Received: by ietfa.amsl.com (Postfix) id 87F14C14F698; Sun, 28 Jul 2024 06:35:56 -0700 (PDT) Delivered-To: ietfarch-httpbisa-archive-bis2juki@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 87345C14F5FB for ; Sun, 28 Jul 2024 06:35:56 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.856 X-Spam-Level: X-Spam-Status: No, score=-2.856 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=w3.org header.b="UoR4l941"; dkim=pass (2048-bit key) header.d=w3.org header.b="d+emYbnm"; dkim=pass (2048-bit key) header.d=gmail.com header.b="lP/BUxhv" Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 63hY1WCMYx7m for ; Sun, 28 Jul 2024 06:35:52 -0700 (PDT) Received: from mab.w3.org (mab.w3.org [IPv6:2600:1f18:7d7a:2700:d091:4b25:8566:8113]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 87954C14F5EF for ; Sun, 28 Jul 2024 06:35:52 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=w3.org; s=s1; h=Subject:Content-Type:Cc:To:Message-ID:Date:From:In-Reply-To: References:MIME-Version:Reply-To; bh=/Lo95XpM2KMG/FiB2IwHNnU20/MGouu7FoqFA7L2H7I=; b=UoR4l941gLufmNnhFVjOvGOq09 Md7fjeybcsxAal+9KQzGfjwjF54Ez3b7pfQU+yzPLRLxQnjyQkg3U3K78KBqrOQ+hC2AIuzRt0KSq 52R1xw/iVYJhZLLgAP6n8fvm2xbbSiQX3omYH2p2AnFqOCAQ1Wigqnf3MvD1TuHVwK2Gl6SZ3RI7K sDZKRtM1+4rD/VAm4WSPHBdE6RgfmbuZHeWbxRVmzAeaQU9SgsNR7VRmT6sMnFnOqnr69urodCeq7 11bngEUkf3K1M3km0X1WgMn1QGAPAuCPxcZYRC66BQ7XKkoTYl1QbtGwLODpL0b77Xhhb88D648sv eTb/TNQQ==; Received: from lists by mab.w3.org with local (Exim 4.96) (envelope-from ) id 1sY431-00D7BE-2L for ietf-http-wg-dist@listhub.w3.org; Sun, 28 Jul 2024 13:34:51 +0000 Resent-Date: Sun, 28 Jul 2024 13:34:51 +0000 Resent-Message-Id: Received: from ip-10-0-0-224.ec2.internal ([10.0.0.224] helo=puck.w3.org) by mab.w3.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1sY42z-00D7AE-0o for ietf-http-wg@listhub.w3.internal; Sun, 28 Jul 2024 13:34:49 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=w3.org; s=s1; h=Content-Type:Cc:To:Subject:Message-ID:Date:From:In-Reply-To: References:MIME-Version:Reply-To; bh=/Lo95XpM2KMG/FiB2IwHNnU20/MGouu7FoqFA7L2H7I=; t=1722173689; x=1723037689; b=d+emYbnmJbq5d8kST11XRiJkWUJtN9VZt3epIFT9oDrwLmXZ+F8rveNglYbPTbJbzGLOGH+Og8r i1/D06YRkw1qHCaFCn7Zw9vfULWCODE03AoHmbsdy1IyuG1U0Phk7QmXdE2yddGGMws4LHOLPXY6D OG8ERk+3H9hRM/pcOhlxfCETBZavcVn9xJWbHUqe1ein9HnnisNzxuQPjtm9PV+NhHOrmZ4X/y+I2 Ltx0ij5ZrILECws3JtB8mwprQFPZyC/JKsC3AC378+hHit3VWWbKIP3nDUjbyGz4+13kYeQczLjvT 91RYRRyjH0vBLYk85bUD7EDFzOUvlorGPC3A==; Received-SPF: pass (puck.w3.org: domain of gmail.com designates 2a00:1450:4864:20::633 as permitted sender) client-ip=2a00:1450:4864:20::633; envelope-from=patmeenan@gmail.com; helo=mail-ej1-x633.google.com; Received: from mail-ej1-x633.google.com ([2a00:1450:4864:20::633]) by puck.w3.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.96) (envelope-from ) id 1sY42y-005RDf-1f for ietf-http-wg@w3.org; Sun, 28 Jul 2024 13:34:49 +0000 Received: by mail-ej1-x633.google.com with SMTP id a640c23a62f3a-a728f74c23dso386321066b.1 for ; Sun, 28 Jul 2024 06:34:48 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1722173684; x=1722778484; darn=w3.