Re: [art] Against BCP 190

Phillip Hallam-Baker <phill@hallambaker.com> Fri, 12 July 2019 19:03 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: art@ietfa.amsl.com
Delivered-To: art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 98CB5120926 for <art@ietfa.amsl.com>; Fri, 12 Jul 2019 12:03:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.107
X-Spam-Level:
X-Spam-Status: No, score=-0.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.247, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, PDS_NO_HELO_DNS=1.295, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MwM31-Z4k8um for <art@ietfa.amsl.com>; Fri, 12 Jul 2019 12:03:33 -0700 (PDT)
Received: from mail-ot1-f43.google.com (mail-ot1-f43.google.com [209.85.210.43]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9F102120919 for <art@ietf.org>; Fri, 12 Jul 2019 12:03:29 -0700 (PDT)
Received: by mail-ot1-f43.google.com with SMTP id e8so10455760otl.7 for <art@ietf.org>; Fri, 12 Jul 2019 12:03:29 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=pmSdyI6U9ybAqys6q7UUiNig0BqUhPgVrrdBv1Y29d0=; b=CjNEKAwx5tKreoSj1JWmy4Mvb7y/klqrzEEslOlYfd/znRC5mrtvEipQoEzuBE6BVD gmZ40jxCfraZpiXnQKYQP8MfQDAhQUvjFFF9pOBV3yTq/5VkTm3zMIta+JJ+g45Llg3O oVVPQLXp/LHT8hCCVZHCxDnjd+RBwwK/O8MlK7B3gwLXKfh8aeJWqLreI6u1DNlig/B2 Fw31syrEdDUqRPtLyjXnWq8Iv2ftMQNInhPhXXohW31N1Qcx07VX3bKM2qtHoCYtXkrx MRpOxIoEbpzlN9/leL92At77Noz3J+zHGLmaiNamj+XyF5sKEpXKJbW6YfiJRnbN1vaT bIRg==
X-Gm-Message-State: APjAAAVbLiq3zIi66jmVGBeflVigvyzwXLUDQTvZMu2c/4QfNo9Nu7JF gAhb5S4U0soIl3PoYY2prBkGDAAVBp2pJMt4Z9Y=
X-Google-Smtp-Source: APXvYqyOjqzKEK03SsURaMyRfvrZW3QJ/E178XUMCO/4DpamFYx1Y6Y7j9IeJUFDe2Mer+2ldW5+2UCYMrb0vSL6640=
X-Received: by 2002:a05:6830:160c:: with SMTP id g12mr10121120otr.231.1562958208219; Fri, 12 Jul 2019 12:03:28 -0700 (PDT)
MIME-Version: 1.0
References: <791b33b8-4696-f69c-aca3-8838b2caafd8@sectigo.com>
In-Reply-To: <791b33b8-4696-f69c-aca3-8838b2caafd8@sectigo.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Fri, 12 Jul 2019 15:03:17 -0400
Message-ID: <CAMm+Lwi4Rh4njOppZc4Sdnuzcyrthfoe=ie+6mNm1W6R0mvXaQ@mail.gmail.com>
To: Rob Stradling <rob@sectigo.com>
Cc: "art@ietf.org" <art@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000ccc11b058d80900d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/art/FEFiDHZ6XtyqT9DOmLx06-U3W40>
Subject: Re: [art] Against BCP 190
X-BeenThere: art@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications and Real-Time Area Discussion <art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/art>, <mailto:art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/art/>
List-Post: <mailto:art@ietf.org>
List-Help: <mailto:art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/art>, <mailto:art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Jul 2019 19:03:37 -0000

I see two separate problems here with relative paths

1) The path is an extension {whatever}/foo/bar
2) The path climbs the tree {whatever} = ../fred

The problem dealing with the second is that you end up with security issues
that affect ZIP files every five years as the code is re-implemented by a
new person who makes the old mistake. So unzipping a zip archive ends up
overwriting the hosts file or whatever and allows the machine to be rooted.

I see no problem with {whatever}/foo/bar if whatever is a simple prefix.
But it is not an approach to Web Service design I find particularly useful
any more. Unless a Web service is genuinely a data retrieval problem, it is
not going to use HTTP for anything more than expanding the effective number
of ports on the machine and punching a hole in the firewall. Both are
necessary and useful. But they use about 5% of the capabilities of HTTP if
that.

