Re: [Gen-art] Genart last call review of draft-ietf-httpbis-client-hints-13

Christer Holmberg <christer.holmberg@ericsson.com> Thu, 07 May 2020 13:15 UTC

From: Christer Holmberg <christer.holmberg@ericsson.com>
To: Yoav Weiss <yoav@yoav.ws>
CC: "gen-art@ietf.org" <gen-art@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>, "draft-ietf-httpbis-client-hints.all@ietf.org" <draft-ietf-httpbis-client-hints.all@ietf.org>
Thread-Topic: Genart last call review of draft-ietf-httpbis-client-hints-13
Date: Thu, 07 May 2020 13:15:06 +0000
Message-ID: <BBB5F044-1C66-43F8-B412-ADD217A9A093@ericsson.com>
References: <158837305177.24719.21462684096579298@ietfa.amsl.com> <CACj=BEhNqVRxQagFmJ4sbXrn=YOWAYPBqODw_rL7MZbUDjNq5w@mail.gmail.com> <A2613BDC-7577-4BED-8AB5-4799973A1586@ericsson.com> <CACj=BEivQgTBrznaHjmdgOP+1O9fRR7xtX2m_u3JMV4eGfkqFQ@mail.gmail.com> <4243CEA9-67C6-4D3D-A554-9911847CA782@ericsson.com> <CACj=BEhXjntmamP_MMw6kkiXRwOX2B-j8-Ho6EJzPtwPQGoQaQ@mail.gmail.com> <CACj=BEjhnWAQV4Odo3P3yVpmTmVZg=bCgiJrzXE87mCjCzg_YA@mail.gmail.com>
In-Reply-To: <CACj=BEjhnWAQV4Odo3P3yVpmTmVZg=bCgiJrzXE87mCjCzg_YA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-GB
Archived-At: <https://mailarchive.ietf.org/arch/msg/gen-art/cJr8k8iHOpsRVZ_vKe7FIYOf9Tw>
Subject: Re: [Gen-art] Genart last call review of draft-ietf-httpbis-client-hints-13
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/gen-art/>

Hi,

The PR looks good to me! Thanks for addressing my issues! :)

Regards,

Christer

From: Yoav Weiss <yoav@yoav.ws>
Date: Thursday, 7 May 2020 at 13.02
To: Christer Holmberg <christer.holmberg@ericsson.com>
Cc: "gen-art@ietf.org" <gen-art@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>, HTTP Group <ietf-http-wg@w3.org>, "draft-ietf-httpbis-client-hints.all@ietf.org" <draft-ietf-httpbis-client-hints.all@ietf.org>
Subject: Re: Genart last call review of draft-ietf-httpbis-client-hints-13

Addressed the latest points in the PR. Thanks! :)

On Wed, May 6, 2020 at 3:20 PM Yoav Weiss <yoav@yoav.ws> wrote:


On Wed, May 6, 2020 at 2:43 PM Christer Holmberg <christer.holmberg@ericsson.com> wrote:
Hi Yoav,

>> I have not received the pull request yet, so I will comment only based on your e-mail reply :)
>
> Apologies for the delay. PR is now up at https://github.com/httpwg/http-extensions/pull/1171

Thanks!

I think it looks ok.

BTW, are high-entropy and low-entropy defined and well-known HTTP terms?

I'm not sure. The browser processing model defines a list of low-entropy CH headers: https://wicg.github.io/client-hints-infrastructure/#low-entropy-table
I could point at that.


---

MaQ3:

>>>> Related to MaQ2, what happens if a server receives hints that it does not
>>>> understand, or does not support?
>>>
>>> Servers SHOULD ignore hints they do not understand or do not support.
>>
>> Is there a reason for not using MUST? SHOULD typically means MUST-unless-X. What would X be?
>>
>> Is there a way for the server to indicate to the client that it did not understand/support the hints? Whatever the answer, I think it would be good to have some text about that.
>
> There's no such mechanism, similar to other request headers.
> Do you have sample text in mind that may make that point clearer?

Maybe just a note pointing out that there is no mechanism for a server to inform a client whether it understands and supports the hints.

---

Minor issues:

MiQ1:

>>> Section 1 described that proactive content negotiation allows servers to
>>> silently fingerprint the user agent.
>>>
>>> But, later in the Section it is described that Client Hints also allow a server
>>> to perform fingerprinting, and the Security Considerations also say that there
>>> is really no difference.
>>>
>>> So, does Section 1 need to talk about fingerprinting at all?
>>
>> Section 1 describes the fact that traditional (read: pre-Client Hints) content negotiation methods relied on sending information to all servers, which enabled passive fingerprinting,
>> and how Client Hints breaks away from that paradigm, by only sending (high entropy) hints when the server needs them and opts in to receive them.
>>
>> A server can request the hints even if it doesn't "need" them, but it wants to do fingerprinting. The client does not know what the server will do with the information.
>>
>> My point is that the reader should not get an impression that client hints somehow prevent fingerprinting. They don't. The only difference is that the server has to ask for the information.
>
> Current draft includes " Client Hints mitigate ... privacy concerns of passive fingerprinting by requiring explicit opt-in and disclosure of
> required headers by the server through the use of the Accept-CH response header."
> Should that be clearer?

Yes, I think it is better.

-------

Regards,

Christer
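The three points argued in the thread above (high-entropy hints are only sent after an Accept-CH opt-in, a server ignores hints it does not support, and nothing in the response tells the client which hints were ignored or why they were requested) can be modelled in a few lines. The following is an added example, not code from the draft, the PR or any browser: the `ToyClient`/`ToyServer` classes, the `example.test` origin, the hint values and the split of names into low- and high-entropy sets are all assumptions constructed for illustration (the `Sec-CH-UA-*` and `Device-Memory` names are real Client Hints, but a real user agent takes the low-entropy list from its own processing model).

```python
# Added example (not from the draft, the PR or any browser): a toy model of
# the Client Hints opt-in flow discussed in the review thread. Hint names,
# the low/high-entropy split, the origin and all values are constructed.


def parse_accept_ch(value):
    """Parse an Accept-CH field value into a set of lower-case hint names.

    Accept-CH carries a comma-separated list of field names; empty items are
    dropped so that a trailing comma does not yield an empty hint name.
    """
    return {item.strip().lower() for item in value.split(",") if item.strip()}


class ToyClient:
    """Always sends low-entropy hints; sends others only after an opt-in."""

    # Assumed low-entropy set for this toy (a real UA has its own table).
    LOW_ENTROPY = {"sec-ch-ua", "sec-ch-ua-mobile", "sec-ch-ua-platform"}

    def __init__(self, hints):
        # Everything the client could say about itself, keyed by lower-case name.
        self.hints = {name.lower(): value for name, value in hints.items()}
        self.opt_in = {}  # origin -> set of hint names that origin asked for

    def on_response(self, origin, response_headers):
        """Record an origin's Accept-CH opt-in; a response without one changes nothing."""
        for name, value in response_headers.items():
            if name.lower() == "accept-ch":
                self.opt_in[origin] = parse_accept_ch(value)

    def request_headers(self, origin):
        """Hints included on the next request to `origin`.

        The client cannot tell whether the server needs a requested hint or
        merely wants it; it only knows the server asked for it explicitly.
        """
        allowed = self.LOW_ENTROPY | self.opt_in.get(origin, set())
        return {name: value for name, value in self.hints.items() if name in allowed}


class ToyServer:
    """Understands a fixed set of hints and silently ignores the rest."""

    def __init__(self, supported, advertise):
        self.supported = {name.lower() for name in supported}
        self.advertise = list(advertise)  # what it puts in Accept-CH

    def handle(self, request_headers):
        """Return (response_headers, hints_actually_used).

        Unsupported hints are dropped here. As the thread notes, the response
        carries no indication that this happened; only Accept-CH is visible.
        """
        used = {name: value for name, value in request_headers.items()
                if name.lower() in self.supported}
        response = {"Accept-CH": ", ".join(self.advertise)}
        return response, used


def run_session():
    """Two requests to one origin: before and after the Accept-CH opt-in."""
    client = ToyClient({
        "Sec-CH-UA": '"Toy";v="1"',      # constructed sample values
        "Sec-CH-UA-Mobile": "?0",
        "Sec-CH-UA-Platform": '"Linux"',
        "Sec-CH-UA-Arch": '"x86"',
        "Device-Memory": "8",
        "Sec-CH-UA-Model": '""',
    })
    origin = "https://example.test"  # constructed origin
    # The server only uses Device-Memory and Sec-CH-UA, yet also asks for
    # Sec-CH-UA-Arch and Sec-CH-UA-Model; the client has no way to tell.
    server = ToyServer(
        supported={"Sec-CH-UA", "Device-Memory"},
        advertise=["Sec-CH-UA-Arch", "Device-Memory", "Sec-CH-UA-Model"],
    )

    first = client.request_headers(origin)          # low-entropy hints only
    response, used_first = server.handle(first)
    client.on_response(origin, response)            # opt-in is now recorded
    second = client.request_headers(origin)         # plus the requested hints
    _, used_second = server.handle(second)
    return first, second, used_first, used_second


if __name__ == "__main__":
    first, second, used_first, used_second = run_session()
    print("before opt-in:", sorted(first))
    print("after opt-in: ", sorted(second))
    print("server used:  ", sorted(used_second))
```

Running it shows the first request carrying only the three low-entropy hints, the second carrying the three additional hints named in Accept-CH, and the server using only the two it supports while the ignored `Sec-CH-UA-Model` leaves no trace in the response, which is exactly the note the review asks the draft to add.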