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=/Lo95XpM2KMG/FiB2IwHNnU20/MGouu7FoqFA7L2H7I=; b=lP/BUxhvlIAG77WR6R6q1gVQqT1I6B6PBWFLAiWx0YzEw6sqK/K9gkZCp1XMqxeByz KwRVRrs4v+DLUxuTktnK018+1Iuz0W9p3dmPnuM09f7kd+nFwaPaNh2OnxqiMAcNCjuy f+unaBioRZQiC8RICKYELv7j+Noohs7x0m1958Lnw/8ar/fZwkdmsfivN+fOiaod//1i n/EJBK5UN+a/WT1Q1n8p9nN191z/RbsclMiJwrp+IKB8B/9cvCrjJvX1hZGUGNcJELxO wvjLb/o87826IdNQyB0ZVGzp+jkdSEZj5pq5pHGTxjwrXewPjQbjIZAYr+ywHtINHOXz 3Tkg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1722173684; x=1722778484; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=/Lo95XpM2KMG/FiB2IwHNnU20/MGouu7FoqFA7L2H7I=; b=Ac1EPTQgvmKkz421jVeobnE88U7/chc2EqDDPKykm+0AsTx3KEXzoslqzCfjXLKJkt Tf1PhJZxlYqq6gEg1dQ07Q3CXRuNpqbzzQ0IsGVYM/bGgvj2198OUntLZRuhLUopmmui d6C4bakaS0J/jh5U+pstb80mWUtLDluY2tWEd6tKd3I5nhlj4TeKtWdCuGazh/cvindt isT7nEtAnYfzhAyO19Ek16rqxlXlpk8JuIudc1m3J+1S3wiuNgHcfG1VV1ZWUq60ArOv eUCNLFUFCV553iMEmhWLuopUD5dczVZ8LMYUER8fVRiMZ01isirmySNO3Bf2dmGsIT4K KXwg== X-Forwarded-Encrypted: i=1; AJvYcCUC6+aTC9kq0BoiKFIxWk6LoR0nDq7oxm8J1DvKd2kCaylIqHHnK9AJBTjsIc2ACQdQT3HSFYKyqmtVLvXCt1xj/00r X-Gm-Message-State: AOJu0YyM2Vf1s/SFdRprP16XXpxBuL1rIJz8IplhG5y+gZRIg4f/v12A 9NB5SvU0o1VRg2CzWWGpXp+KrCHcvpirLNQX4JDY+Smii3ohGIqKpoJfnO84HBfxcYel7USoX9U P8gSHH8dl5/HwITluhTnNqYA+fBuj7YGp X-Google-Smtp-Source: AGHT+IElfYsc1TdKYQ2IG25xz75D0JeDCu4OfELAUU4NxKY8cHN+RRnBtIV67x8h/ZRw15IrjWzOGxq96fJfiXnOKcs= X-Received: by 2002:a17:907:3faa:b0:a7a:9f0f:ab2c with SMTP id a640c23a62f3a-a7d40087cdamr343078066b.29.1722173684062; Sun, 28 Jul 2024 06:34:44 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: Patrick Meenan Date: Sun, 28 Jul 2024 09:34:32 -0400 Message-ID: To: Josh Cohen Cc: Julian Reschke , ietf-http-wg@w3.org Content-Type: multipart/alternative; boundary="000000000000ae212e061e4ece97" X-W3C-Hub-DKIM-Status: validation passed: (address=patmeenan@gmail.com domain=gmail.com), signature is good X-W3C-Hub-Spam-Status: No, score=-8.1 X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, DMARC_PASS=-0.001, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, W3C_AA=-1, W3C_DB=-1, W3C_IRA=-1, W3C_IRR=-3, W3C_WL=-1 X-W3C-Scan-Sig: puck.w3.org 1sY42y-005RDf-1f e8aff554117966bfdc5f191d94195147 X-Original-To: ietf-http-wg@w3.org Subject: Re: Method Mania Archived-At: Resent-From: ietf-http-wg@w3.org X-Mailing-List: archive/latest/52162 X-Loop: ietf-http-wg@w3.org Resent-Sender: ietf-http-wg-request@w3.org Precedence: list List-Id: List-Help: List-Post: List-Unsubscribe: --000000000000ae212e061e4ece97 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Sorry, I didn't mean to imply not to go forward or to necessarily find a way to thread the needle but to explicitly plan for there to be middle-boxes that break and to be deliberate about how to handle that case, even for HTTPS. Failing loudly, in obvious and testable ways is WAY better than failing silently or in random ways. It makes it much easier for IT teams and software vendors to identify the root cause and test fixes. It can also be good to force failures broadly rather than pick just a subset of the population for it to work on (like requiring IPv6 features). There will be some middleboxes with issues but there will be a lot more that don't have issues and it would artificially limit the reach of the feature if you disable it for all middlebox cases. I expect that new frame types for HTTP/2 and HTTP/3 would be more compatible than new methods just because devices are already parsing the existing headers and streams for content and would be more likely to error out when seeing a method they don't understand (but, odds are, new frames will have some number of devices that fail as well). We have seen it more often than I care to admit, with the rollouts for HTTP/2, brotli, post-quantum TLS and now with compression dictionaries (which, you'd think the brotli