IETF Logo Mail Archive

RE: SNI Extension for Alt-Svc

Lucas Pardue <Lucas.Pardue@bbc.co.uk> Fri, 01 December 2017 18:27 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 90A22124BFA for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 1 Dec 2017 10:27:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.889
X-Spam-Level:
X-Spam-Status: No, score=-6.889 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G7TFGuhxuz2q for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 1 Dec 2017 10:27:20 -0800 (PST)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CF0FE1286AB for <httpbisa-archive-bis2Juki@lists.ietf.org>; Fri, 1 Dec 2017 10:27:19 -0800 (PST)
Received: from lists by frink.w3.org with local (Exim 4.89) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1eKpus-0000q1-Tx for ietf-http-wg-dist@listhub.w3.org; Fri, 01 Dec 2017 18:20:02 +0000
Resent-Date: Fri, 01 Dec 2017 18:20:02 +0000
Resent-Message-Id: <E1eKpus-0000q1-Tx@frink.w3.org>
Received: from titan.w3.org ([128.30.52.76]) by frink.w3.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.89) (envelope-from <Lucas.Pardue@bbc.co.uk>) id 1eKpud-0008Nj-Rc for ietf-http-wg@listhub.w3.org; Fri, 01 Dec 2017 18:19:47 +0000
Received: from mailout1.cwwtf.bbc.co.uk ([132.185.160.180]) by titan.w3.org with esmtps (TLS1.2:DHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.89) (envelope-from <Lucas.Pardue@bbc.co.uk>) id 1eKpub-0003eW-O9 for ietf-http-wg@w3.org; Fri, 01 Dec 2017 18:19:47 +0000
Received: from BGB01XI1001.national.core.bbc.co.uk ([10.184.50.51]) by mailout1.cwwtf.bbc.co.uk (8.15.2/8.15.2) with ESMTP id vB1IJFEH010601; Fri, 1 Dec 2017 18:19:15 GMT
Received: from BGB01XI1015.national.core.bbc.co.uk (10.161.14.78) by BGB01XI1001.national.core.bbc.co.uk (10.184.50.51) with Microsoft SMTP Server (TLS) id 14.3.361.1; Fri, 1 Dec 2017 18:19:15 +0000
Received: from BGB01XUD1012.national.core.bbc.co.uk ([10.161.14.10]) by BGB01XI1015.national.core.bbc.co.uk ([10.161.14.78]) with mapi id 14.03.0361.001; Fri, 1 Dec 2017 18:19:15 +0000
From: Lucas Pardue <Lucas.Pardue@bbc.co.uk>
To: Mike Bishop <mbishop@evequefou.be>
CC: Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>, Patrick McManus <mcmanus@ducksong.com>
Thread-Topic: SNI Extension for Alt-Svc
Thread-Index: AdNqA3gwKumJHfvEQQWiuzGoNk95hwAmMw2gAAxYAQAAALwbQA==
Date: Fri, 01 Dec 2017 18:19:14 +0000
Message-ID: <7CF7F94CB496BF4FAB1676F375F9666A3BAA0867@bgb01xud1012>
References: <MWHPR08MB243210349ABEB2B0E48123E0DA380@MWHPR08MB2432.namprd08.prod.outlook.com> <7CF7F94CB496BF4FAB1676F375F9666A3BAA07FE@bgb01xud1012> <MWHPR08MB24323BD99104FB0EA7F0B75ADA390@MWHPR08MB2432.namprd08.prod.outlook.com>
In-Reply-To: <MWHPR08MB24323BD99104FB0EA7F0B75ADA390@MWHPR08MB2432.namprd08.prod.outlook.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [172.19.161.213]
X-TM-AS-Product-Ver: SMEX-11.0.0.4255-8.100.1062-23504.001
X-TM-AS-Result: No--26.879800-0.000000-31
X-TM-AS-User-Approved-Sender: Yes
X-TM-AS-User-Blocked-Sender: No
Content-Type: multipart/alternative; boundary="_000_7CF7F94CB496BF4FAB1676F375F9666A3BAA0867bgb01xud1012_"
MIME-Version: 1.0
X-EXCLAIMER-MD-CONFIG: c91d45b2-6e10-4209-9543-d9970fac71b7
X-EXCLAIMER-MD-CONFIG: 1cd3ac1c-62e5-43f2-8404-6b688271c769
Received-SPF: pass client-ip=132.185.160.180; envelope-from=Lucas.Pardue@bbc.co.uk; helo=mailout1.cwwtf.bbc.co.uk
X-W3C-Hub-Spam-Status: No, score=-3.4
X-W3C-Hub-Spam-Report: AWL=0.284, BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_RP_MATCHES_RCVD=-0.01, W3C_NW=0.5
X-W3C-Scan-Sig: titan.w3.org 1eKpub-0003eW-O9 39a34161ae735ae57e8587183a9d4ddd
X-Original-To: ietf-http-wg@w3.org
Subject: RE: SNI Extension for Alt-Svc
Archived-At: <https://www.w3.org/mid/7CF7F94CB496BF4FAB1676F375F9666A3BAA0867@bgb01xud1012>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/34907
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

The two pieces are inter-related.  The parameter recommends using a different SNI, which therefore isn’t guaranteed to get you the certificate you actually need to verify.  As Ilari pointed out, it might still be the right certificate – but if it’s not, you need a channel to retrieve the correct one post-handshake.

