[Http-grease] Ossification and HTTP - call for participation

Mark Nottingham <mnot@mnot.net> Tue, 07 July 2020 01:27 UTC

From: Mark Nottingham <mnot@mnot.net>
Date: Tue, 07 Jul 2020 11:27:28 +1000
Cc: http-grease@ietf.org
To: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/http-grease/1Kjp2W85BpIEsY2oncRlxkLaZkg>

Hi folks,

There's been a background discussion about HTTP and ossification going on for a little while, as some vendors have encountered situations where they can't easily deploy new extensions.

To work through this, we're trying to engage with the Web Application Firewall (WAF) and similar communities to start a discussion around how we can mitigate the risks here while still allowing them to do what they're designed to do.

I've written (with some help from others) a background document to attempt an explanation of the core issues in an 'open letter' style; see:
  https://docs.google.com/document/d/131eTq1eAdjUWGXV8JtF6o842rOod2l7K4NajwDdf-l0/edit?usp=sharing

That links to two Internet-Drafts of interest:
  - https://tools.ietf.org/html/draft-bishop-httpbis-grease
  - https://mnot.github.io/I-D/http-grease/

We've also created a mailing list for discussion of these issues, to try to get more engagement from the WAF community. See:
  https://www.ietf.org/mailman/listinfo/http-grease

If you're interested in these issues, please subscribe to that list. If you know any WAF vendors or related folks, please forward this to them; we'd love to bring them into the discussion.

Thanks,

--
Mark Nottingham   https://www.mnot.net/