IETF Logo Mail Archive

Re: [Anima] Content-Transfer-Encoding and HTTP 1.x in ANIMA BRSKI

Julian Reschke <julian.reschke@gmx.de> Wed, 12 June 2019 17:27 UTC

Return-Path: <julian.reschke@gmx.de>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4B1E81201C9 for <anima@ietfa.amsl.com>; Wed, 12 Jun 2019 10:27:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=gmx.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SWX0-HGoU8Jp for <anima@ietfa.amsl.com>; Wed, 12 Jun 2019 10:27:09 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.15.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1D2A81201CC for <anima@ietf.org>; Wed, 12 Jun 2019 10:27:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gmx.net; s=badeba3b8450; t=1560360409; bh=rnLN2IKBsOaxa8b1590xFDg0KSBLkNn/EwrBPteiF6s=; h=X-UI-Sender-Class:Subject:To:References:From:Date:In-Reply-To; b=CLAZu0jkIBQNwUbw9RrAe0WLnu6sAr/xmWC/mYIyB4HhFwt1t9pX6S9yLISmz7G66 s1ZDezAM7ucAVyUBxvqSV91geGl4WYM27jFPlYmB0ZxJTaeJbKZmAccg+N4T5lHZVo INfXMTEWijSP/ln2wSv28N/G7Hcp1wsROkHNgD50=
X-UI-Sender-Class: 01bb95c1-4bf8-414a-932a-4f6e2808ef9c
Received: from [192.168.178.124] ([84.171.155.95]) by mail.gmx.com (mrgmx004 [212.227.17.190]) with ESMTPSA (Nemesis) id 1MIMbO-1hpM6f1Xe8-00EJdL; Wed, 12 Jun 2019 19:26:49 +0200
To: Michael Richardson <mcr+ietf@sandelman.ca>, anima@ietf.org, ietf-http-wg@w3.org, draft-ietf-pkix-est@ietf.org, Carsten Bormann <cabo@tzi.org>
References: <32410.1560275231@localhost> <15839.1560351718@localhost>
From: Julian Reschke <julian.reschke@gmx.de>
Message-ID: <8a538f76-787d-de13-97f1-16195daae8ce@gmx.de>
Date: Wed, 12 Jun 2019 19:26:49 +0200
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.7.0
MIME-Version: 1.0
In-Reply-To: <15839.1560351718@localhost>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: quoted-printable
X-Provags-ID: V03:K1:9EMm2EyOTz1sv4sTFePuYNwhM5Fxv1WfefPUNLfh5oLjGPDWfeC 56rQoL4f6AQne6javfHRw9Iv/EW+LNM6CcvqsKS1Y3WmnYBz0pd0oMk78L6TEid7EE7pdva +RcO34ZnTp/pGuPyorWLdvJbPZEcrZPE8UY3a5/wjhL2LVgtSySGD+6Uvinzl2P4YXKalUD 2MkbUzaLKPRuiB4hT4y/g==
X-UI-Out-Filterresults: notjunk:1;V03:K0:r2TMYhP1ZRE=:BPWKx95DjstySgbAGE/O/3 nytbI36GZGSnUhNHPFfF0V3fr+s0XGiztwHqIMYJMXpEAGEXMQh8LsXxgRftFSGdVVyg4z6NE y39KfF68HEFsBlZknQLtbi7hauLbDf2tI4bS+vt/+iQgNnq0z0QEisR3jQKkiig1s15V52oRp fU9Rtzf8fj7jE4DPjYnZikuBQNV+KcccDdVPhB9GNWA4NRQ+iICyA6rH2cwBSAkwsXELIwRnO zwd0rS7872e5W5Ozkf6/trSOUGoOJk+q2lt3dwrju0jJvdRqMM1ie1pGFeonfAsBUxoa9Zz+K gD8hDzePorW7Q3FPP7A43TNOzQHBro1CJYlB4WnZ4H6kDxM7Xeh7FcCEULF4zfxZ/m6nSMyXx 3pPSaqpK9npELiH8iGf+yIvIrDKgmdFTFjpzbhcI5faEWNhyTIHYtopD7dOi4rnXoBuuYjIEM TNbqqVFsz2txEMAdW/hB9WbtvT2LqFnkHRkIsvMRlVWAwqpWr/YEZ+VWbaiLqu3PjuQr4XTfl eSDGdu+hXVi+Ym+RTUHGktu6zWyZ99jXiji4QsL8X+AQozTBL3S/8IMgkjqyLrrFJs5c4z7nY Lvms0ElorG55VUwJcY7CTumejcX640N9JJswmbeJ+TbO15kcLLu8mqdjx3tzYd9SyRl6bTWHS /EIiJ1d4JD5fLZRph78HiqjtI3/BcoIFYGMp+5PRbNstaQZglR57o+FpjqyLqKZlG7dpPjpqN yMzW5sWn21n1GtStOajR/zkrX8uRpufKl8puNdhe3ZL5usdRLY031w6INuxTlNVf6CPthp7NE 6v7GBL5559t1yGrHfPgaxOjPWsxCW4kRLfsY5hUtdwHjOuVmLZ8AUBwFL8IyFYcCYbsDpyeC8 3sjdpaU4vVZXt2dWwtM0LankOjfwHxyVXx4U2HQW3XxT2kuV0ed5DozOZSP3zmkQS4/6VD3jY byGP7y4sPDGacrTUf6ecrzQ3F3vGKmdc0erQ9GM9mAgm/fBPBfEfQ
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/CH7AMF32anyKOB3hevrGmUDKQAw>
Subject: Re: [Anima] Content-Transfer-Encoding and HTTP 1.x in ANIMA BRSKI
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Jun 2019 17:27:11 -0000

