Re: [Gen-art] Genart last call review of draft-ietf-httpbis-client-hints-13
Alissa Cooper <alissa@cooperw.in> Thu, 21 May 2020 13:45 UTC
Return-Path: <alissa@cooperw.in>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3E5DA3A0CCD; Thu, 21 May 2020 06:45:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=cooperw.in header.b=F5dL+nS3; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=tJc00cdC
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1p10UqHoDa3X; Thu, 21 May 2020 06:45:53 -0700 (PDT)
Received: from out1-smtp.messagingengine.com (out1-smtp.messagingengine.com [66.111.4.25]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E37603A0CCF; Thu, 21 May 2020 06:45:52 -0700 (PDT)
Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailout.nyi.internal (Postfix) with ESMTP id D54AC5C019F; Thu, 21 May 2020 09:45:51 -0400 (EDT)
Received: from mailfrontend1 ([10.202.2.162]) by compute4.internal (MEProxy); Thu, 21 May 2020 09:45:51 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cooperw.in; h= content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; s=fm3; bh=f eZV+iUs4a/5B3nyTh1vXujOJoUUKdUJScixXs9dHuw=; b=F5dL+nS3jdZxL+4Hn pFiCR+brqdYmFFKDqU4/tbRSZ7/AHORkYkMODH8Uevx0+8MJh8zcrvamImzBy8FM tiGWnKjxi/CQo0ijp90ic96tNL/ChUbuuhYGZp1/RTGxzlCSEo0eTJITZCiNwAo8 OHJNxlC/Cd3pcq/qqaYjn/+wcSKupR4FyaVSPg+Y/7+85CW2z5Y8zNQJlkkpez4/ wuWFtY0+OXA3jU+53V51NJ3qXf1wkm6bnOKu7QRy7aYzgO3c6SHujvU/vMQqJElY RiJ58nsk5VOvrD3cJP5sWN8nrVRzw9x/dfsDCtL3XAgLctLc66JPuOb52h2YcIH4 aBwgQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm2; bh=feZV+iUs4a/5B3nyTh1vXujOJoUUKdUJScixXs9dH uw=; b=tJc00cdCW8X1NmGVhIbNgzejNeSpcnNHETeOVJikpkBC2GDT5G7PIm0Mv 4LzvB5IpkhjVKEc48hTsdWsFc3ihWFXcurLKFKWZoGG2Ih58aG3dK9wohop2U+hp FfHOZklQ4q5+Xy8dOKGbqWq6glU/3zP41YJB2cSfP1IlaWm0dNwEZtPwWpdmb7Eo i/MxKbhTKtRgCYNC2455C/C/eCWvPtLG8p8CUjcNm2it0TABvFcBG931HyzTSN5u j1Wwhvy5Y8yanop+drpQfQ7ASx0KB+qJPXoR5HNMtvVgt34EoBZqs09p7/PPKMxV 7cvPTwr0Kt17UvwEgRiNchK8QuKBA==
X-ME-Sender: <xms:D4bGXuXUwmLtQfFbt7hYBXvSycM-GgcmAxYtfZdc8h-uYkVQRe_kNg>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduhedrudduuddgieejucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne cujfgurheptggguffhjgffgffkfhfvofesthhqmhdthhdtjeenucfhrhhomheptehlihhs shgrucevohhophgvrhcuoegrlhhishhsrgestghoohhpvghrfidrihhnqeenucggtffrrg htthgvrhhnpefguedtkeethfekleehheethedvkeektedtvddvjefghfeikeffgeegveef ueegtdenucffohhmrghinhepihgvthhfrdhorhhgnecukfhppedutdekrdehuddruddtud drleeknecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomhep rghlihhsshgrsegtohhophgvrhifrdhinh
X-ME-Proxy: <xmx:D4bGXql_TDkZxzeAw7_-MDnNmxzSaWyHtLQHCw4MeZYA9MEC3P6eCw> <xmx:D4bGXiaJcFXwZ3FlkrlerZkkdV1HLssP729487n7ldGNrcXAXnwP4Q> <xmx:D4bGXlX1DSR63B-EZv27eXJPXdAWFvbi-SbU6WMLFtt5zHlH4EmurA> <xmx:D4bGXkt2zKwviL-b2FoaaON-R01an81a2uoy7hKYqEzIWuWttrAc0Q>
Received: from alcoop-m-c46z.fios-router.home (pool-108-51-101-98.washdc.fios.verizon.net [108.51.101.98]) by mail.messagingengine.com (Postfix) with ESMTPA id 30420328005A; Thu, 21 May 2020 09:45:51 -0400 (EDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.5\))
From: Alissa Cooper <alissa@cooperw.in>
In-Reply-To: <158837305177.24719.21462684096579298@ietfa.amsl.com>
Date: Thu, 21 May 2020 09:45:50 -0400
Cc: General Area Review Team <gen-art@ietf.org>, last-call@ietf.org, ietf-http-wg@w3.org, draft-ietf-httpbis-client-hints.all@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <53B2C9C1-8BEA-4E33-B7DC-25D3CD5BC16A@cooperw.in>
References: <158837305177.24719.21462684096579298@ietfa.amsl.com>
To: Christer Holmberg <christer.holmberg@ericsson.com>
X-Mailer: Apple Mail (2.3445.9.5)
Archived-At: <https://mailarchive.ietf.org/arch/msg/gen-art/mTh8Iebh1DELaZewSyUCxQdSSmQ>