rollout would have prepared devices for handling content-encoding negotiation in a compatible way, but nope). The devices tend to fail the connections in painful ways, like closing the whole connection when it sees payload content it doesn't like (wiping out a bunch of multiplexed requests on a HTTP/2 connection for example). Here is the site we're currently sending IT admins to when they get reports of TLS failures with the post-quantum rollout (mostly because of broken middleboxes): https://tldr.fail/ I'd encourage the team to continue without trying to get too fancy, just expect there will be some ecosystem cleanup needed when it is rolled out and to plan for it. On Sun, Jul 28, 2024 at 1:33=E2=80=AFAM Josh Cohen wrote= : > Same here.. Patrick also said: >> >> "The better question is under what circumstances do we want to allow >> those devices to "break" and force them to fix the implementations?" > > > Maybe a reasonable interpretation of Patrick's statement is that it's tim= e > to be *bold. *HTTP/1.1 RFC2616 was published in 1999. It's the 25 year > anniversary. =F0=9F=A5=B3 In the intervening years, the IETF has done a = great job > evolving the transport. That's created the foundation for things we > couldn't do back then. I don't think it was a coincidence that Lisa > Dusseault was in the room. The universe is speaking to us. Maybe it's > time for a WebDAV re-spin.. The web could also have standardized pub/sub= . > > If we add new functionality that users and devs want, and makes admin lif= e > easier, that could be helpful in driving better implementations, and upta= ke > of HTTP/2/3 and masque proxying. > > > > > > On Sat, Jul 27, 2024 at 10:07=E2=80=AFPM Julian Reschke > wrote: > >> On 27.07.2024 16:44, Patrick Meenan wrote: >> > >> > >> > On Sat, Jul 27, 2024 at 4:23=E2=80=AFAM Julian Reschke > > > wrote: >> > >> > On 26.07.2024 00:27, Josh Cohen wrote: >> > > On the httpwg agenda at IETF 120 were a proposal for a new QUER= Y >> > method >> > > and Braid, which has subscription functionality that overloads >> > the GET >> > > method. >> > > >> > > What I am curious about is if, at this point in the evolution o= f >> the >> > > web, it is now safe to add new methods for new functionality. >> > I've been >> > > reading up on HTTP/2/3 and it seems that nowadays, connections >> are >> > > end-to-end secure and are essentially tunneled through middle >> boxes, >> > > including HTTP/1.1 proxies. I'm still just wrapping my head >> around >> > > MASQUE, but it looks like it can handle arbitrary methods. >> Similarly >> > > origin servers have evolved to support arbitrary methods. >> > >> > It always has been "safe", when https was used. >> > >> > >> > https is not "safe" in practical terms because of middleboxes that >> > intercept the connections. It is very common in enterprise deployments >> > where they install local trust anchors on the client devices and use >> > mitm software to inspect the traffic. >> > ... >> >> I meant "safe" wrt deploying new HTTP methods. >> >> When was the last time you encountered a problem? >> >> Best regards, Julian >> >> >> >> >> > > -- > > --- > *Josh Co*hen > > --000000000000ae212e061e4ece97 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Sorry, I didn't mean to imply not to go forward or to = necessarily find a way to thread the needle but to explicitly plan for ther= e to be middle-boxes that break and to be deliberate about how to handle th= at case, even for HTTPS.

