IETF Logo Mail Archive

Re: [Gen-art] Genart last call review of draft-ietf-httpbis-client-hints-13

Alissa Cooper <alissa@cooperw.in> Thu, 21 May 2020 13:45 UTC

Return-Path: <alissa@cooperw.in>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3E5DA3A0CCD; Thu, 21 May 2020 06:45:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=cooperw.in header.b=F5dL+nS3; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=tJc00cdC
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1p10UqHoDa3X; Thu, 21 May 2020 06:45:53 -0700 (PDT)
Received: from out1-smtp.messagingengine.com (out1-smtp.messagingengine.com [66.111.4.25]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E37603A0CCF; Thu, 21 May 2020 06:45:52 -0700 (PDT)
Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailout.nyi.internal (Postfix) with ESMTP id D54AC5C019F; Thu, 21 May 2020 09:45:51 -0400 (EDT)
Received: from mailfrontend1 ([10.202.2.162]) by compute4.internal (MEProxy); Thu, 21 May 2020 09:45:51 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cooperw.in; h= content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; s=fm3; bh=f eZV+iUs4a/5B3nyTh1vXujOJoUUKdUJScixXs9dHuw=; b=F5dL+nS3jdZxL+4Hn pFiCR+brqdYmFFKDqU4/tbRSZ7/AHORkYkMODH8Uevx0+8MJh8zcrvamImzBy8FM tiGWnKjxi/CQo0ijp90ic96tNL/ChUbuuhYGZp1/RTGxzlCSEo0eTJITZCiNwAo8 OHJNxlC/Cd3pcq/qqaYjn/+wcSKupR4FyaVSPg+Y/7+85CW2z5Y8zNQJlkkpez4/ wuWFtY0+OXA3jU+53V51NJ3qXf1wkm6bnOKu7QRy7aYzgO3c6SHujvU/vMQqJElY RiJ58nsk5VOvrD3cJP5sWN8nrVRzw9x/dfsDCtL3XAgLctLc66JPuOb52h2YcIH4 aBwgQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm2; bh=feZV+iUs4a/5B3nyTh1vXujOJoUUKdUJScixXs9dH uw=; b=tJc00cdCW8X1NmGVhIbNgzejNeSpcnNHETeOVJikpkBC2GDT5G7PIm0Mv 4LzvB5IpkhjVKEc48hTsdWsFc3ihWFXcurLKFKWZoGG2Ih58aG3dK9wohop2U+hp FfHOZklQ4q5+Xy8dOKGbqWq6glU/3zP41YJB2cSfP1IlaWm0dNwEZtPwWpdmb7Eo i/MxKbhTKtRgCYNC2455C/C/eCWvPtLG8p8CUjcNm2it0TABvFcBG931HyzTSN5u j1Wwhvy5Y8yanop+drpQfQ7ASx0KB+qJPXoR5HNMtvVgt34EoBZqs09p7/PPKMxV 7cvPTwr0Kt17UvwEgRiNchK8QuKBA==
X-ME-Sender: <xms:D4bGXuXUwmLtQfFbt7hYBXvSycM-GgcmAxYtfZdc8h-uYkVQRe_kNg>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduhedrudduuddgieejucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne cujfgurheptggguffhjgffgffkfhfvofesthhqmhdthhdtjeenucfhrhhomheptehlihhs shgrucevohhophgvrhcuoegrlhhishhsrgestghoohhpvghrfidrihhnqeenucggtffrrg htthgvrhhnpefguedtkeethfekleehheethedvkeektedtvddvjefghfeikeffgeegveef ueegtdenucffohhmrghinhepihgvthhfrdhorhhgnecukfhppedutdekrdehuddruddtud drleeknecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomhep rghlihhsshgrsegtohhophgvrhifrdhinh
X-ME-Proxy: <xmx:D4bGXql_TDkZxzeAw7_-MDnNmxzSaWyHtLQHCw4MeZYA9MEC3P6eCw> <xmx:D4bGXiaJcFXwZ3FlkrlerZkkdV1HLssP729487n7ldGNrcXAXnwP4Q> <xmx:D4bGXlX1DSR63B-EZv27eXJPXdAWFvbi-SbU6WMLFtt5zHlH4EmurA> <xmx:D4bGXkt2zKwviL-b2FoaaON-R01an81a2uoy7hKYqEzIWuWttrAc0Q>
Received: from alcoop-m-c46z.fios-router.home (pool-108-51-101-98.washdc.fios.verizon.net [108.51.101.98]) by mail.messagingengine.com (Postfix) with ESMTPA id 30420328005A; Thu, 21 May 2020 09:45:51 -0400 (EDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.5\))
From: Alissa Cooper <alissa@cooperw.in>
In-Reply-To: <158837305177.24719.21462684096579298@ietfa.amsl.com>
Date: Thu, 21 May 2020 09:45:50 -0400
Cc: General Area Review Team <gen-art@ietf.org>, last-call@ietf.org, ietf-http-wg@w3.org, draft-ietf-httpbis-client-hints.all@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <53B2C9C1-8BEA-4E33-B7DC-25D3CD5BC16A@cooperw.in>
References: <158837305177.24719.21462684096579298@ietfa.amsl.com>
To: Christer Holmberg <christer.holmberg@ericsson.com>
X-Mailer: Apple Mail (2.3445.9.5)
Archived-At: <https://mailarchive.ietf.org/arch/msg/gen-art/mTh8Iebh1DELaZewSyUCxQdSSmQ>
Subject: Re: [Gen-art] Genart last call review of draft-ietf-httpbis-client-hints-13
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/gen-art/>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 May 2020 13:45:55 -0000

