Re: [http-state] the "state" in http-state

Thomas Fossati <tho@koanlogic.com> Thu, 09 June 2011 22:33 UTC

From: Thomas Fossati <tho@koanlogic.com>
In-Reply-To: <03b101cc26cc$9635bdb0$c2a13910$@packetizer.com>
Date: Fri, 10 Jun 2011 00:33:28 +0200
Message-Id: <E0D78F01-497D-401D-B619-4C0CF6DB8F4A@koanlogic.com>
References: <18AD8547-9778-47DB-8D16-AEB9477F6640@koanlogic.com> <03b101cc26cc$9635bdb0$c2a13910$@packetizer.com>
To: "Paul E. Jones" <paulej@packetizer.com>
Cc: 'IETF HTTP State WG' <http-state@ietf.org>
Subject: Re: [http-state] the "state" in http-state

On Jun 9, 2011, at 7:42 PM, Paul E. Jones wrote:
> My personal opinion is that we need something that integrates well with HTTP
> *if* there is agreement that we need something that works outside of TLS.

Exactly.

> Question is, should we just say that TLS must be used and not use
> non-secure connections when state management is necessary?  I've seen TLS
> significantly degrade the performance of servers, though I just saw a
> posting this week suggesting TLS does not degrade server performance.

Basically, it depends on how it is used: certificate key sizing, ciphersuites, number of intermediate certs up to the root, OCSP response caching, etc. All of these can tell apart a nearly no-overhead TLS from a huge burden placed over the HTTP transaction.

I don't know if any such document already exists, but in this respect we could provide some guidelines for TLS trimming in order to provide reasonably good performance with HTTP.
It'd be a useful resource for both web application deployers and browser implementers.

> Are the reasons for integrating state management functionality in HTTP aside
> from TLS performance concerns?

Basically, some time ago my concern was the mere existence of a TLS stack fitting constrained/embedded contexts.
CyaSSL radically changed my perspective.

t.
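As an added illustration (not part of the thread, nor any WG document) of the "TLS trimming" knobs Thomas lists, here is an nginx server block that addresses each of them: key sizing, ciphersuites, chain length, and OCSP response caching, plus session resumption. Hostname, file paths, resolver address and cache sizes are placeholders.

```nginx
# Added example (not from the thread): nginx TLS settings addressing the
# overhead factors named above. Paths, hostname and resolver are assumptions.
server {
    listen 443 ssl;
    server_name example.invalid;            # placeholder hostname

    # Key sizing: an ECDSA P-256 leaf keeps handshake signing cheap; if RSA
    # is required, 2048 bits is the usual security/performance balance.
    ssl_certificate     /etc/ssl/example/fullchain.pem;  # leaf + ONE intermediate
    ssl_certificate_key /etc/ssl/example/leaf-ecdsa.key;

    # Chain length: send only the leaf and the intermediate the client needs;
    # do not include the root, which clients already hold in their trust store.

    # Ciphersuites: ECDHE for forward secrecy, AES-GCM / ChaCha20 for fast AEAD.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers on;
    ssl_ecdh_curve X25519:prime256v1;

    # OCSP response caching: staple the cached response into the handshake so
    # the client skips its own OCSP round trip; nginx refreshes it in the background.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/ssl/example/chain.pem;   # intermediate(s) + root
    resolver 192.0.2.53 valid=300s;                       # placeholder resolver

    # Session resumption: repeat visits skip the full handshake entirely.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;   # tickets need key rotation to keep forward secrecy
}
```

Check the result with `openssl s_client -connect host:443 -status`, which prints the negotiated cipher, the certificate chain actually sent, and whether a stapled OCSP response was received.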