Re: [apps-discuss] Fwd: I-D Action: draft-nottingham-http-browser-hints-01.txt
Bjartur Thorlacius <svartman95@gmail.com> Mon, 30 May 2011 23:25 UTC
In-Reply-To: <4DE3DB86.8000505@gmail.com>
References: <BANLkTi=s9jHu=_+VVTxAvdEts=9Dts2h0Q@mail.gmail.com> <70A19350-4EA8-4FB4-89CF-B6D4E7FA456B@mnot.net> <4DE3A064.8010404@gmail.com> <4DE3B07F.9030407@gmx.de> <4DE3C4E8.4000900@gmail.com> <4DE3DB86.8000505@gmail.com>
Date: Mon, 30 May 2011 23:25:42 +0000
Message-ID: <BANLkTiks0kx_D8eqdQwjgDTHqnnF+0B3_g@mail.gmail.com>
From: Bjartur Thorlacius <svartman95@gmail.com>
To: Dzonatas Sol <dzonatas@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Cc: apps-discuss@ietf.org
On 5/30/11, Dzonatas Sol <dzonatas@gmail.com> wrote:
> People often implement the ReSTful paradigm based only on these four
> http methods: POST, GET, PUT, DELETE. I hardly consider usage of those
> to the fullest means as any hack. (In my book, they each are subclasses
> of TASKs on the queue.)
>
I consider creating URIs under all URI authorities (as in the authority section of the hierarchical part) questionable, not the usage of an existing method. Why should the IETF construct URIs such as <http://boards.4chan.org/.well-known/browser-hints> and <URL:http://www.gov.cn/.well-known/browser-hints>? There's no image board named ".well-known". It's /possible/ to use RFC 5785 for _all_ site-wide metadata, no matter what, just as it's /possible/ to use POST to its fullest, and POST exclusively, embedding the action and entity-body in the message-body.

What queue? Most (but not all) HTTP methods operate on resources identified by URIs.

> Any implication of an attacker... questionable on why would one stop
> there, specifically, even if we assume "they're inside".
>
You don't necessarily have to be "inside" to be able to upload files. I'm thinking of a user registering as ".well-known" and uploading maliciously named and crafted files. *All* HTTP servers out there will have to reserve the "/.well-known" prefix, if only to avoid serving a dangerous value of the max-conns property in the browser-hints file (and thereby values of other properties such as max-pipeline-depth).

Note that I don't disagree with RFC 5785. It's the right mechanism for certain tasks. I disagree with the apparent group consensus that discovery of browser hints is one of these tasks.
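A defender-side illustration of the reservation point above, added here and not code from the thread or from the draft: a server that maps user-chosen names onto URL paths has to refuse any name or upload path that resolves into the reserved "/.well-known" namespace, and the comparison must run on the normalized path or encoded and dot-segment variants slip past it. The "/<username>/..." layout and the registration policy are assumptions for the example.

```python
"""Reserve the RFC 5785 /.well-known prefix on a server that hosts
user-chosen names under http://host/<username>/... (assumed layout).

Added example, not code from the thread or the draft.  It shows that the
check must run on the *normalized* request path: a naive string compare
lets "%2Ewell-known", a double-encoded "%252Ewell-known" or
"img/../.well-known" reach the reserved namespace and serve a crafted
/.well-known/browser-hints file.
"""
from urllib.parse import unquote
import posixpath

RESERVED_PREFIX = "/.well-known"


def normalize_path(raw: str) -> str:
    """Percent-decode until stable (bounded, to catch double encoding),
    force a leading slash, then collapse "." / ".." segments and "//"."""
    path = raw
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    if not path.startswith("/"):
        path = "/" + path
    # posixpath.normpath resolves dot-segments the way a file-backed
    # server would before touching the filesystem.
    return posixpath.normpath(path)


def collides_with_well_known(raw_path: str) -> bool:
    """True if the path, as the server would resolve it, lands inside
    /.well-known.  The first segment is lowercased: conservative, since
    case-insensitive filesystems would serve .WELL-KNOWN as .well-known."""
    path = normalize_path(raw_path)
    first = path.split("/", 2)[1].lower() if len(path) > 1 else ""
    return first == RESERVED_PREFIX.lstrip("/")


def username_is_allowed(username: str) -> bool:
    """Registration policy (assumed): reject any username whose home
    path would collide with the reserved prefix."""
    return not collides_with_well_known("/" + username)
```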