IETF Logo Mail Archive

Re: [Gen-art] Genart last call review of draft-ietf-httpbis-client-hints-13

Yoav Weiss <yoav@yoav.ws> Thu, 07 May 2020 10:02 UTC

Return-Path: <yoav@yoav.ws>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F133D3A0B33 for <gen-art@ietfa.amsl.com>; Thu, 7 May 2020 03:02:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=yoav-ws.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vluzH3PTVNYX for <gen-art@ietfa.amsl.com>; Thu, 7 May 2020 03:02:30 -0700 (PDT)
Received: from mail-lf1-x133.google.com (mail-lf1-x133.google.com [IPv6:2a00:1450:4864:20::133]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6A4603A0B38 for <gen-art@ietf.org>; Thu, 7 May 2020 03:02:30 -0700 (PDT)
Received: by mail-lf1-x133.google.com with SMTP id b26so3962023lfa.5 for <gen-art@ietf.org>; Thu, 07 May 2020 03:02:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yoav-ws.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=PYiincTAWilRsDDURvxlh7r/La38WMwW6dlyniSvtyI=; b=e4o1srOmtj+2TBP+UrkWlbiWW5cIX4aoSGF1LNXCIiddtG8o06owCqrDqhEg5zGSNQ rJLnTj8kvpqPy2yTpaQvQwkRtLRBus1UGTm31Q/aiqfJvrjy1nn7RU84RHCD9s02Hnft 5WL/uFYjKp1U3UWIB+cIp+yXOmBeWW9ZCuf1hN24lf4uxAP5mKsurDuYbLM0F99FYIf4 Oja/vGYH0hKlsGFA8e6ctJqQ0spI2/6WuY4W8xFNbbFpcwrdjhRNOdcDM/uWhtddNj64 TOxO1yZCRh6TdXAd7ErlDkvSewXyvd/oAx+5D93jSA1xoO++eL80Nln6TUXoUa9cDE+m fx2w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=PYiincTAWilRsDDURvxlh7r/La38WMwW6dlyniSvtyI=; b=fDg5/JoRFKXeYES2URZPpQ4AQ6tSmselG6SLej+3s8CrRonNIBUQ2g8qsdnf+YR8kw RBFu3r47M0DTpxCB/94Qc9KlAy49oFJRfzMerYy4KRKizzTbJ7i/N5bZRFA2jFcZEI+6 q4EDYTdpbig9bWpRBMIXLRye6ZvOMuWYDAOzbeklhNpDVnKyNjohMYeh9uBGZMLTCIeg 2N+c5ewvvhNotGgeXBLj+3BdomZw1ky9X8xnHEHWCLQuqAWnyyl4tN57Wwcfj3mcJxUL GRR2rWfzev7t0SyPP6vq+DlqRb6YKU862DWxYYI0nn9xjAPEW4iRl/XNi/WZ7GTs5HGO TUZw==
X-Gm-Message-State: AGi0PuYIslBgRBoiOAf3DtZTNq5GA4mIED923oJ4FoUv1xNlsykxMjvw 0pDHNzvBs/wcHf4dGcC3EynZqeFNh2JORClpgkIpag==
X-Google-Smtp-Source: APiQypI/NZIjzvk6ZzINS1GmRsRrRkdtC+Wc+06PC1iuezCY/C5kV6YnBskj0jTIUUAHGaOLobvZeSSJbLPsFcHWmA4=
X-Received: by 2002:a19:be52:: with SMTP id o79mr8588699lff.132.1588845748426; Thu, 07 May 2020 03:02:28 -0700 (PDT)
MIME-Version: 1.0
References: <158837305177.24719.21462684096579298@ietfa.amsl.com> <CACj=BEhNqVRxQagFmJ4sbXrn=YOWAYPBqODw_rL7MZbUDjNq5w@mail.gmail.com> <A2613BDC-7577-4BED-8AB5-4799973A1586@ericsson.com> <CACj=BEivQgTBrznaHjmdgOP+1O9fRR7xtX2m_u3JMV4eGfkqFQ@mail.gmail.com> <4243CEA9-67C6-4D3D-A554-9911847CA782@ericsson.com> <CACj=BEhXjntmamP_MMw6kkiXRwOX2B-j8-Ho6EJzPtwPQGoQaQ@mail.gmail.com>
In-Reply-To: <CACj=BEhXjntmamP_MMw6kkiXRwOX2B-j8-Ho6EJzPtwPQGoQaQ@mail.gmail.com>
From: Yoav Weiss <yoav@yoav.ws>
Date: Thu, 07 May 2020 12:02:12 +0200
Message-ID: <CACj=BEjhnWAQV4Odo3P3yVpmTmVZg=bCgiJrzXE87mCjCzg_YA@mail.gmail.com>
To: Christer Holmberg <christer.holmberg@ericsson.com>
Cc: "gen-art@ietf.org" <gen-art@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>, "draft-ietf-httpbis-client-hints.all@ietf.org" <draft-ietf-httpbis-client-hints.all@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000702fd605a50bfa4f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/gen-art/M1oeFNYDEKC73YlnP5qoaoZwMuo>
Subject: Re: [Gen-art] Genart last call review of draft-ietf-httpbis-client-hints-13
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/gen-art/>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 May 2020 10:02:34 -0000