Subject: Re: [Gen-art] Genart last call review of draft-ietf-httpbis-client-hints-13
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/gen-art/>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 May 2020 13:45:55 -0000
Christer, thanks for your review. Yoav, thanks for addressing the comments. I entered a No Objection ballot. Alissa > On May 1, 2020, at 6:44 PM, Christer Holmberg via Datatracker <noreply@ietf.org> wrote: > > Reviewer: Christer Holmberg > Review result: Ready with Issues > > I am the assigned Gen-ART reviewer for this draft. The General Area > Review Team (Gen-ART) reviews all IETF documents being processed > by the IESG for the IETF Chair. Please treat these comments just > like any other last call comments. > > For more information, please see the FAQ at > > <https://trac.ietf.org/trac/gen/wiki/GenArtfaq>. > > Document: draft-ietf-httpbis-client-hints-13 > Reviewer: Christer Holmberg > Review Date: 2020-05-01 > IETF LC End Date: 2020-05-08 > IESG Telechat date: Not scheduled for a telechat > > Summary: The document is easy to read, and I understand the general concept of > the mechansim. However, I have a number of questions, some related to the > usage, which I think need to be clarified, and some more editorial. > > Q3: > > Section 2.1. describes sending of Client Hints, based on Accept-CH, and Section > 3.1. defines the Accept-CH header field. > > But, there is no guidance on what a client does BEFORE it receives Accept-CH. I > assume it does not include support of any features. > > Also, there is no guidance on what a client does if it does NOT receive > Accept-CH (because the server does not support it). Will it then send another > request and include supported features ? What if it is too late, and the server > has already made choises? > > I think some client behavior guidance would be useful. > > --- > > Q4: > > Related to Q3, there is not server procedure on when Accept-CH is sent to the > client. > > --- > > Q5: > > Related to Q4, what happens if a server receives hints that it does not > understand, or does not support? > > --- > > Q6: > > Section 3.1 says: > > “It SHOULD be persisted and bound to the origin to enable delivery of Client > Hints on subsequent requests to the server's origin.” > > …and the subsequent text then gives an example. > > First, what is the time scope of “subsequent requests”? A session? An hour? A > day? For how long does the client need to remember the Accept-CH header field > value for a given origin server? > > Second, the procedure does not seem to take into account that certain aspects, > e.g., network characteristics, may change between when requests are sent to an > origin server. > > ------- > > Major issues: > > MaQ1: > > Section 2.1. describes sending of Client Hints, based on Accept-CH, and Section > 3.1. defines the Accept-CH header field. > > First, there is no guidance on what a client does BEFORE it receives Accept-CH. > I assume it does not include support of any features. > > Second, there is no guidance on what a client does if it does NOT receive > Accept-CH (because the server does not support it). Will it then send another > request and include supported features ? What if it is too late, and the server > has already made choises? > > I think some client behavior guidance would be useful. > > --- > > MaQ2: > > Related to Q3, there is not server procedure on when Accept-CH is sent to the > client. Also, can an Accept-CH with updated information be sent? > > --- > > MaQ3: > > Related to MaQ2, what happens if a server receives hints that it does not > understand, or does not support? > > --- > > MaQ4: > > Section 3.1 says: > > “It SHOULD be persisted and bound to the origin to enable delivery of Client > Hints on