref.Part4.13">7.2</a>, <a href="#rfc.xref.Part4.14">7.2</a>, <a href="#Part4"><b>11.1</b></a><ul>
-                        <li><em>Section 2.2</em>&nbsp;&nbsp;<a href="#rfc.xref.Part4.14">7.2</a></li>
-                        <li><em>Section 2.3</em>&nbsp;&nbsp;<a href="#rfc.xref.Part4.13">7.2</a></li>
-                        <li><em>Section 3.1</em>&nbsp;&nbsp;<a href="#rfc.xref.Part4.5">5.2</a></li>
-                        <li><em>Section 3.2</em>&nbsp;&nbsp;<a href="#rfc.xref.Part4.6">5.2</a></li>
-                        <li><em>Section 3.3</em>&nbsp;&nbsp;<a href="#rfc.xref.Part4.7">5.2</a></li>
-                        <li><em>Section 3.4</em>&nbsp;&nbsp;<a href="#rfc.xref.Part4.8">5.2</a></li>
-                        <li><em>Section 4</em>&nbsp;&nbsp;<a href="#rfc.xref.Part4.9">6.1</a></li>
-                        <li><em>Section 4.1</em>&nbsp;&nbsp;<a href="#rfc.xref.Part4.10">6.1</a></li>
-                        <li><em>Section 4.2</em>&nbsp;&nbsp;<a href="#rfc.xref.Part4.11">6.1</a></li>
-                        <li><em>Section 5</em>&nbsp;&nbsp;<a href="#rfc.xref.Part4.4">5.2</a></li>
+                        <li><em>Appendix </em>&nbsp;&nbsp;<a href="#rfc.xref.Part4.4">5.2</a></li>
+                        <li><em>Appendix </em>&nbsp;&nbsp;<a href="#rfc.xref.Part4.5">5.2</a></li>
+                        <li><em>Appendix </em>&nbsp;&nbsp;<a href="#rfc.xref.Part4.6">5.2</a></li>
+                        <li><em>Appendix </em>&nbsp;&nbsp;<a href="#rfc.xref.Part4.7">5.2</a></li>
+                        <li><em>Appendix </em>&nbsp;&nbsp;<a href="#rfc.xref.Part4.8">5.2</a></li>
+                        <li><em>Appendix </em>&nbsp;&nbsp;<a href="#rfc.xref.Part4.9">6.1</a></li>
+                        <li><em>Appendix </em>&nbsp;&nbsp;<a href="#rfc.xref.Part4.10">6.1</a></li>
+                        <li><em>Appendix </em>&nbsp;&nbsp;<a href="#rfc.xref.Part4.11">6.1</a></li>
+                        <li><em>Appendix </em>&nbsp;&nbsp;<a href="#rfc.xref.Part4.13">7.2</a></li>
+                        <li><em>Appendix </em>&nbsp;&nbsp;<a href="#rfc.xref.Part4.14">7.2</a></li>
                      </ul>
                   </li>
