Vote Details

Ballot: Approve OpenC2 HTTPS Transfer Specification, v1.0, WD04 as CSD and for public review
Symantec Corp.
This spec currently requires that ALL OpenC2 Commands MUST include an "X-Request-ID" header with every command. However, this header is only used as a tracing header, and since there is no actual way that the header value can be used with any other OpenC2 command, I cannot in good conscience force the Consumer that my company supports to REQUIRE an API to include the "X-Request-ID" header. As such, our Consumers will not be spec compliant, since they will be written to work with non-compliant Producers that do not actually supply this tracing header with every request. When our Consumer receives a request that DOES NOT include the "X-Request-ID" header, it will generate a UUID and return the generated UUID in the response header as required by the spec. Further, when our Consumer receives a request that DOES include the "X-Request-ID" header, it will use it as specified by this spec. As such, our Consumer will work correctly with compliant Producers (which apparently must always specify this tracing header). I feel it is unfortunate that we are requiring a tracing header to be always supplied even when the spec does not have a use for it (beyond tracing, which is by design an optional capability in operational environments).