Christer, thanks for your review. Yoav, thanks for addressing the comments. I entered a No Objection ballot.

Alissa


> On May 1, 2020, at 6:44 PM, Christer Holmberg via Datatracker <noreply@ietf.org> wrote:
> 
> Reviewer: Christer Holmberg
> Review result: Ready with Issues
> 
> I am the assigned Gen-ART reviewer for this draft. The General Area
> Review Team (Gen-ART) reviews all IETF documents being processed
> by the IESG for the IETF Chair.  Please treat these comments just
> like any other last call comments.
> 
> For more information, please see the FAQ at
> 
> <https://trac.ietf.org/trac/gen/wiki/GenArtfaq>.
> 
> Document: draft-ietf-httpbis-client-hints-13
> Reviewer: Christer Holmberg
> Review Date: 2020-05-01
> IETF LC End Date: 2020-05-08
> IESG Telechat date: Not scheduled for a telechat
> 
> Summary: The document is easy to read, and I understand the general concept of
> the mechansim. However, I have a number of questions, some related to the
> usage, which I think need to be clarified, and some more editorial.
> 
> Q3:
> 
> Section 2.1. describes sending of Client Hints, based on Accept-CH, and Section
> 3.1. defines the Accept-CH header field.
> 
> But, there is no guidance on what a client does BEFORE it receives Accept-CH. I
> assume it does not include support of any features.
> 
> Also, there is no guidance on what a client does if it does NOT receive
> Accept-CH (because the server does not support it). Will it then send another
> request and include supported features ? What if it is too late, and the server
> has already made choises?
> 
> I think some client behavior guidance would be useful.
> 
> ---
> 
> Q4:
> 
> Related to Q3, there is not server procedure on when Accept-CH is sent to the
> client.
> 
> ---
> 
> Q5:
> 
> Related to Q4, what happens if a server receives hints that it does not
> understand, or does not support?
> 
> ---
> 
> Q6:
> 
> Section 3.1 says:
> 
>   “It SHOULD be persisted and bound to the origin to enable delivery of Client
>   Hints on subsequent requests to the server's origin.”
> 
> …and the subsequent text then gives an example.
> 
> First, what is the time scope of “subsequent requests”? A session? An hour? A
> day? For how long does the client need to remember the Accept-CH header field
> value for a given origin server?
> 
> Second, the procedure does not seem to take into account that certain aspects,
> e.g., network characteristics, may change between when requests are sent to an
> origin server.
> 
> -------
> 
> Major issues:
> 
> MaQ1:
> 
> Section 2.1. describes sending of Client Hints, based on Accept-CH, and Section
> 3.1. defines the Accept-CH header field.
> 
> First, there is no guidance on what a client does BEFORE it receives Accept-CH.
> I assume it does not include support of any features.
> 
> Second, there is no guidance on what a client does if it does NOT receive
> Accept-CH (because the server does not support it). Will it then send another
> request and include supported features ? What if it is too late, and the server
> has already made choises?
> 
> I think some client behavior guidance would be useful.
> 
> ---
> 
> MaQ2:
> 
> Related to Q3, there is not server procedure on when Accept-CH is sent to the
> client. Also, can an Accept-CH with updated information be sent?
