Re: I-D Action: draft-ietf-httpbis-http2-encryption-07.txt

Kari hurtta <hurtta-ietf@elmme-mailer.org> Sat, 08 October 2016 05:46 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 78F801294EE for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 7 Oct 2016 22:46:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.916
X-Spam-Level:
X-Spam-Status: No, score=-9.916 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-2.996, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, WEIRD_PORT=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id btXt3XMXjABY for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 7 Oct 2016 22:46:45 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2F6361294A6 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Fri, 7 Oct 2016 22:46:44 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.80) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1bskPA-0000Ie-3C for ietf-http-wg-dist@listhub.w3.org; Sat, 08 Oct 2016 05:42:40 +0000
Resent-Date: Sat, 08 Oct 2016 05:42:40 +0000
Resent-Message-Id: <E1bskPA-0000Ie-3C@frink.w3.org>
Received: from maggie.w3.org ([128.30.52.39]) by frink.w3.org with esmtps (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <khurtta@welho.com>) id 1bskP4-0000GP-Hm for ietf-http-wg@listhub.w3.org; Sat, 08 Oct 2016 05:42:34 +0000
Received: from welho-filter2.welho.com ([83.102.41.24]) by maggie.w3.org with esmtp (Exim 4.80) (envelope-from <khurtta@welho.com>) id 1bskOz-00036V-QZ for ietf-http-wg@w3.org; Sat, 08 Oct 2016 05:42:33 +0000
Received: from localhost (localhost [127.0.0.1]) by welho-filter2.welho.com (Postfix) with ESMTP id F0B5A133A6; Sat, 8 Oct 2016 08:42:01 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp1.welho.com ([IPv6:::ffff:83.102.41.84]) by localhost (welho-filter2.welho.com [::ffff:83.102.41.24]) (amavisd-new, port 10024) with ESMTP id EaYo2-HWLDvN; Sat, 8 Oct 2016 08:42:00 +0300 (EEST)
Received: from hurtta09lk.keh.iki.fi (89-27-35-245.bb.dnainternet.fi [89.27.35.245]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by welho-smtp1.welho.com (Postfix) with ESMTPS id 71DC0C4; Sat, 8 Oct 2016 08:42:00 +0300 (EEST)
In-Reply-To: <20161004160321.DFB4C111E5@welho-filter1.welho.com>
References: <20161004160321.DFB4C111E5@welho-filter1.welho.com>
To: HTTP working group mailing list <ietf-http-wg@w3.org>
Date: Sat, 8 Oct 2016 08:42:00 +0300 (EEST)
Sender: hurtta@hurtta09lk.keh.iki.fi
From: Kari hurtta <hurtta-ietf@elmme-mailer.org>
CC: Kari hurtta <hurtta-ietf@elmme-mailer.org>
X-Mailer: ELM [version ME+ 2.5 PLalpha42]
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="UTF-8"
Message-Id: <20161008054201.F0B5A133A6@welho-filter2.welho.com>
Received-SPF: none client-ip=83.102.41.24; envelope-from=khurtta@welho.com; helo=welho-filter2.welho.com
X-W3C-Hub-Spam-Status: No, score=-6.5
X-W3C-Hub-Spam-Report: AWL=0.043, BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-2.676, W3C_AA=-1, W3C_WL=-1, WEIRD_PORT=0.001
X-W3C-Scan-Sig: maggie.w3.org 1bskOz-00036V-QZ 817d9f24e7fef95961ccc3ce2281b6bf
X-Original-To: ietf-http-wg@w3.org
Subject: Re: I-D Action: draft-ietf-httpbis-http2-encryption-07.txt
Archived-At: <http://www.w3.org/mid/20161008054201.F0B5A133A6@welho-filter2.welho.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/32528
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

> 
> > There's also a htmlized version available at:
> > https://tools.ietf.org/html/draft-ietf-httpbis-http2-encryption-07
> 
> 2.  Using HTTP URIs over TLS
> https://tools.ietf.org/html/draft-ietf-httpbis-http2-encryption-07#section-2
> 
> |    An origin server that supports the resolution of "http" URIs can
> |    indicate support for this specification by providing an alternative
> |    service advertisement [RFC7838] for a protocol identifier that uses
> |    TLS, such as "h2" [RFC7540].
> 
> This allows also other than "h2" (for example "http/1.1", which
> is HTTP/1.1 over TLS).
> 
> 2.1.  Alternative Server Opt-In
> https://tools.ietf.org/html/draft-ietf-httpbis-http2-encryption-07#section-2.1
> 
> |    Clients MUST NOT send "http" requests over a connection with the "h2"
> |    protocol identifier, unless they have obtained a valid http-
> |    opportunistic response for an origin (as per Section 2.3), and:
> 
> But this part is specific to "h2".

