Ossification and HTTP - call for participation

Mark Nottingham <mnot@mnot.net> Tue, 07 July 2020 01:31 UTC

From: Mark Nottingham <mnot@mnot.net>
Date: Tue, 07 Jul 2020 11:27:28 +1000
Cc: http-grease@ietf.org
To: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Subject: Ossification and HTTP - call for participation
Archived-At: <https://www.w3.org/mid/02F32297-2211-40CD-828A-952148398DED@mnot.net>

Hi folks,

There's been a background discussion about HTTP and ossification going on for a little while, as some vendors have encountered situations where they can't easily deploy new extensions.

To work through this, we're trying to engage with the Web Application Firewall (WAF) and similar communities to start a discussion around how we can mitigate the risks here while still allowing them to do what they're designed to do.

I've written (with some help from others) a background document to attempt an explanation of the core issues in an 'open letter' style; see:
  https://docs.google.com/document/d/131eTq1eAdjUWGXV8JtF6o842rOod2l7K4NajwDdf-l0/edit?usp=sharing

That links to two Internet-Drafts of interest:
  - https://tools.ietf.org/html/draft-bishop-httpbis-grease
  - https://mnot.github.io/I-D/http-grease/

We've also created a mailing list for discussion of these issues, to try to get more engagement from the WAF community. See:
  https://www.ietf.org/mailman/listinfo/http-grease

If you're interested in these issues, please subscribe to that list. If you know any WAF vendors or related folks, please forward this to them; we'd love to bring them into the discussion.

Thanks,

--
Mark Nottingham   https://www.mnot.net/