Ossification and HTTP - call for participation
Mark Nottingham <mnot@mnot.net> Tue, 07 July 2020 01:31 UTC
Date: Tue, 7 Jul 2020 11:27:28 +1000
Cc: http-grease@ietf.org
To: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Archived-At: <https://www.w3.org/mid/02F32297-2211-40CD-828A-952148398DED@mnot.net>

Hi folks,

There's been a background discussion about HTTP and ossification going on for a little while, as some vendors have encountered situations where they can't easily deploy new extensions.

To work through this, we're trying to engage with the Web Application Firewall (WAF) and similar communities to start a discussion around how we can mitigate the risks here while still allowing them to do what they're designed to do.

I've written (with some help from others) a background document to attempt an explanation of the core issues in an 'open letter' style; see:
  https://docs.google.com/document/d/131eTq1eAdjUWGXV8JtF6o842rOod2l7K4NajwDdf-l0/edit?usp=sharing

That links to two Internet-Drafts of interest:
- https://tools.ietf.org/html/draft-bishop-httpbis-grease
- https://mnot.github.io/I-D/http-grease/

We've also created a mailing list for discussion of these issues, to try to get more engagement from the WAF community. See:
  https://www.ietf.org/mailman/listinfo/http-grease

If you're interested in these issues, please subscribe to that list. If you know any WAF vendors or related folks, please forward this to them; we'd love to bring them into the discussion.

Thanks,

--
Mark Nottingham   https://www.mnot.net/