Received: by ietfa.amsl.com (Postfix) id DFAFDC14F6FD; Sat, 27 Jul 2024 07:45:50 -0700 (PDT) Delivered-To: ietfarch-httpbisa-archive-bis2juki@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DEDA9C14F68C for ; Sat, 27 Jul 2024 07:45:50 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -7.859 X-Spam-Level: X-Spam-Status: No, score=-7.859 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=w3.org header.b="X6KKPxYb"; dkim=pass (2048-bit key) header.d=w3.org header.b="Cfl+WU1G"; dkim=pass (2048-bit key) header.d=gmail.com header.b="g/0RVzHu" Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id c6BAn34uKh5T for ; Sat, 27 Jul 2024 07:45:50 -0700 (PDT) Received: from mab.w3.org (mab.w3.org [IPv6:2600:1f18:7d7a:2700:d091:4b25:8566:8113]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 43313C14F61E for ; Sat, 27 Jul 2024 07:45:50 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=w3.org; s=s1; h=Subject:Content-Type:Cc:To:Message-ID:Date:From:In-Reply-To: References:MIME-Version:Reply-To; bh=1N4plOBBksTWQfVvBO3p4SDDfFeVfhAprntCT2+taZ0=; b=X6KKPxYbCKKCgFz2aSINUrRj4C duHbLgHtvvAHdBii1dB2rNbQsaZAVgFBi90x9pfBSzgg1q0gu2WCoSdTp7zjKuwObh7huLtrvxBlz BOQBP77m9JexS5vfm7PDICk8iQP1TZ0iq1BznSJa8gEXpMrIZ4QuQVYgwKoFFxd5cC9693sqVnIgP FAgQukJ1vFC8AHDnYhnvFU/mXUBb2Gjb1gaLiEOVr6BorowPmL62Hyq7k7Rd2oSbZrmVTjqdlhHAs 8rwd8SticzJtuIv7PAtKYdtf3gacZy7XW4ev0H3UTcVPCWEAfC+TIin7dx2CvBpjyBYOS5Ud7vFqs eOF1qVIA==; Received: from lists by mab.w3.org with local (Exim 4.96) (envelope-from ) id 1sXifV-00BYTQ-1U for ietf-http-wg-dist@listhub.w3.org; Sat, 27 Jul 2024 14:45:09 +0000 Resent-Date: Sat, 27 Jul 2024 14:45:09 +0000 Resent-Message-Id: Received: from ip-10-0-0-144.ec2.internal ([10.0.0.144] helo=pan.w3.org) by mab.w3.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1sXifT-00BYSV-0o for ietf-http-wg@listhub.w3.internal; Sat, 27 Jul 2024 14:45:07 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=w3.org; s=s1; h=Content-Type:Cc:To:Subject:Message-ID:Date:From:In-Reply-To: References:MIME-Version:Reply-To; bh=1N4plOBBksTWQfVvBO3p4SDDfFeVfhAprntCT2+taZ0=; t=1722091507; x=1722955507; b=Cfl+WU1Gcc0SLhPVhdBjSEckLSdMKyXtJYiRGC7Fg4aauMm6Mh3OPh8DL/DgK68w/Km4iTuWt2s buQmEAsIhv4Eocjviy4ViioB78AQd5RrElliDqFJSkraKkZsXQbcP0NK+CakxisQVwqb7IEergTix 7uC+JlDxrbotj9LKZht9SKAN/WBc2bddUiL6UxOQ27mXr4+P2GsrbgZ3eVdCG0riviMMvlpWcry6p UfMXdOODc04bDG9IaWIw0yk3LN8n/0gXceJTjTef87I8Ub31VGsZFTQ6QDBK7C4yWgpIELPU/GR+g MdkYzY6ymrxjvoQby8awJWHXHgqC/ga/Bmfg==; Received-SPF: pass (pan.w3.org: domain of gmail.com designates 2a00:1450:4864:20::135 as permitted sender) client-ip=2a00:1450:4864:20::135; envelope-from=patmeenan@gmail.com; helo=mail-lf1-x135.google.com; Received: from mail-lf1-x135.google.com ([2a00:1450:4864:20::135]) by pan.w3.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.96) (envelope-from ) id 1sXifS-00DcAj-2L for ietf-http-wg@w3.org; Sat, 27 Jul 2024 14:45:07 +0000 Received: by mail-lf1-x135.google.com with SMTP id 2adb3069b0e04-52f04c1e58eso2804334e87.3 for ; Sat, 27 Jul 2024 07:45:06 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1722091502; x=1722696302; darn=w3.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=1N4plOBBksTWQfVvBO3p4SDDfFeVfhAprntCT2+taZ0=; b=g/0RVzHutLs1jlv3mv6jdKP7e/42+zJO6vHh840SLTwXbZrTPYOvixnOdFyghq7Sdl GkCn9C6AO0eAO9LS3xLV+mJl4H/1qmy2O9LSZ2I4lwnJnx2Y+D82FQcxQsRbuA46hvOR kHVT4svX3MpNn7QTQhNsIpQMbh1AYtDKSvXWChhYeIEJ1fGIIwrtBMvCt27LsBwiQxw1 0sUEMpKytxUOxMLCbYTQayRsKnTdWfu4bCal3qtsI3WX8E9f+YFUHTMx+ys7Zg6CcMWV 4IODio97Wqg3d2KEv0gnZ2bs/HoCzvuoNXQuST+Y5VPu7O0osBqjcnP0GDtiW/or1eBD hl6w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1722091502; x=1722696302; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=1N4plOBBksTWQfVvBO3p4SDDfFeVfhAprntCT2+taZ0=; b=HI36Qg/XanpOMxKEQvUos6IZjd8sDTXZqgRDmXQ9jghsmwCPDLvX4Q51/wq9CY4bZU yYg8ggpICw0ZnA503EghFW+Lq4AYy9oJIj/i9FEKPuqS31CFU+O2l9pC40Ljm/2CLyDv kqDzWxqiyrkKcECSWgAL/CD1+3JCR2X4ECVVBkMuFDMwQLnSbzqyb6ybD59TVTUMWEb2 