IETF Logo Mail Archive

Re: [Anima] Content-Transfer-Encoding and HTTP 1.x in ANIMA BRSKI

Brian E Carpenter <brian.e.carpenter@gmail.com> Wed, 12 June 2019 20:50 UTC

Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9622412013C for <anima@ietfa.amsl.com>; Wed, 12 Jun 2019 13:50:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id do80R_WiQo56 for <anima@ietfa.amsl.com>; Wed, 12 Jun 2019 13:50:05 -0700 (PDT)
Received: from mail-pf1-x444.google.com (mail-pf1-x444.google.com [IPv6:2607:f8b0:4864:20::444]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F41681200F8 for <anima@ietf.org>; Wed, 12 Jun 2019 13:50:04 -0700 (PDT)
Received: by mail-pf1-x444.google.com with SMTP id a186so10363785pfa.5; Wed, 12 Jun 2019 13:50:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-language:content-transfer-encoding; bh=OUG7NqQ1fkYdvTDAZ14UIHZgOva3EMZkVQZIVcSEefk=; b=jJFsnZp5rrBI4/yLCsBcXM5JKQ5mi/3VH/IQFeraJk9y9c2/QqCw+FbDY+5IR9MI2r cUiBwMu/WNJoqyNI8fJICeUHIdPIuNqg8BhEKkSwmVqUDBHabXkH94hYQmtisCwHcMue Q5/8nNka7olennKbXmmN+V+yoa6Byj050KjquDWiA7WVJiXL+QRw4BRcgljkcquMJwHu LQNvn+FV/JFEWjMiW5MwVvqriyiIqBwKYl44XvU8ZyhhCAFbu+gRPLyrkF4CMEMjzt4/ +IJesWtsaFKisbWA8J916cbS/aDolfVvheMXVtuzr7p+leir6+234eCUIrqQkWzWLQJM OZgg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=OUG7NqQ1fkYdvTDAZ14UIHZgOva3EMZkVQZIVcSEefk=; b=dmnjbc8NSpeCH3MSI/ZDFrsdbKYjmjG427TZXBmi6S7t/rQ3TiQsd4tlQTlQSzPrU1 CWDYcJR6uxbwlemmkK+hCGNa5CCpJt3J/q2g4VENSXBJnnnVGhYXE8FyutOHzqO5W2aA 23Ak/4f0GHKk/ZnOYutnMgB2fjYRwH3TyMQ8LGw+mOLK9jdOtzsN/+Q1RdZGbpRikLuC VhyIUYGenN4iMBe1m4AUcESL3+cJ6FmvQlAIRNyB44aHkKUCcRKhH2mnrPM6/++0PwaJ 2U96DclertWohd9CB0kejfQR3WS0RqnZ3rMwXVNk4jNWPP26vuBs62ZTByfpZC3q4qHZ k4ZA==
X-Gm-Message-State: APjAAAWLyV7uyjK1dYLc7EF+hIVLuuuDMhwOgAGqmC7AIUOmzYwj+Aab xUKH4o06ETGyALAQ5GyYD3Y=
X-Google-Smtp-Source: APXvYqymEv+4L8kBEHKzGGSnOBi7cSU1kM6ZOyxBuvt8O8ms5lQYBW5tsPlGFUcH9w5F06wa3WbB4w==
X-Received: by 2002:a17:90a:338b:: with SMTP id n11mr1070698pjb.21.1560372604408; Wed, 12 Jun 2019 13:50:04 -0700 (PDT)
Received: from [192.168.178.30] (32.23.255.123.dynamic.snap.net.nz. [123.255.23.32]) by smtp.gmail.com with ESMTPSA id m16sm470887pfd.127.2019.06.12.13.50.00 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 12 Jun 2019 13:50:03 -0700 (PDT)
To: Julian Reschke <julian.reschke@gmx.de>, Michael Richardson <mcr+ietf@sandelman.ca>, anima@ietf.org, ietf-http-wg@w3.org, draft-ietf-pkix-est@ietf.org, Carsten Bormann <cabo@tzi.org>
References: <32410.1560275231@localhost> <15839.1560351718@localhost> <8a538f76-787d-de13-97f1-16195daae8ce@gmx.de>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Message-ID: <9fcce3cd-c3cb-bd60-a55c-af21da621b88@gmail.com>
Date: Thu, 13 Jun 2019 08:49:58 +1200
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.7.0
MIME-Version: 1.0
In-Reply-To: <8a538f76-787d-de13-97f1-16195daae8ce@gmx.de>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/i7LbG61gBleEWvC8OERSyjc5xZg>
Subject: Re: [Anima] Content-Transfer-Encoding and HTTP 1.x in ANIMA BRSKI
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Jun 2019 20:50:08 -0000