subsequent requests to the server's origin.” > > …and the subsequent text then gives an example. > > First, what is the time scope of “subsequent requests”? A session? An hour? A > day? For how long does the client need to remember the Accept-CH header field > value for a given origin server? > > Second, the procedure does not seem to take into account that certain aspects, > e.g., network characteristics, may change between when requests are sent to an > origin server. > > -------- > > Minor issues: > > MiQ1: > > Section 1 described that proactive content negotiation allows servers to > silently fingerprint the user agent. > > But, later in the Section it is described that Client Hints also allow a server > the perform fingerprinting, and the Security Considerations also say that there > is really no difference. > > So, does Section 1 need to talk about fingerprinting at all? > > --- > > MiQ2: > > The 4th last paragraph of Section 1 says: > > “It also defines guidelines for content negotiation mechanisms that use it, > colloquially referred to as Client Hints.” > > The 2nd last paragraph of Section 1 says: > > “This document defines Client Hints, a framework that enables servers > to opt-in to specific proactive content negotiation features, > adapting their content accordingly.” > > The 2nd last pargraph also talks about “usage of infrastructure”, which I don’t > really understand. I assume you mean the Client Hints framework? > > First, I think the text in the 4th last paragraph should be replaced by the > text in the 2nd last paragraph. > > Second, I think the text introducing the framework should come BEFORE the text > introducing the Accept-CH header field. > > Something like: > > "This document defines Client Hints, a framework that enables servers > to opt-in to specific proactive content negotiation features, > adapting their content accordingly. This document also defines a new > response header, Accept-CH, that allows an origin server to explicitly > ask that clients send these headers in requests. > > Client Hints mitigate performance concerns by assuring that clients > will only send the request headers when they're actually going to be > used, and privacy concerns of passive fingerprinting by requiring > explicit opt-in and disclosure of required headers by the server > through the use of the Accept-CH response header. > > The document does not define specific usages of Client Hints. Such usages > Need to be defined in their respective specifications. > > One example of such usage is the User Agent Client Hints [UA-CH]." > > ------- > > Nits/editorial comments: > > EdQ1: > > The document uses both “client” and “user agent” terminology. Is there a reason > for that, or could one be picked? > > > > _______________________________________________ > Gen-art mailing list > Gen-art@ietf.org > https://www.ietf.org/mailman/listinfo/gen-art
- [Gen-art] Genart last call review of draft-ietf-h… Christer Holmberg via Datatracker
- Re: [Gen-art] [Last-Call] Genart last call review… Christer Holmberg
- Re: [Gen-art] Genart last call review of draft-ie… Yoav Weiss
- Re: [Gen-art] Genart last call review of draft-ie… Christer Holmberg
- Re: [Gen-art] Genart last call review of draft-ie… Yoav Weiss
- Re: [Gen-art] Genart last call review of draft-ie… Christer Holmberg
- Re: [Gen-art] Genart last call review of draft-ie… Yoav Weiss
- Re: [Gen-art] Genart last call review of draft-ie… Yoav Weiss
- Re: [Gen-art] Genart last call review of draft-ie… Barry Leiba
- Re: [Gen-art] Genart last call review of draft-ie… Christer Holmberg
- Re: [Gen-art] Genart last call review of draft-ie… Yoav Weiss
- Re: [Gen-art] Genart last call review of draft-ie… Alissa Cooper