Failing loudly, in obvious and = testable ways is WAY better than failing silently or in random ways. It mak= es it much easier for IT teams and software vendors to identify the root ca= use and test fixes. It can also be good to force failures broadly rather th= an pick just a subset of the population for it to work on (like requiring I= Pv6 features). There will be some middleboxes with issues but there will be= a lot more that don't have issues and it would artificially limit the = reach of the feature if you disable it for all middlebox cases.
<= br>
I expect that new frame types for HTTP/2 and HTTP/3 would be = more compatible than new methods just because devices are already parsing t= he existing headers and streams for content and would be more likely to err= or out when seeing a method they don't understand (but, odds are, new f= rames will have some number of devices that fail as well).

We have seen it more often than I care to admit, with the rollouts= for HTTP/2, brotli, post-quantum TLS and now with compression dictionaries= (which, you'd think the brotli rollout would have prepared devices for= handling content-encoding negotiation in a compatible way, but nope).

The devices tend to fail the connections in painful wa= ys, like closing the whole connection when it sees payload content it doesn= 't like (wiping out a bunch of multiplexed requests on a HTTP/2 connect= ion for example).

Here is the site we're curre= ntly sending IT admins to when they get reports of TLS failures with the po= st-quantum rollout (mostly because of broken middleboxes):=C2=A0https://tldr.fail/

I'd= encourage the team to continue without trying to get too fancy, just expec= t there will be some ecosystem cleanup needed when it is rolled out and to = plan for it.

On Sun, Jul 28, 2024 at 1:33=E2=80=AFAM Josh Cohen <joshco@gmail.com> wrote:
=
Same her= e..=C2=A0 Patrick also said:
"The better question is under what circumstances do we want to allow those devic= es to "break" and force them to fix the implementations?"

Maybe a reasonable interpretation of Patr= ick's statement is that it's time to be=C2=A0bold.=C2=A0=C2=A0HTTP/1.1 RFC2616 was published in 1999.=C2=A0 It's the 25 year annive= rsary.=C2=A0=F0=9F=A5=B3 =C2=A0In the intervening years, the IETF has done = a great job evolving the transport.=C2=A0 That's created the foundation= for things we couldn't do back then.=C2=A0 =C2=A0I don't think it = was a coincidence that Lisa Dusseault was in the room.=C2=A0 The universe i= s speaking to us.=C2=A0 Maybe it's time for a WebDAV re-spin..=C2=A0 Th= e web could also have standardized pub/sub.=C2=A0=C2=A0

If we add new functionality that users and devs want, and makes admin= life easier, that could be helpful in driving better implementations, and = uptake of HTTP/2/3 and masque proxying.


=



On Sat, Jul 27, 2024 at 10:07= =E2=80=AFPM Julian Reschke <julian.reschke@gmx.de> wrote:
On 27.07.2024 16:44, Patrick Meenan wro= te:
>
>
> On Sat, Jul 27, 2024 at 4:23=E2=80=AFAM Julian Reschke <julian.reschke@gmx.de > <mailto:= julian.reschke@gmx.de>> wrote:
>
>=C2=A0 =C2=A0 =C2=A0On 26.07.2024 00:27, Josh Cohen wrote:
>=C2=A0 =C2=A0 =C2=A0 > On the httpwg agenda at IETF 120 were a propo= sal for a new QUERY
>=C2=A0 =C2=A0 =C2=A0method
>=C2=A0 =C2=A0 =C2=A0 > and Braid, which has subscription functionali= ty that overloads
>=C2=A0 =C2=A0 =C2=A0the GET
>=C2=A0 =C2=A0 =C2=A0 > method.
>=C2=A0 =C2=A0 =C2=A0 >
>=C2=A0 =C2=A0 =C2=A0 > What I am curious about is if, at this point = in the evolution of the
>=C2=A0 =C2=A0 =C2=A0 > web, it is now safe to add new methods for ne= w functionality.
>=C2=A0 =C2=A0 =C2=A0I've been
>=C2=A0 =C2=A0 =C2=A0 > reading up on HTTP/2/3 and it seems that nowa= days, connections are
>=C2=A0 =C2=A0 =C2=A0 > end-to-end secure and are essentially tunnele= d through middle boxes,
>=C2=A0 =C2=A0 =C2=A0 > including HTTP/1.1 proxies. I'm still jus= t wrapping my head around
>=C2=A0 =C2=A0 =C2=A0 > MASQUE, but it looks like it can handle arbit= rary methods.=C2=A0 Similarly
>=C2=A0 =C2=A0 =C2=A0 > origin servers have evolved to support arbitr= ary methods.
>
>=C2=A0 =C2=A0 =C2=A0It always has been "safe", when https was= used.
>
>
> https is not "safe" in practical terms because of middleboxe= s that
> intercept the connections. It is very common in enterprise deployments=
> where they install local trust anchors on the client devices and use > mitm software to inspect the traffic.
> ...

I meant "safe" wrt deploying new HTTP methods.

When was the last time you encountered a problem?

Best regards, Julian






--

---
<= b>Josh Cohen=C2=A0

--000000000000ae212e061e4ece97--