                   <li><em>Part5</em>&nbsp;&nbsp;<a href="#rfc.xref.Part5.1">3.1.1.4</a>, <a href="#rfc.xref.Part5.2">3.3</a>, <a href="#rfc.xref.Part5.3">4.3.1</a>, <a href="#rfc.xref.Part5.4">4.3.4</a>, <a href="#rfc.xref.Part5.5">5.1</a>, <a href="#rfc.xref.Part5.6">5.2</a>, <a href="#rfc.xref.Part5.7">6.1</a>, <a href="#rfc.xref.Part5.8">6.1</a>, <a href="#rfc.xref.Part5.9">6.1</a>, <a href="#rfc.xref.Part5.10">7.4</a>, <a href="#rfc.xref.Part5.11">8.1.2</a>, <a href="#Part5"><b>11.1</b></a>, <a href="#rfc.xref.Part5.12">A.6</a><ul>
-                        <li><em>Section 2.3</em>&nbsp;&nbsp;<a href="#rfc.xref.Part5.10">7.4</a></li>
-                        <li><em>Section 3.1</em>&nbsp;&nbsp;<a href="#rfc.xref.Part5.5">5.1</a></li>
-                        <li><em>Section 3.2</em>&nbsp;&nbsp;<a href="#rfc.xref.Part5.6">5.2</a></li>
-                        <li><em>Section 4</em>&nbsp;&nbsp;<a href="#rfc.xref.Part5.7">6.1</a></li>
-                        <li><em>Section 4.1</em>&nbsp;&nbsp;<a href="#rfc.xref.Part5.8">6.1</a></li>
-                        <li><em>Section 4.2</em>&nbsp;&nbsp;<a href="#rfc.xref.Part5.2">3.3</a>, <a href="#rfc.xref.Part5.4">4.3.4</a></li>
-                        <li><em>Section 4.4</em>&nbsp;&nbsp;<a href="#rfc.xref.Part5.9">6.1</a></li>
-                        <li><em>Appendix A</em>&nbsp;&nbsp;<a href="#rfc.xref.Part5.12">A.6</a></li>
+                        <li><em>Appendix </em>&nbsp;&nbsp;<a href="#rfc.xref.Part5.2">3.3</a>, <a href="#rfc.xref.Part5.4">4.3.4</a></li>
+                        <li><em>Appendix </em>&nbsp;&nbsp;<a href="#rfc.xref.Part5.5">5.1</a></li>
+                        <li><em>Appendix </em>&nbsp;&nbsp;<a href="#rfc.xref.Part5.6">5.2</a></li>
+                        <li><em>Appendix </em>&nbsp;&nbsp;<a href="#rfc.xref.Part5.7">6.1</a></li>
+                        <li><em>Appendix </em>&nbsp;&nbsp;<a href="#rfc.xref.Part5.8">6.1</a></li>
+                        <li><em>Appendix </em>&nbsp;&nbsp;<a href="#rfc.xref.Part5.9">6.1</a></li>
+                        <li><em>Appendix </em>&nbsp;&nbsp;<a href="#rfc.xref.Part5.10">7.4</a></li>
+                        <li><em>Appendix </em>&nbsp;&nbsp;<a href="#rfc.xref.Part5.12">A.6</a></li>
                      </ul>
                   </li>

