TAXIIProject / TAXII-Specifications

A repository for development of the TAXII Specifications. For official releases, please see http://taxiiproject.github.io/releases/

HTTP Protocol Binding - Proposal to remove X-TAXII-Accept header #14

Closed MarkDavidson closed 11 years ago

MarkDavidson commented 11 years ago

There is a proposal on the mailing list to remove the X-TAXII-Accept header.

Currently, the Accept and X-TAXII-Accept headers work as follows: The Accept header is used to specify the acceptable HTTP Content-Type responses for an HTTP request - currently TAXII software would specify “application/xml”. The X-TAXII-Accept header is used to specify the acceptable TAXII Content-Type responses for an HTTP request - currently TAXII software would specify “TAXII_1.0/TAXII_XML_1.0”.

There is an argument that the X-TAXII-Accept header doesn’t add any useful information, and is therefore a candidate for deletion. Here are the supporting points:

  1. The “TAXII_1.0” information can be inferred from the X-TAXII-Protocol header. It can be added there explicitly if necessary as a part of this proposal.
  2. It can be assumed (or required) that TAXII clients accept responses that are the same format as the request. E.g., if the X-TAXII-Content-Type is “TAXII_1.0/TAXII_XML_1.0”, it can be assumed that the TAXII client accepts “TAXII_1.0/TAXII_XML_1.0” in response.
  3. It is argued that there will not be many clients that make requests in one format (e.g. TAXII_XML_1.0) and accept them in another (e.g., TAXII_XML_1.1). If the client really wants TAXII_XML_1.1, they can just make the request again in that format.

Whether or not the header is removed will depend on list discussion.

MarkDavidson commented 11 years ago

I have removed the TAXII header from the TAXII HTTP Protocol Binding Spec. This is updated in the most recent commit to the GitHub repository. You can also find a reference to the issue here: https://github.com/TAXIIProject/TAXII-Specifications/issues/14.

The essence of the change is that the X-TAXII-Accept header is no longer a concept in the TAXII HTTP Protocol binding. Software that provides a TAXII Service can assume that the client accepts the format specified by the X-TAXII-Content-Type.

A quick summary of locations where text was changed:

Removal of X-TAXII-Accept:

Added the following text to the X-TAXII-Content-Type explaining how to infer an appropriate response format: When responding to a request, the server response MUST comply with the format specified by the request's X-TAXII-Content-Type header field. If the server is unable to respond with an appropriate format, it must send an error.

Other changes:

  1. Made the line spacing uniform in section 5.1
  2. Section 5.1.4 - TAXII Poll Request had conflicting wording. Changed the wording to reflect that a TAXII Poll Request is sent via HTTP POST, as intended.
  3. Updated the title/watermark to draft2. I will discuss this in a separate email.
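
The rule stated in the last comment (the response format follows the request's X-TAXII-Content-Type, with an error when the server cannot produce it), sketched as an added example that is not code from the TAXII project or from this thread. The function names, the supported-format set, exact-match comparison, and ignoring a leftover X-TAXII-Accept header are assumptions; the thread does not say how the error is carried on the wire, so the function only returns a reason string.

```python
# Added example. Names and the supported-format set are assumptions.
SUPPORTED_FORMATS = {"TAXII_1.0/TAXII_XML_1.0"}  # draft-era value quoted in the issue


def get_header(headers, name):
    """Look up an HTTP header field; field names are case-insensitive."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value.strip()
    return None


def negotiate(headers, supported=SUPPORTED_FORMATS):
    """Pick the TAXII response format for one request.

    Returns ("ok", format) or ("error", reason).
    """
    requested = get_header(headers, "X-TAXII-Content-Type")
    if not requested:
        return ("error", "missing X-TAXII-Content-Type")
    if requested not in supported:  # exact string match: an assumption
        return ("error", "unsupported format: " + requested)
    # A leftover X-TAXII-Accept header is deliberately not consulted (assumption).
    return ("ok", requested)


# Constructed sample requests (headers only); the 1.1 format string is made up.
SAMPLES = [
    {"Accept": "application/xml",
     "X-TAXII-Content-Type": "TAXII_1.0/TAXII_XML_1.0"},
    {"x-taxii-content-type": "TAXII_1.0/TAXII_XML_1.0",
     "X-TAXII-Accept": "TAXII_1.0/TAXII_XML_1.1"},
    {"X-TAXII-Content-Type": "TAXII_1.0/TAXII_XML_1.1"},
    {"Accept": "application/xml"},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(negotiate(sample))
```

The second sample is the case from point 3 of the proposal: a client that asks in one format and names another in the old header gets the request's format back.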