On 12.06.2019 17:01, Michael Richardson wrote:
>
> {resending, now that I'm subscribed to ietf-http-wg.  If you aren't
> on that list, the IETF global white list won't help you}
>
> RFC7030 (Enrollment over Secure Transport) includes language like (section
> 4.1.3): https://tools.ietf.org/html/rfc7030#section-4.1.3
>
>     A successful response MUST be a certs-only CMC Simple PKI Response,
>     as defined in [RFC5272], containing the certificates described in the
>     following paragraph.  The HTTP content-type of
>     "application/pkcs7-mime" is used.  The Simple PKI Response is sent
>     with a Content-Transfer-Encoding of "base64" [RFC2045].
>
> draft-ietf-anima-bootstrap-keyinfra (now in IETF Last Call), extends EST.
> It creates a few more end points, and transfers RFC8366 format artifacts
> over those end points.  RFC8366 defines them to be CMS signed objects,
> in DER (not PEM) format. Another document in ANIMA models the artifacts
> as COSE signed CBOR (also CMS signed CBOR).  All binary objects.
>
> In doing interop testing we had some surprises about whether we should see
> base64 encoding of objects "on-the-wire".
>
> Some implementations have what I consider to be typical HTTP client and
> server code.  The application sticks binary in, an appropriate
> Content-Transfer-Encoding is added, and the binary is adapted.  On the
> client, if there is an encoding, it is removed, and the client sees binary
> plus a Content-Type.
>
> Other implementations were doing something more optimal: observing the
> base64, but noticing that there is only one possible Content-Type, and
> the Content-Transfer-Encoding is implicit, and so emitting base64 with an
> implicit text/plain content type.
>
> In addition, people make mistakes, and the desire to write test cases with
> curl --data (vs --data-binary) easily has led some of us astray at times.
>
> While we think that constrained devices should speak the constrained protocol
> (see below), in some cases code-constrained devices speak HTTPS, and
> wish to do away with any base64 layer of encoding, as a naive use of it
> can come with unknown memory requirements.
>
> Some questions:
>
> 1) Is Content-Transfer-Encoding even valid in HTTP1.x?
>     RFC2616 and RFC7230
>     speak about Transfer-Encoding, and this relates to Chunked or not.
>     https://tools.ietf.org/html/rfc2616#section-14.41
>
>     https://tools.ietf.org/html/rfc2616#section-19.4.5 says:
>     HTTP does not use the Content-Transfer-Encoding (CTE) field of RFC
>     2045. Proxies and gateways from MIME-compliant protocols to HTTP MUST
>     remove any non-identity CTE ("quoted-printable" or "base64") encoding
>     prior to delivering the response message to an HTTP client.
>
>     RFC7230 does not include the above text making CTE unwanted.
>     This made it rather hard to track down the truth :-)

There is no Content-Transfer-Encoding header field in HTTP. It is simply
not needed.

> 2) Assuming the answer to (1) is no, what should we make of RFC7030
>     that says to use it, and to base64 binary objects?

Raise an erratum :-).

>     Would it be reasonable to assume that this is an error, to
>     permit an absent (or CTE: Binary) to mean binary for RFC7030?
>     There is clearly an interoperability issue here if existing
>     implementations do not understand this.
>
>     Did we miss a cross-area review, or did we do this on purpose?
>     RFC7030 is terribly repetitive about CTE suggesting it needed
>     to hit people over the head with a hammer.

I'm sure I haven't looked at that spec. Anybody from this WG should have
spotted this.

> 3) What should draft-ietf-anima-bootstrapping-keyinfra do going forward?
>     We make use of RFC7030 functionality, and after bootstrap, we can't
>     be sure that the EST server we use for certificate renewal is the
>     same (brand of) EST server as before, so just because we did BRSKI,
>     doesn't mean we can assume a binary version of 7030.
>
>     Should BRSKI end-points:
>      a) omit CTE, and assume binary.

Yes.

> ...

Best regards, Julian

v2.23.0 | Report a Bug | By Email