draft-ietf-httpbis/latest/p2-semantics.xml

@@ -4915 +4915 @@
    &p1-security-considerations;.
 </t>
+<t>
+   The list of considerations below is not exhaustive &mdash; security
+   analysis in an ongoing activity. Various organizations, such as the 
+   "Open Web Application Security Project" (OWASP,
+   <eref target="https://www.owasp.org/"/>), provide information about current
+   research.
+</t>
 
 <section title="Attacks Based On File and Path Names" anchor="attack.pathname">
@@ -6278 +6285 @@
       "considerations for new headers: privacy"
     </t>
+    <t>
+      <eref target="http://tools.ietf.org/wg/httpbis/trac/ticket/549"/>:
+      "augment security considerations with pointers to current research"
+    </t>
   </list>
 </t>

draft-ietf-httpbis/latest/p4-conditional.html

@@ -448 +448 @@
   }
   @bottom-center {
-       content: "Expires July 7, 2014";
+       content: "Expires July 19, 2014";
   }
   @bottom-right {
@@ -491 +491 @@
       <meta name="dct.creator" content="Reschke, J. F.">
       <meta name="dct.identifier" content="urn:ietf:id:draft-ietf-httpbis-p4-conditional-latest">
-      <meta name="dct.issued" scheme="ISO8601" content="2014-01-03">
+      <meta name="dct.issued" scheme="ISO8601" content="2014-01-15">
       <meta name="dct.replaces" content="urn:ietf:rfc:2616">
       <meta name="dct.abstract" content="The Hypertext Transfer Protocol (HTTP) is an application-level protocol for distributed, collaborative, hypertext information systems. This document defines HTTP/1.1 conditional requests, including metadata header fields for indicating state changes, request header fields for making preconditions on such state, and rules for constructing the responses to a conditional request when one or more preconditions evaluate to false.">
@@ -517 +517 @@
             </tr>
             <tr>
-               <td class="left">Expires: July 7, 2014</td>
-               <td class="right">January 3, 2014</td>
+               <td class="left">Expires: July 19, 2014</td>
+               <td class="right">January 15, 2014</td>
             </tr>
          </tbody>
@@ -546 +546 @@
             in progress”.
          </p>
-         <p>This Internet-Draft will expire on July 7, 2014.</p>
+         <p>This Internet-Draft will expire on July 19, 2014.</p>
       </div>
       <div id="rfc.copyrightnotice">
@@ -1311 +1311 @@
             conditional request mechanisms. More general security considerations are addressed in HTTP messaging <a href="#Part1" id="rfc.xref.Part1.5"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing">[Part1]</cite></a> and semantics <a href="#Part2" id="rfc.xref.Part2.6"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content">[Part2]</cite></a>.
          </p>
-         <p id="rfc.section.8.p.2">The validators defined by this specification are not intended to ensure the validity of a representation, guard against malicious
+         <p id="rfc.section.8.p.2">The list of considerations below is not exhaustive — security analysis in an ongoing activity. Various organizations, such
+            as the "Open Web Application Security Project" (OWASP, &lt;<a href="https://www.owasp.org/">https://www.owasp.org/</a>&gt;), provide information about current research.
+         </p>
+         <p id="rfc.section.8.p.3">The validators defined by this specification are not intended to ensure the validity of a representation, guard against malicious
             changes, or detect man-in-the-middle attacks. At best, they enable more efficient cache updates and optimistic concurrent
             writes when all participants are behaving nicely. At worst, the conditions will fail and the client will receive a response
             that is no more harmful than an HTTP exchange without conditional requests.
          </p>
-         <p id="rfc.section.8.p.3">An entity-tag can be abused in ways that create privacy risks. For example, a site might deliberately construct a semantically
+         <p id="rfc.section.8.p.4">An entity-tag can be abused in ways that create privacy risks. For example, a site might deliberately construct a semantically
             invalid entity-tag that is unique to the user or user agent, send it in a cacheable response with a long freshness time, and
             then read that entity-tag in later conditional requests as a means of re-identifying that user or user agent. Such an identifying
@@ -1466 +1469 @@
                <li>&lt;<a href="http://tools.ietf.org/wg/httpbis/trac/ticket/542">http://tools.ietf.org/wg/httpbis/trac/ticket/542</a>&gt;: "improve introduction of list rule"
                </li>
+               <li>&lt;<a href="http://tools.ietf.org/wg/httpbis/trac/ticket/549">http://tools.ietf.org/wg/httpbis/trac/ticket/549</a>&gt;: "augment security considerations with pointers to current research"
+               </li>
             </ul>
          </div>

draft-ietf-httpbis/latest/p4-conditional.xml

@@ -15 +15 @@
   <!ENTITY ID-MONTH "January">
   <!ENTITY ID-YEAR "2014">
+  <!ENTITY mdash "&#8212;">
   <!ENTITY Note "<x:h xmlns:x='http://purl.org/net/xml2rfc/ext'>Note:</x:h>">
   <!ENTITY architecture               "<xref target='Part1' x:rel='#architecture' xmlns:x='http://purl.org/net/xml2rfc/ext'/>">
@@ -1239 +1240 @@
 </t>
 <t>
+   The list of considerations below is not exhaustive &mdash; security
+   analysis in an ongoing activity. Various organizations, such as the 
+   "Open Web Application Security Project" (OWASP,
+   <eref target="https://www.owasp.org/"/>), provide information about current
+   research.
+</t>
+<t>
    The validators defined by this specification are not intended to ensure
    the validity of a representation, guard against malicious changes, or
@@ -1597 +1605 @@
       "improve introduction of list rule"
     </t>
+    <t>
+      <eref target="http://tools.ietf.org/wg/httpbis/trac/ticket/549"/>:
+      "augment security considerations with pointers to current research"
+    </t>
   </list>
 </t>