Addressed the latest points in the PR. Thanks! :)

On Wed, May 6, 2020 at 3:20 PM Yoav Weiss <yoav@yoav.ws> wrote:

>
>
> On Wed, May 6, 2020 at 2:43 PM Christer Holmberg <
> christer.holmberg@ericsson.com> wrote:
>
>> Hi Yoav,
>>
>> >> I have not received the pull request yet, so I will comment only based
>> on your e-mail reply :)
>> >
>> > Apologies for the delay. PR is now up at
>> https://protect2.fireeye.com/v1/url?k=0a42e34e-54e25920-0a42a3d5-
>> >
>> 869a14f4b08c-11c3f32cbd74f2f2&q=1&e=978d85da-fab3-4523-a8d9-447aa6bdf056&u=
>> https://github.com/httpwg/http-extensions/pull/1171
>>
>> Thanks!
>>
>> I think it looks ok.
>>
>> BTW, are high-entropy and low-entropy defined and well-known HTTP terms?
>>
>
> I'm not sure. The browser processing model defines a list of low-entropy
> CH headers:
> https://wicg.github.io/client-hints-infrastructure/#low-entropy-table
> I could point at that.
>
>
>> ---
>>
>> MaQ3:
>>
>> >>>> Related to MaQ2, what happens if a server receives hints that it
>> does not
>> >>>> understand, or does not support?
>> >>>
>> >>> Servers SHOULD ignore hints they do not understand or do not support.
>> >>
>> >> Is there are reason for not using MUST? SHOULD typically means
>> MUST-unless-X. What would X be?
>> >>
>> >> Is there a way for the server to indicate to the client that it did
>> not understand/support the hints? Whatever the answer, I think it would be
>> good to have some text about that.
>> >
>> > There's no such a mechanism, similar to other request headers.
>> > Do you have sample text in mind that may make that point clearer?
>>
>> Maybe just a note pointing out that there is no mechanism for a server to
>> inform a client whether it understands and supports the hints.
>>
>> ---
>>
>> Minor issues:
>>
>> MiQ1:
>>
>> >>> Section 1 described that proactive content negotiation allows servers
>> to
>> >>> silently fingerprint the user agent.
>> >>>
>> >>> But, later in the Section it is described that Client Hints also
>> allow a server
>> >>> the perform fingerprinting, and the Security Considerations also say
>> that there
>> >>> is really no difference.
>> >>>
>> >>> So, does Section 1 need to talk about fingerprinting at all?
>> >>
>> >> Section 1 describes the fact that traditional (read: pre-Client Hints)
>> content negotiation methods relied on sending information to all servers,
>> which enabled passive fingerprinting,
>> >> and how Client Hints breaks away from that paradigm, by only sending
>> (high entropy) hints when the server needs them and opts-in to receive them.
>> >>
>> >> A server can request the hints even if it doesn't "need" them, but it
>> wants to do fingerprinting. The client does not know what the server will
>> do with the information.
>> >>
>> >> My point is that the reader should not get an impression that client
>> hints somehow prevents fingerprinting. It doesn't. The only difference is
>> that the server has to ask for the information.
>> >
>> > Current draft includes " Client Hints mitigate ... privacy concerns of
>> passive fingerprinting by requiring explicit opt-in and disclosure of
>> > required headers by the server through the use of the Accept-CH
>> response header."
>> > Should that be clearer?
>>
>> Yes, I think it is better.
>>
>> -------
>>
>> Regards,
>>
>> Christer
>>
>>

v2.23.0 | Report a Bug | By Email