Re: [Gen-art] Genart last call review of draft-ietf-httpbis-client-hints-13
Barry Leiba <barryleiba@computer.org> Thu, 07 May 2020 13:07 UTC
Return-Path: <barryleiba@gmail.com>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 400373A07AC; Thu, 7 May 2020 06:07:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.399
X-Spam-Level:
X-Spam-Status: No, score=-1.399 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f2xFOW1SiIEY; Thu, 7 May 2020 06:07:54 -0700 (PDT)
Received: from mail-il1-f176.google.com (mail-il1-f176.google.com [209.85.166.176]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7D59D3A07AB; Thu, 7 May 2020 06:07:54 -0700 (PDT)
Received: by mail-il1-f176.google.com with SMTP id w6so839054ilg.1; Thu, 07 May 2020 06:07:54 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=mOHZQ0U4cXyNz4oFamhC7v42NeHYODTa+Ap60Aw565U=; b=QbO3p+Y0dTpJGm880U/Z91SumtqXGPte9dPwjlrIemyMwnrd4jv6IDLfUCu5ciqkSW TmjtVdbroT5QDMgLJHIj3H7mBcxpWTpPiQOd9fiXNQcIdXlAEIPdH9nASfyU/YzIPcPu iuYCHeqTsr5mxqD8IUchGMkCGYo5033RQZqJLc+LcNOoRmpeX20bj5wHdD2Hh4L/DPKW wWFnE3D1R1Qc2E1kx77PlVHCcKcMZB9U8aPWYiLtjwqPAaBVxcgXHPXoPzDl2T/aM9nM 0+9B6JpiOYwsVvUO0dzJIu5k9EG5wDILzKFUb6t0SA9EECeisn1ShW6JW3zCU80OqPgc 9iWw==
X-Gm-Message-State: AGi0PuZRaOxejpt91nOW1osj9l01s1GICq/kwGzlwSUCKowWV9qV3X2c PUNPs7F4oEDuZNhMh51ydLcpfC9UiF7kGR8hbBQ=
X-Google-Smtp-Source: APiQypKD1p8rEtb7cWGM6v4qlCQr2Hh5BmB/kD6PZ67IIqzYW7Q2kPlsmKl5yXK4zWY4Q1SvlJmmLt6zOJzcGLvxWhc=
X-Received: by 2002:a92:d20a:: with SMTP id y10mr8862299ily.17.1588856873653; Thu, 07 May 2020 06:07:53 -0700 (PDT)
MIME-Version: 1.0
References: <158837305177.24719.21462684096579298@ietfa.amsl.com> <CACj=BEhNqVRxQagFmJ4sbXrn=YOWAYPBqODw_rL7MZbUDjNq5w@mail.gmail.com> <A2613BDC-7577-4BED-8AB5-4799973A1586@ericsson.com> <CACj=BEivQgTBrznaHjmdgOP+1O9fRR7xtX2m_u3JMV4eGfkqFQ@mail.gmail.com> <4243CEA9-67C6-4D3D-A554-9911847CA782@ericsson.com> <CACj=BEhXjntmamP_MMw6kkiXRwOX2B-j8-Ho6EJzPtwPQGoQaQ@mail.gmail.com> <CACj=BEjhnWAQV4Odo3P3yVpmTmVZg=bCgiJrzXE87mCjCzg_YA@mail.gmail.com>
In-Reply-To: <CACj=BEjhnWAQV4Odo3P3yVpmTmVZg=bCgiJrzXE87mCjCzg_YA@mail.gmail.com>
From: Barry Leiba <barryleiba@computer.org>
Date: Thu, 07 May 2020 09:07:42 -0400
Message-ID: <CALaySJK3RULGGBPeR0E-9-r3MGwWeQA-HmGQ9cQ3imrHkktqqw@mail.gmail.com>
To: Yoav Weiss <yoav@yoav.ws>
Cc: Christer Holmberg <christer.holmberg@ericsson.com>, "draft-ietf-httpbis-client-hints.all@ietf.org" <draft-ietf-httpbis-client-hints.all@ietf.org>, "gen-art@ietf.org" <gen-art@ietf.org>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>, "last-call@ietf.org" <last-call@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000008dce1c05a50e915d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/gen-art/oXfsLnbpcGR2KOACcKXggMcdc1o>
Subject: Re: [Gen-art] Genart last call review of draft-ietf-httpbis-client-hints-13
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/gen-art/>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 May 2020 13:07:57 -0000
Please post a revised I-D when you’re ready; thanks. Barry On Thu, May 7, 2020 at 6:02 AM Yoav Weiss <yoav@yoav.ws> wrote: > Addressed the latest points in the PR. Thanks! :) > > On Wed, May 6, 2020 at 3:20 PM Yoav Weiss <yoav@yoav.ws> wrote: > >> >> >> On Wed, May 6, 2020 at 2:43 PM Christer Holmberg < >> christer.holmberg@ericsson.com> wrote: >> >>> Hi Yoav, >>> >>> >> I have not received the pull request yet, so I will comment only >>> based on your e-mail reply :) >>> > >>> > Apologies for the delay. PR is now up at >>> https://protect2.fireeye.com/v1/url?k=0a42e34e-54e25920-0a42a3d5- >>> > >>> 869a14f4b08c-11c3f32cbd74f2f2&q=1&e=978d85da-fab3-4523-a8d9-447aa6bdf056&u= >>> https://github.com/httpwg/http-extensions/pull/1171 >>> >>> Thanks! >>> >>> I think it looks ok. >>> >>> BTW, are high-entropy and low-entropy defined and well-known HTTP terms? >>> >> >> I'm not sure. The browser processing model defines a list of low-entropy >> CH headers: >> https://wicg.github.io/client-hints-infrastructure/#low-entropy-table >> I could point at that. >> >> >>> --- >>> >>> MaQ3: >>> >>> >>>> Related to MaQ2, what happens if a server receives hints that it >>> does not >>> >>>> understand, or does not support? >>> >>> >>> >>> Servers SHOULD ignore hints they do not understand or do not support. >>> >> >>> >> Is there are reason for not using MUST? SHOULD typically means >>> MUST-unless-X. What would X be? >>> >> >>> >> Is there a way for the server to indicate to the client that it did >>> not understand/support the hints? Whatever the answer, I think it would be >>> good to have some text about that. >>> > >>> > There's no such a mechanism, similar to other request headers. >>> > Do you have sample text in mind that may make that point clearer? >>> >>> Maybe just a note pointing out that there is no mechanism for a server >>> to inform a client whether it understands and supports the hints. >>> >>> --- >>> >>> Minor issues: >>> >>> MiQ1: >>> >>> >>> Section 1 described that proactive content negotiation allows >>> servers to >>> >>> silently fingerprint the user agent. >>> >>> >>> >>> But, later in the Section it is described that Client Hints also >>> allow a server >>> >>> the perform fingerprinting, and the Security Considerations also say >>> that there >>> >>> is really no difference. >>> >>> >>> >>> So, does Section 1 need to talk about fingerprinting at all? >>> >> >>> >> Section 1 describes the fact that traditional (read: pre-Client >>> Hints) content negotiation methods relied on sending information to all >>> servers, which enabled passive fingerprinting, >>> >> and how Client Hints breaks away from that paradigm, by only sending >>> (high entropy) hints when the server needs them and opts-in to receive them. >>> >> >>> >> A server can request the hints even if it doesn't "need" them, but it >>> wants to do fingerprinting. The client does not know what the server will >>> do with the information. >>> >> >>> >> My point is that the reader should not get an impression that client >>> hints somehow prevents fingerprinting. It doesn't. The only difference is >>> that the server has to ask for the information. >>> > >>> > Current draft includes " Client Hints mitigate ... privacy concerns of >>> passive fingerprinting by requiring explicit opt-in and disclosure of >>> > required headers by the server through the use of the Accept-CH >>> response header." >>> > Should that be clearer? >>> >>> Yes, I think it is better. >>> >>> ------- >>> >>> Regards, >>> >>> Christer >>> >>>
- [Gen-art] Genart last call review of draft-ietf-h… Christer Holmberg via Datatracker
- Re: [Gen-art] [Last-Call] Genart last call review… Christer Holmberg
- Re: [Gen-art] Genart last call review of draft-ie… Yoav Weiss
- Re: [Gen-art] Genart last call review of draft-ie… Christer Holmberg
- Re: [Gen-art] Genart last call review of draft-ie… Yoav Weiss
- Re: [Gen-art] Genart last call review of draft-ie… Christer Holmberg
- Re: [Gen-art] Genart last call review of draft-ie… Yoav Weiss
- Re: [Gen-art] Genart last call review of draft-ie… Yoav Weiss
- Re: [Gen-art] Genart last call review of draft-ie… Barry Leiba
- Re: [Gen-art] Genart last call review of draft-ie… Christer Holmberg
- Re: [Gen-art] Genart last call review of draft-ie… Yoav Weiss
- Re: [Gen-art] Genart last call review of draft-ie… Alissa Cooper