Hi Julian,

On 13-Jun-19 05:26, Julian Reschke wrote:
> On 12.06.2019 17:01, Michael Richardson wrote:
>>
>> {resending, now that I'm subscribed to ietf-http-wg.  If you aren't
>> on that list, the IETF global white list won't help you}
>>
>> RFC7030 (Enrollment over Secure Transport) includes language like (section
>> 4.1.3): https://tools.ietf.org/html/rfc7030#section-4.1.3
>>
>>     A successful response MUST be a certs-only CMC Simple PKI Response,
>>     as defined in [RFC5272], containing the certificates described in the
>>     following paragraph.  The HTTP content-type of
>>     "application/pkcs7-mime" is used.  The Simple PKI Response is sent
>>     with a Content-Transfer-Encoding of "base64" [RFC2045].
>>
>> draft-ietf-anima-bootstrap-keyinfra (now in IETF Last Call), extends EST.
>> It creates a few more end points, and transfers RFC8366 format artifacts
>> over those end points.  RFC8366 defines them to be CMS signed objects,
>> in DER (not PEM) format. Another document in ANIMA models the artifacts
>> as COSE signed CBOR (also CMS signed CBOR).  All binary objects.
>>
>> In doing interop testing we had some surprises about whether we should see
>> base64 encoding of objects "on-the-wire".
>>
>> Some implementations have what I consider to be typical HTTP client and
>> server code.  The application sticks binary in, an appropriate
>> Content-Transfer-Encoding is added, and the binary is adapted.  On the
>> client, if there is an encoding, it is removed, and the client sees binary
>> plus a Content-Type.
>>
>> Other implementations were doing something more optimal: observing the
>> base64, but noticing that there is only one possible Content-Type, and
>> the Content-Transfer-Encoding is implicit, and so emitting base64 with an
>> implicit text/plain content type.
>>
>> In addition, people make mistakes, and the desire to write test cases with
>> curl --data (vs --data-binary) easily has led some of us astray at times.
>>
>> While we think that constrained devices should speak the constrained protocol
>> (see below), in some cases code-constrained devices speak HTTPS, and
>> wish to do away with any base64 layer of encoding, as a naive use of it
>> can come with unknown memory requirements.
>>
>> Some questions:
>>
>> 1) Is Content-Transfer-Encoding even valid in HTTP1.x?
>>     RFC2616 and RFC7230
>>     speak about Transfer-Encoding, and this relates to Chunked or not.
>>     https://tools.ietf.org/html/rfc2616#section-14.41
>>
>>     https://tools.ietf.org/html/rfc2616#section-19.4.5 says:
>>     HTTP does not use the Content-Transfer-Encoding (CTE) field of RFC
>>     2045. Proxies and gateways from MIME-compliant protocols to HTTP MUST
>>     remove any non-identity CTE ("quoted-printable" or "base64") encoding
>>     prior to delivering the response message to an HTTP client.
>>
>>     RFC7230 does not include the above text making CTE unwanted.
>>     This made it rather hard to track down the truth :-)
> 
> There is no Content-Transfer-Encoding header field in HTTP. It is simply
> not needed.

Just as a matter of curiosity, what happened in HTTP1.1 to the fragment in
RFC2616 that says (under Content-MD5):

"The entity-body for composite
 types MAY contain many body-parts, each with its own MIME and HTTP
 headers (including Content-MD5, Content-Transfer-Encoding, and
 Content-Encoding headers)."

This seems to be a source of confusion, e.g.
https://stackoverflow.com/questions/5169434/content-transfer-encoding-in-file-uploading-request . RFC7030 uses a content type of application/pkcs7-mime. So is it allowed to specify a MIME header?

    Brian


> 
>> 2) Assuming the answer to (1) is no, what should we make of RFC7030
>>     that says to use it, and to base64 binary objects?
> 
> Raise an erratum :-).
> 
>>     Would it be reasonable to assume that this is an error, to
>>     permit an absent (or CTE: Binary) to mean binary for RFC7030?
>>     There is clearly an interoperability issue here if existing
>>     implementations do not understand this.
>>
>>     Did we miss a cross-area review, or did we do this on purpose?
>>     RFC7030 is terribly repetitive about CTE suggesting it needed
>>     to hit people over the head with a hammer.
> 
> I'm sure I haven't looked at that spec. Anybody from this WG should have
> spotted this.
> 
>> 3) What should draft-ietf-anima-bootstrapping-keyinfra do going forward?
>>     We make use of RFC7030 functionality, and after bootstrap, we can't
>>     be sure that the EST server we use for certificate renewal is the
>>     same (brand of) EST server as before, so just because we did BRSKI,
>>     doesn't mean we can assume a binary version of 7030.
>>
>>     Should BRSKI end-points:
>>      a) omit CTE, and assume binary.
> 
> Yes.
> 
>> ...
> 
> Best regards, Julian
> 
> _______________________________________________
> Anima mailing list
> Anima@ietf.org
> https://www.ietf.org/mailman/listinfo/anima
>

v2.23.0 | Report a Bug | By Email