draft-ietf-httpbis/latest/p5-range.html

@@ -448 +448 @@
   }
   @bottom-center {
-       content: "Expires July 7, 2014";
+       content: "Expires July 19, 2014";
   }
   @bottom-right {
@@ -491 +491 @@
       <meta name="dct.creator" content="Reschke, J. F.">
       <meta name="dct.identifier" content="urn:ietf:id:draft-ietf-httpbis-p5-range-latest">
-      <meta name="dct.issued" scheme="ISO8601" content="2014-01-03">
+      <meta name="dct.issued" scheme="ISO8601" content="2014-01-15">
       <meta name="dct.replaces" content="urn:ietf:rfc:2616">
       <meta name="dct.abstract" content="The Hypertext Transfer Protocol (HTTP) is an application-level protocol for distributed, collaborative, hypertext information systems. This document defines range requests and the rules for constructing and combining responses to those requests.">
@@ -517 +517 @@
             </tr>
             <tr>
-               <td class="left">Expires: July 7, 2014</td>
+               <td class="left">Expires: July 19, 2014</td>
                <td class="right">J. Reschke, Editor</td>
             </tr>
@@ -526 +526 @@
             <tr>
                <td class="left"></td>
-               <td class="right">January 3, 2014</td>
+               <td class="right">January 15, 2014</td>
             </tr>
          </tbody>
@@ -552 +552 @@
             in progress”.
          </p>
-         <p>This Internet-Draft will expire on July 7, 2014.</p>
+         <p>This Internet-Draft will expire on July 19, 2014.</p>
       </div>
       <div id="rfc.copyrightnotice">
@@ -1167 +1167 @@
          <p id="rfc.section.6.p.1">This section is meant to inform developers, information providers, and users of known security concerns specific to the HTTP/1.1
             range request mechanisms. More general security considerations are addressed in HTTP messaging <a href="#Part1" id="rfc.xref.Part1.3"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing">[Part1]</cite></a> and semantics <a href="#Part2" id="rfc.xref.Part2.2"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content">[Part2]</cite></a>.
+         </p>
+         <p id="rfc.section.6.p.2">The list of considerations below is not exhaustive — security analysis in an ongoing activity. Various organizations, such
+            as the "Open Web Application Security Project" (OWASP, &lt;<a href="https://www.owasp.org/">https://www.owasp.org/</a>&gt;), provide information about current research.
          </p>
          <div id="overlapping.ranges">
@@ -1405 +1408 @@
                </li>
                <li>&lt;<a href="http://tools.ietf.org/wg/httpbis/trac/ticket/542">http://tools.ietf.org/wg/httpbis/trac/ticket/542</a>&gt;: "improve introduction of list rule"
+               </li>
+               <li>&lt;<a href="http://tools.ietf.org/wg/httpbis/trac/ticket/549">http://tools.ietf.org/wg/httpbis/trac/ticket/549</a>&gt;: "augment security considerations with pointers to current research"
                </li>
             </ul>

draft-ietf-httpbis/latest/p5-range.xml

@@ -15 +15 @@
   <!ENTITY ID-MONTH "January">
   <!ENTITY ID-YEAR "2014">
+  <!ENTITY mdash "&#8212;">
   <!ENTITY Note "<x:h xmlns:x='http://purl.org/net/xml2rfc/ext'>Note:</x:h>">
   <!ENTITY architecture               "<xref target='Part1' x:rel='#architecture' xmlns:x='http://purl.org/net/xml2rfc/ext'/>">
@@ -1048 +1049 @@
    in HTTP messaging &messaging; and semantics &semantics;.
 </t>
+<t>
+   The list of considerations below is not exhaustive &mdash; security
+   analysis in an ongoing activity. Various organizations, such as the 
+   "Open Web Application Security Project" (OWASP,
+   <eref target="https://www.owasp.org/"/>), provide information about current
+   research.
+</t>
 
 <section title="Denial of Service Attacks using Range" anchor="overlapping.ranges">
@@ -1549 +1557 @@
       "improve introduction of list rule"
     </t>
+    <t>
+      <eref target="http://tools.ietf.org/wg/httpbis/trac/ticket/549"/>:
+      "augment security considerations with pointers to current research"
+    </t>
   </list>
 </t>