> 
> ---
> 
> MaQ3:
> 
> Related to MaQ2, what happens if a server receives hints that it does not
> understand, or does not support?
> 
> ---
> 
> MaQ4:
> 
> Section 3.1 says:
> 
>   “It SHOULD be persisted and bound to the origin to enable delivery of Client
>   Hints on subsequent requests to the server's origin.”
> 
> …and the subsequent text then gives an example.
> 
> First, what is the time scope of “subsequent requests”? A session? An hour? A
> day? For how long does the client need to remember the Accept-CH header field
> value for a given origin server?
> 
> Second, the procedure does not seem to take into account that certain aspects,
> e.g., network characteristics, may change between when requests are sent to an
> origin server.
> 
> --------
> 
> Minor issues:
> 
> MiQ1:
> 
> Section 1 described that proactive content negotiation allows servers to
> silently fingerprint the user agent.
> 
> But, later in the Section it is described that Client Hints also allow a server
> the perform fingerprinting, and the Security Considerations also say that there
> is really no difference.
> 
> So, does Section 1 need to talk about fingerprinting at all?
> 
> ---
> 
> MiQ2:
> 
> The 4th last paragraph of Section 1 says:
> 
>   “It also defines guidelines for content negotiation mechanisms that use it,
>   colloquially referred to as Client Hints.”
> 
> The 2nd last paragraph of Section 1 says:
> 
>   “This document defines Client Hints, a framework that enables servers
>     to opt-in to specific proactive content negotiation features,
>     adapting their content accordingly.”
> 
> The 2nd last pargraph also talks about “usage of infrastructure”, which I don’t
> really understand. I assume you mean the Client Hints framework?
> 
> First, I think the text in the 4th last paragraph should be replaced by the
> text in the 2nd last paragraph.
> 
> Second, I think the text introducing the framework should come BEFORE the text
> introducing the Accept-CH header field.
> 
> Something like:
> 
>   "This document defines Client Hints, a framework that enables servers
>   to opt-in to specific proactive content negotiation features,
>   adapting their content accordingly. This document also defines a new
>   response header, Accept-CH, that allows an origin server to explicitly
>   ask that clients send these headers in requests.
> 
>   Client Hints mitigate performance concerns by assuring that clients
>   will only send the request headers when they're actually going to be
>   used, and privacy concerns of passive fingerprinting by requiring
>   explicit opt-in and disclosure of required headers by the server
>   through the use of the Accept-CH response header.
> 
>   The document does not define specific usages of Client Hints. Such usages
>   Need to be defined in their respective specifications.
> 
>   One example of such usage is the User Agent Client Hints [UA-CH]."
> 
> -------
> 
> Nits/editorial comments:
> 
> EdQ1:
> 
> The document uses both “client” and “user agent” terminology. Is there a reason
> for that, or could one be picked?
> 
> 
> 
> _______________________________________________
> Gen-art mailing list
> Gen-art@ietf.org
> https://www.ietf.org/mailman/listinfo/gen-art

v2.23.0 | Report a Bug | By Email