My view therefore is that as TLS everywhere and QUIC take over, we should
look forward to being able to specify a new UDP based transport for 'Web
Service' binding that is designed to meet the needs of Web services and
nothing else. The firewall bypass to be provided by TLS/QUIC. So all we
need to provide at the 'Web Service' layer is a means of disambiguating the
sub-service protocol.

So where I expect we will end up in 5-10 years time is that 'Web Services'
run over a different transport where the interaction looks something like

Client: <well-known> <length> <binary data>
Service: <length> <binary data>
Client: <length> <binary data>

Etc...

Since this would just be using the protocol multiplexing and data framing
capabilities of HTTP, it can be a lot simpler than HTTP. We don't want to
cache in the network (which hasn't worked since SSL) and we certainly don't
want content negotiation.

I don't like REST because I don't find URIs a useful data encoding and see
no value in splitting the request semantics between the URI path and the
POST body. Just do it all in JSON, stick it all in the body and then you
have a simple way to wrap it with a signature or an application level keyed
MAC if you need it.

So that is where I think we should try to head. Just make the traffic look
as nearly like TLS as allows firewall traversal and make sure that legacy
clients and services can downgrade to HTTP.

Web Services require almost none of the functionality of HTTP/1.1 so I see
no reason they would benefit from HTTP/2.


On Fri, Jul 12, 2019 at 12:45 PM Rob Stradling <rob@sectigo.com> wrote:

> During IESG review of RFC6962-bis (Certificate Transparency Version
> 2.0), BCP 190 is creating significant problems in standardizing
> HTTP-based APIs.  Specifically, this paragraph of section 2.3
> (https://tools.ietf.org/html/bcp190#section-2.3):
>
>     Specifying a fixed path relative to another (e.g., {whatever}/myapp)
>     is also bad practice (even if "whatever" is discovered as suggested
>     in Section 3); while doing so might prevent collisions, it does not
>     avoid the potential for operational difficulties (for example, an
>     implementation that prefers to use query processing instead, because
>     of implementation constraints).
>
> This paragraph should be struck.  It is out of date, since all modern
> web servers can trivially rewrite paths to query components and back
> again.  It also encourages inserting levels of indirection that add
> complexity and bugs.
>
> In RFC6962, all paths are specified relative to a "log server" prefix
> that can contain a path as well as a server name and a port:
>
>    POST https://<log server>/ct/v1/add-chain
>    GET https://<log server>/ct/v1/get-sth
>    GET https://<log server>/ct/v1/get-entries?start=1000&end=2000
>    … 5 more request types defined similarly ...
>
> This version of CT, which preceded BCP 190, has been in production use
> for several years, with multiple independent implementers on both the
> server side and the client side.  There have been no complaints that
> specifying paths in these ways is at all difficult or interferes with
> operation of other software.
>
> A similar problem arose during ACME standardization.  At first it was
> solved by defining a "straight through" issuance path where each step
> provided a URL for the next step.  This was abandoned because there are
> plenty of issuance cases that are not straight-through - for instance,
> revocation.  Now ACME indirects all requests through a "directory" JSON
> object that maps, e.g. "newAuthz" to "https://example.com/newAuthz".
> This works moderately well, but adds complexity, increases the total
> number of requests, and as it turns out, may have bugs
> (https://www.rfc-editor.org/errata_search.php?eid=5771).
>
> For 6962-bis, the TRANS WG has cycled through three different attempts
> to work around BCP 190: a .well-known path prefixing all the paths
> defined by the API, a directory, and treating the entire set of request
> types as parameters to a log definition delivered out of band.  All were
> found to be unsatisfactory.  The affected URI owners (log operators) are
> being prevented by BCP 190 from doing what they would prefer to do with
> their URI space, which is to use URIs constructed in the same manner as
> RFC6962 (with "/ct/v1" changed to "/ct/v2").
>
> BCP 190 is standing in the way of standardizing simple, sensible HTTP
> APIs and should be amended.
>
> Thanks,
>
> --
> Rob Stradling
> Senior Research & Development Scientist
> Sectigo Limited
> _______________________________________________
> art mailing list
> art@ietf.org
> https://www.ietf.org/mailman/listinfo/art
>