draft-ietf-httpbis/latest/p6-cache.html

@@ -451 +451 @@
   }
   @bottom-center {
-       content: "Expires July 7, 2014";
+       content: "Expires July 19, 2014";
   }
   @bottom-right {
@@ -495 +495 @@
       <meta name="dct.creator" content="Reschke, J. F.">
       <meta name="dct.identifier" content="urn:ietf:id:draft-ietf-httpbis-p6-cache-latest">
-      <meta name="dct.issued" scheme="ISO8601" content="2014-01-03">
+      <meta name="dct.issued" scheme="ISO8601" content="2014-01-15">
       <meta name="dct.replaces" content="urn:ietf:rfc:2616">
       <meta name="dct.abstract" content="The Hypertext Transfer Protocol (HTTP) is an application-level protocol for distributed, collaborative, hypertext information systems. This document defines HTTP caches and the associated header fields that control cache behavior or indicate cacheable response messages.">
@@ -521 +521 @@
             </tr>
             <tr>
-               <td class="left">Expires: July 7, 2014</td>
+               <td class="left">Expires: July 19, 2014</td>
                <td class="right">J. Reschke, Editor</td>
             </tr>
@@ -530 +530 @@
             <tr>
                <td class="left"></td>
-               <td class="right">January 3, 2014</td>
+               <td class="right">January 15, 2014</td>
             </tr>
          </tbody>
@@ -557 +557 @@
             in progress”.
          </p>
-         <p>This Internet-Draft will expire on July 7, 2014.</p>
+         <p>This Internet-Draft will expire on July 19, 2014.</p>
       </div>
       <div id="rfc.copyrightnotice">
@@ -1930 +1930 @@
             caching. More general security considerations are addressed in HTTP messaging <a href="#Part1" id="rfc.xref.Part1.11"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing">[Part1]</cite></a> and semantics <a href="#Part2" id="rfc.xref.Part2.9"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content">[Part2]</cite></a>.
          </p>
-         <p id="rfc.section.8.p.2">Caches expose additional potential vulnerabilities, since the contents of the cache represent an attractive target for malicious
+         <p id="rfc.section.8.p.2">The list of considerations below is not exhaustive — security analysis in an ongoing activity. Various organizations, such
+            as the "Open Web Application Security Project" (OWASP, &lt;<a href="https://www.owasp.org/">https://www.owasp.org/</a>&gt;), provide information about current research.
+         </p>
+         <p id="rfc.section.8.p.3">Caches expose additional potential vulnerabilities, since the contents of the cache represent an attractive target for malicious
             exploitation. Because cache contents persist after an HTTP request is complete, an attack on the cache can reveal information
             long after a user believes that the information has been removed from the network. Therefore, cache contents need to be protected
             as sensitive information.
          </p>
-         <p id="rfc.section.8.p.3">In particular, various attacks might be amplified by being stored in a shared cache; such "cache poisoning" attacks use the
+         <p id="rfc.section.8.p.4">In particular, various attacks might be amplified by being stored in a shared cache; such "cache poisoning" attacks use the
             cache to distribute a malicious payload to many clients, and are especially effective when an attacker can use implmentation
             flaws, elevated priviledges or other techniques to insert such a response into a cache. One common attack vector for cache
             poisoning is to exploit differences in message parsing on proxies and in user agents; see <a href="p1-messaging.html#message.body.length" title="Message Body Length">Section 3.3.3</a> of <a href="#Part1" id="rfc.xref.Part1.12"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing">[Part1]</cite></a> for the relevant requirements.
          </p>
-         <p id="rfc.section.8.p.4">Likewise, implementation flaws (as well as misunderstanding of cache operation) might lead to caching of sensitive information
+         <p id="rfc.section.8.p.5">Likewise, implementation flaws (as well as misunderstanding of cache operation) might lead to caching of sensitive information
             (e.g., authentication credentials) that is thought to be private, exposing it to unauthorized parties.
          </p>
-         <p id="rfc.section.8.p.5">Furthermore, the very use of a cache can bring about privacy concerns. For example, if two users share a cache, and the first
+         <p id="rfc.section.8.p.6">Furthermore, the very use of a cache can bring about privacy concerns. For example, if two users share a cache, and the first
             one browses to a site, the second may be able to detect that the other has been to that site, because the resources from it
             load more quickly, thanks to the cache.
          </p>
-         <p id="rfc.section.8.p.6">Note that the Set-Cookie response header field <a href="#RFC6265" id="rfc.xref.RFC6265.1"><cite title="HTTP State Management Mechanism">[RFC6265]</cite></a> does not inhibit caching; a cacheable response with a Set-Cookie header field can be (and often is) used to satisfy subsequent
+         <p id="rfc.section.8.p.7">Note that the Set-Cookie response header field <a href="#RFC6265" id="rfc.xref.RFC6265.1"><cite title="HTTP State Management Mechanism">[RFC6265]</cite></a> does not inhibit caching; a cacheable response with a Set-Cookie header field can be (and often is) used to satisfy subsequent
             requests to caches. Servers who wish to control caching of these responses are encouraged to emit appropriate Cache-Control
             response header fields.
@@ -2173 +2176 @@
                <li>&lt;<a href="http://tools.ietf.org/wg/httpbis/trac/ticket/542">http://tools.ietf.org/wg/httpbis/trac/ticket/542</a>&gt;: "improve introduction of list rule"
                </li>
+               <li>&lt;<a href="http://tools.ietf.org/wg/httpbis/trac/ticket/549">http://tools.ietf.org/wg/httpbis/trac/ticket/549</a>&gt;: "augment security considerations with pointers to current research"
+               </li>
             </ul>
             <p id="rfc.section.D.2.p.2">Partly closed issues: </p>