Continuing.

|   Clients MUST NOT send "http" requests over a connection with the "h2"
|   protocol identifier, unless they have obtained a valid http-
|   opportunistic response for an origin (as per Section 2.3), and:

 ⇒

  When client send "http" requests over a TLS connection request
  request MUST include scheme. This means that when used with 
  protocol identifier "http/1.1" (TTP/1.1 over TLS), request uses 
  absoluteURI -form.

  Client SHOULD NOT use a http-opportunistic response if requesting
  of it invoked http-redirect.

  Clients MUST NOT send "http" requests over a TLS connection, unless
  they have obtained a valid http-opportunistic response for an origin 
  (as per Section 2.3), and:

(Also "SHOULD NOT" was suggested, I have no strong position for this.)

|   o  The chosen alternative service presents a certificate that is
|      valid for the origin, as per [RFC2818] (this also establishes
|      "reasonable assurances" for the purposes of {RFC7838}}), and

  ⇒ (no change)

|   o  The origin object of the http-opportunistic response has a `tls-
|      ports' member, whose value is an array of numbers, one of which
|      matches the port of the alternative service in question, and

  ⇒

   o  The origin object of the http-opportunistic response has a 
      "http-scheme-listeners" member, whose value is an array of 
      strings, one of which matches the name and port number of the 
      alternative service in question (on form "name:port"), and

( I suggested "mixed-scheme-listeners" -name first.
  https://lists.w3.org/Archives/Public/ietf-http-wg/2016OctDec/0056.html
)

|   o  The chosen alternative service returns the same representation as
|      the origin did for the http-opportunistic resource.

   ⇒ (no change)  

|   For example, this request/response pair would allow reqeusts for the
|   origin "http://www.example.com" to be sent to an alternative service
|   on port 443 or 8000 of the host "www.example.com":

   ⇒ 

   For example, this request/response pair would allow reqeusts for the
   origin "http://www.example.com" to be sent to an alternative service
   on port 443 of the host "www.example.com" or on port 8000 of the host 
   "www2.example.com":

|   GET /.well-known/http-opportunistic HTTP/1.1
|   Host: www.example.com
|
|   HTTP/1.1 200 OK
|   Content-Type: application/json
|   Connection: close
|
|   {
|     "http://www.example.com": {
|       "tls-ports": [443, 8000],
|       "lifetime": 2592000
|     }
|   }

   ⇒ 

   GET http://www.example.com/.well-known/http-opportunistic HTTP/1.1

   HTTP/1.1 200 OK
   Content-Type: application/json
   Connection: close

   {
     "http://www.example.com": {
       "http-scheme-listeners": [ "www.example.com:443", "www2.example.com:8000" ],
       "lifetime": 2592000
     }
   }


(Should "lifetime" also be dropped?)


2.3.  The "http-opportunistic" well-known URI
https://tools.ietf.org/html/draft-ietf-httpbis-http2-encryption-07#section-2.3

|   o  The origin object has a "lifetime" member, whose value is a number
|      indicating the number of seconds which the origin object is valid
|      for (hereafter, the "origin object lifetime"), and
|
|   o  The origin object lifetime is greater than the "current_age" (as
|      per [RFC7234], Section 4.2.3).
|
|   Note that origin object lifetime might differ from the freshness
|   lifetime of the response.

It is noted "lifetime" member is no longer needed because there is no commit.
Then this request some rewrite, but I not try it now.


This means that http-opportunistic response have members
"mixed-scheme" and "http-scheme-listeners" members on the 
the origin object.

/ Kari Hurtta