Roman Danyliw's No Objection on draft-ietf-httpbis-cache-16: (with COMMENT)
Roman Danyliw via Datatracker <noreply@ietf.org> Thu, 10 June 2021 12:41 UTC
Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1BB2A3A11C8 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 10 Jun 2021 05:41:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.648
X-Spam-Level:
X-Spam-Status: No, score=-2.648 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.249, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2mG4_gafKiHw for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 10 Jun 2021 05:41:38 -0700 (PDT)
Received: from lyra.w3.org (lyra.w3.org [128.30.52.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7899A3A11CA for <httpbisa-archive-bis2Juki@lists.ietf.org>; Thu, 10 Jun 2021 05:41:38 -0700 (PDT)
Received: from lists by lyra.w3.org with local (Exim 4.92) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1lrJtd-0005kw-2l for ietf-http-wg-dist@listhub.w3.org; Thu, 10 Jun 2021 12:35:00 +0000
Resent-Date: Thu, 10 Jun 2021 12:34:53 +0000
Resent-Message-Id: <E1lrJtd-0005kw-2l@lyra.w3.org>
Received: from mimas.w3.org ([128.30.52.79]) by lyra.w3.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <noreply@ietf.org>) id 1lrJqi-0005Eu-Fz for ietf-http-wg@listhub.w3.org; Thu, 10 Jun 2021 12:32:21 +0000
Received: from mail.ietf.org ([4.31.198.44]) by mimas.w3.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <noreply@ietf.org>) id 1lrJpe-0000ZK-Bb for ietf-http-wg@w3.org; Thu, 10 Jun 2021 12:31:34 +0000
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 3C5973A114C; Thu, 10 Jun 2021 05:30:35 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: Roman Danyliw via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-httpbis-cache@ietf.org, httpbis-chairs@ietf.org, ietf-http-wg@w3.org, mt@lowentropy.net, mt@lowentropy.net
X-Test-IDTracker: no
X-IETF-IDTracker: 7.31.0
Auto-Submitted: auto-generated
Reply-To: Roman Danyliw <rdd@cert.org>
Message-ID: <162332823475.15098.14942237085665451828@ietfa.amsl.com>
Date: Thu, 10 Jun 2021 05:30:35 -0700
Received-SPF: pass client-ip=4.31.198.44; envelope-from=noreply@ietf.org; helo=mail.ietf.org
X-W3C-Hub-Spam-Status: No, score=-6.2
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, W3C_AA=-1, W3C_WL=-1
X-W3C-Scan-Sig: mimas.w3.org 1lrJpe-0000ZK-Bb ba281bc759e4821ed8ab2562257d73c8
X-Original-To: ietf-http-wg@w3.org
Subject: Roman Danyliw's No Objection on draft-ietf-httpbis-cache-16: (with COMMENT)
Archived-At: <https://www.w3.org/mid/162332823475.15098.14942237085665451828@ietfa.amsl.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/38880
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
Roman Danyliw has entered the following ballot position for draft-ietf-httpbis-cache-16: No Objection When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-httpbis-cache/ ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- Thanks to Derek Atkins for the SECDIR review. ** Section 7. It would be worth mentioning that user-agents that have interactive human users such as browsers should provide a means to explicitly purge the contents local cache. ** Section 7. Per “Caches expose additional potential vulnerabilities, since the contents of the cache represent an attractive target for malicious exploitation”, do you mean “expose an additional attack surface” (rather than “potential vulnerability”)? ** Section 7.1. Per “Various attacks might be amplified by being stored in a cache”, this text is vague. Is there a specific amplification tied to given attack being suggested here, or is this meant to suggest that the presence of a malicious payload in a cache seeded by an attacker could reach multiple users? ** Section 7.2. Recommend being clearer on the threat rather than the attack vector (“timing attack”): OLD This is sometimes called "double keying." NEW This is sometimes called "double keying” and provides isolation between cross-origin content.
- Roman Danyliw's No Objection on draft-ietf-httpbi… Roman Danyliw via Datatracker