draft-ietf-httpbis/latest/p6-cache.xml

@@ -2162 +2162 @@
 </t>
 <t>
+   The list of considerations below is not exhaustive &mdash; security
+   analysis in an ongoing activity. Various organizations, such as the 
+   "Open Web Application Security Project" (OWASP,
+   <eref target="https://www.owasp.org/"/>), provide information about current
+   research.
+</t>
+<t>
    Caches expose additional potential vulnerabilities, since the contents of
    the cache represent an attractive target for malicious exploitation.
@@ -2710 +2717 @@
       "improve introduction of list rule"
     </t>
+    <t>
+      <eref target="http://tools.ietf.org/wg/httpbis/trac/ticket/549"/>:
+      "augment security considerations with pointers to current research"
+    </t>
   </list>
 </t>

draft-ietf-httpbis/latest/p7-auth.html

@@ -448 +448 @@
   }
   @bottom-center {
-       content: "Expires July 7, 2014";
+       content: "Expires July 19, 2014";
   }
   @bottom-right {
@@ -488 +488 @@
       <meta name="dct.creator" content="Reschke, J. F.">
       <meta name="dct.identifier" content="urn:ietf:id:draft-ietf-httpbis-p7-auth-latest">
-      <meta name="dct.issued" scheme="ISO8601" content="2014-01-03">
+      <meta name="dct.issued" scheme="ISO8601" content="2014-01-15">
       <meta name="dct.replaces" content="urn:ietf:rfc:2616">
       <meta name="dct.abstract" content="The Hypertext Transfer Protocol (HTTP) is an application-level protocol for distributed, collaborative, hypermedia information systems. This document defines the HTTP Authentication framework.">
@@ -516 +516 @@
             <tr>
                <td class="left">Intended status: Standards Track</td>
-               <td class="right">January 3, 2014</td>
+               <td class="right">January 15, 2014</td>
             </tr>
             <tr>
-               <td class="left">Expires: July 7, 2014</td>
+               <td class="left">Expires: July 19, 2014</td>
                <td class="right"></td>
             </tr>
@@ -546 +546 @@
             in progress”.
          </p>
-         <p>This Internet-Draft will expire on July 7, 2014.</p>
+         <p>This Internet-Draft will expire on July 19, 2014.</p>
       </div>
       <div id="rfc.copyrightnotice">
@@ -975 +975 @@
          <p id="rfc.section.6.p.1">This section is meant to inform developers, information providers, and users of known security concerns specific to HTTP/1.1
             authentication. More general security considerations are addressed in HTTP messaging <a href="#Part1" id="rfc.xref.Part1.7"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing">[Part1]</cite></a> and semantics <a href="#Part2" id="rfc.xref.Part2.2"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content">[Part2]</cite></a>.
+         </p>
+         <p id="rfc.section.6.p.2">The list of considerations below is not exhaustive — security analysis in an ongoing activity. Various organizations, such
+            as the "Open Web Application Security Project" (OWASP, &lt;<a href="https://www.owasp.org/">https://www.owasp.org/</a>&gt;), provide information about current research.
          </p>
          <div id="auth.credentials.and.idle.clients">
@@ -1177 +1180 @@
                <li>&lt;<a href="http://tools.ietf.org/wg/httpbis/trac/ticket/542">http://tools.ietf.org/wg/httpbis/trac/ticket/542</a>&gt;: "improve introduction of list rule"
                </li>
+               <li>&lt;<a href="http://tools.ietf.org/wg/httpbis/trac/ticket/549">http://tools.ietf.org/wg/httpbis/trac/ticket/549</a>&gt;: "augment security considerations with pointers to current research"
+               </li>
             </ul>
          </div>

draft-ietf-httpbis/latest/p7-auth.xml

@@ -680 +680 @@
    &messaging; and semantics &semantics;.
 </t>
+<t>
+   The list of considerations below is not exhaustive &mdash; security
+   analysis in an ongoing activity. Various organizations, such as the 
+   "Open Web Application Security Project" (OWASP,
+   <eref target="https://www.owasp.org/"/>), provide information about current
+   research.
+</t>
 
 <section title="Authentication Credentials and Idle Clients" anchor="auth.credentials.and.idle.clients">
@@ -1128 +1135 @@
       "improve introduction of list rule"
     </t>
+    <t>
+      <eref target="http://tools.ietf.org/wg/httpbis/trac/ticket/549"/>:
+      "augment security considerations with pointers to current research"
+    </t>
   </list>
 </t>