Right. Is that possible with HTTP/1.1? I.e. through renegotiation or something?

Lucas

From: Lucas Pardue [mailto:Lucas.Pardue@bbc.co.uk]
Sent: Friday, December 1, 2017 6:28 AM
To: Mike Bishop <mbishop@evequefou.be<mailto:mbishop@evequefou.be>>
Cc: Mark Nottingham <mnot@mnot.net<mailto:mnot@mnot.net>>; HTTP Working Group <ietf-http-wg@w3.org<mailto:ietf-http-wg@w3.org>>; Patrick McManus <mcmanus@ducksong.com<mailto:mcmanus@ducksong.com>>
Subject: RE: SNI Extension for Alt-Svc

Apologies for dropping you in it ;)

I do see where you’re coming from about frames. I’m not sure I 100% agree for the reasons outlined below. Perhaps a notational convention qualifying what Frame means would be enough (the one in RFC7540 is almost generic). I think there is some subtlety with frames that operate in a context of request/response, and those that operate in the context of connection.  The latter were defined in HTTP/2 as a replacement for Connection-specific header fields.

The way I read SNI Alt-Svc handling is two parts. Part 1 says a client should include SNI in the TLS handshake, part 2 seems to rely the Secondary Certificate Authentication in HTTP/2 I-D;  a Client SHOULD send a CERTIFICATE_REQUEST, and settings should be valid. Should a client that processes the sni parameter support both parts, or may it do either individually?

I’d argue that part 2 is currently restricted to a HTTP mapping that is capable of carrying Connection-level frames and settings. Alt-Svc adverts for “http/1.1” probably couldn’t do part 2. “quic” and “hq” could not support part 2 until someone defines an equivalent frame and setting in that mapping.

Lucas

From: Mike Bishop [mailto:mbishop@evequefou.be]
Sent: 30 November 2017 17:57
To: Lucas Pardue <Lucas.Pardue@bbc.co.uk<mailto:Lucas.Pardue@bbc.co.uk>>
Cc: Mark Nottingham <mnot@mnot.net<mailto:mnot@mnot.net>>; HTTP Working Group <ietf-http-wg@w3.org<mailto:ietf-http-wg@w3.org>>; Patrick McManus <mcmanus@ducksong.com<mailto:mcmanus@ducksong.com>>
Subject: SNI Extension for Alt-Svc


I was already planning to spin up a thread on that draft today, so thanks for deciding what I'm doing next today!  😉  Forking a separate thread.



WG, https://tools.ietf.org/html/draft-bishop-httpbis-sni-altsvc-00 proposes a new parameter for Alt-Svc suggesting that a client use a different (presumably generic) hostname in the TLS SNI extension, and instead gain Alt-Svc "reasonable assurances" by requesting the origin's certificate via Secondary Certificates (which is currently under Call for Adoption).  It gives a solution, albeit HTTP-specific, to SNI privacy by providing a discoverability path for which generic hostname can be used to reach a more sensitive origin under encryption.



As to the frame reference, I intentionally didn't reference which protocol, in part because Alt-Svc itself says it can be carried by various mechanisms and the definition of an Alt-Svc extension doesn't need to get into that layer.  The Alt-Svc frame for HTTP/QUIC is specified by https://tools.ietf.org/html/draft-bishop-httpbis-altsvc-quic-00.  While frames are present in both HTTP/2 and HTTP/QUIC, I don't think that makes frames a generic HTTP concept -- it's a property of certain mappings, and specified individually in each of them.



-----Original Message-----
From: Lucas Pardue [mailto:Lucas.Pardue@bbc.co.uk]
Sent: Thursday, November 30, 2017 2:13 AM
To: Mike Bishop <mbishop@evequefou.be<mailto:mbishop@evequefou.be>>; ilariliusvaara@welho.com<mailto:ilariliusvaara@welho.com>
Cc: Mark Nottingham <mnot@mnot.net<mailto:mnot@mnot.net>>; HTTP Working Group <ietf-http-wg@w3.org<mailto:ietf-http-wg@w3.org>>; Patrick McManus <mcmanus@ducksong.com<mailto:mcmanus@ducksong.com>>
Subject: RE: DRAFT: more details for HTTPtre



Hi Mike,



The connection coalescing case is interesting as it's not currently described in HTTP/QUIC. Presumably by oversight or time constraint rather than intent. (We've got a ticket open tracking that one.)



Changing track, I've just seen your SNI I-D

https://tools.ietf.org/html/draft-bishop-httpbis-sni-altsvc-00



References to Frames don't state a specific mapping (HTTP/2 or HTTP/QUIC). Reading between the lines this seems intentional, which got me thinking that also Frames could be described as a new HTTP semantic for binary-capable wire formats.



Lucas



----------------------------

http://www.bbc.co.uk
This e-mail (and any attachments) is confidential and may contain personal views which are not the views of the BBC unless specifically stated.
If you have received it in error, please delete it from your system.
Do not use, copy or disclose the information in any way nor act in reliance on it and notify the sender immediately.
Please note that the BBC monitors e-mails sent or received.
Further communication will signify your consent to this.

---------------------

v2.23.0 | Report a Bug | By Email