GCAcYDmxcq4SeQ5Q34V17m/YiEXVUDQY0DvAAcLc4N0bxhn0IE8bgJN+UiOOyevRsUMD qLTGiHgJnZeB8l7xpMTvRhPKpALR/LLyC4cLIwtJXWFmxLiEregnko3HLw0r5MjytBf3 /xCw== X-Gm-Message-State: AOJu0Yzmj/UJaAs2QV4Ba1w22NR66219E6FJR4s6O48QcYxWotpCyypl cCzr2fbWDPg9vsnPgVsmrUJum8u/grSajzJHIuldxsOMxRio9Rzzj4KbyVqeee7VvoXD14S5mht WLu8AkvCxcjoUn1uiBvTzDQB3nLc= X-Google-Smtp-Source: AGHT+IGaG1BbtVJ10vMgFyh1ZwmOwsej+BUoT0VEmdc6SqRvfQwDGPEw89hIIJbcXImFGn18b60qsqAX1fUk+6RLAMc= X-Received: by 2002:a19:ae17:0:b0:52e:932d:88ab with SMTP id 2adb3069b0e04-5309b28071cmr2114682e87.23.1722091501996; Sat, 27 Jul 2024 07:45:01 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: Patrick Meenan Date: Sat, 27 Jul 2024 10:44:50 -0400 Message-ID: To: Julian Reschke Cc: ietf-http-wg@w3.org Content-Type: multipart/alternative; boundary="0000000000003f5650061e3bac5c" X-W3C-Hub-DKIM-Status: validation passed: (address=patmeenan@gmail.com domain=gmail.com), signature is good X-W3C-Hub-Spam-Status: No, score=-9.1 X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, DMARC_PASS=-0.001, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, W3C_AA=-1, W3C_DB=-1, W3C_IRA=-1, W3C_IRR=-3, W3C_WL=-1 X-W3C-Scan-Sig: pan.w3.org 1sXifS-00DcAj-2L 671b6cad364f559989f622c990e5f140 X-Original-To: ietf-http-wg@w3.org Subject: Re: Method Mania Archived-At: Resent-From: ietf-http-wg@w3.org X-Mailing-List: archive/latest/52156 X-Loop: ietf-http-wg@w3.org Resent-Sender: ietf-http-wg-request@w3.org Precedence: list List-Id: List-Help: List-Post: List-Unsubscribe: --0000000000003f5650061e3bac5c Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On Sat, Jul 27, 2024 at 4:23=E2=80=AFAM Julian Reschke wrote: > On 26.07.2024 00:27, Josh Cohen wrote: > > On the httpwg agenda at IETF 120 were a proposal for a new QUERY method > > and Braid, which has subscription functionality that overloads the GET > > method. > > > > What I am curious about is if, at this point in the evolution of the > > web, it is now safe to add new methods for new functionality. I've been > > reading up on HTTP/2/3 and it seems that nowadays, connections are > > end-to-end secure and are essentially tunneled through middle boxes, > > including HTTP/1.1 proxies. I'm still just wrapping my head around > > MASQUE, but it looks like it can handle arbitrary methods. Similarly > > origin servers have evolved to support arbitrary methods. > > It always has been "safe", when https was used. https is not "safe" in practical terms because of middleboxes that intercept the connections. It is very common in enterprise deployments where they install local trust anchors on the client devices and use mitm software to inspect the traffic. Even HTTP/2 is not necessarily "safe" as we are seeing with the deployment of compression dictionaries as there are enterprise mitm devices that inspect HTTP/2 traffic as well (and in our case, reset connections when they see a content-encoding they don't understand). The better question is under what circumstances do we want to allow those devices to "break" and force them to fix the implementations? HTTP/S (or just H/2/3 if you want to be less intrusive) could be considered reasonable because the proxies are under the control of the site (CDN) or environment where they are being run (enterprise) and there's not random gear spread elsewhere in the Internet that needs to be tracked down. The site-level is generally easy (don't use the new features on a given site if the serving path doesn't support it) but cleaning up the enterprise ecosystem can be a nightmare and a much bigger case of whack-a-mole. The alternative (that Chrome uses for HTTP/3) is to only use the new feature when the connection is TLS-anchored to a well-known trust root (no middleboxes on the client end) but that is allowing some portion of the Internet to continue to operate "broken" infrastructure. --0000000000003f5650061e3bac5c Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable


=
On Sat, Jul 27, 2024 at 4:23=E2=80=AF= AM Julian Reschke <julian.resch= ke@gmx.de> wrote:
On 26.07.2024 00:27, Josh Cohen wrote:
> On the httpwg agenda at IETF 120 were a proposal for a new QUERY metho= d
> and Braid, which has subscription functionality that overloads the GET=
> method.
>
> What I am curious about is if, at this point in the evolution of the > web, it is now safe to add new methods for new functionality. I've= been
> reading up on HTTP/2/3 and it seems that nowadays, connections are
> end-to-end secure and are essentially tunneled through middle boxes, > including HTTP/1.1 proxies. I'm still just wrapping my head around=
> MASQUE, but it looks like it can handle arbitrary methods.=C2=A0 Simil= arly
> origin servers have evolved to support arbitrary methods.

It always has been "safe", when https was used.
=
https is not "safe" in practical terms because of = middleboxes that intercept the connections. It is very common in enterprise= deployments where they install local trust anchors on the client devices a= nd use mitm software to inspect the traffic.

Even = HTTP/2 is not necessarily "safe" as we are seeing with the deploy= ment of compression dictionaries as there are enterprise mitm devices that = inspect HTTP/2 traffic as well (and in our case, reset connections when the= y see a content-encoding they don't understand).

The better question is under what circumstances do we want to allow thos= e devices to "break" and force them to fix the implementations? H= TTP/S (or just H/2/3 if you want to be less intrusive) could be considered = reasonable because the proxies are under the control of the site (CDN) or e= nvironment where they are being run (enterprise) and there's not random= gear spread elsewhere in the Internet that needs to be tracked down.=C2=A0= The site-level is generally easy (don't use the new features on a give= n site if the serving path doesn't support it) but cleaning up the ente= rprise ecosystem can be a nightmare and a much bigger case of whack-a-mole.=

The alternative (that Chrome uses for HTTP/3) is = to only use the new feature when the connection is TLS-anchored to a well-k= nown trust root (no middleboxes on the client end) but that is allowing som= e portion of the Internet to continue to operate "broken" infrast= ructure.
--0000000000003f5650061e3bac5c--