Re: Upgrade status for impl draft 1

Ted Hardie <ted.ietf@gmail.com> Wed, 27 February 2013 21:22 UTC

Date: Wed, 27 Feb 2013 13:20:44 -0800
Message-ID: <CA+9kkMDYyWcOpHH+ngG4pQNhGu50ZafeBhBofTZiobj4nvCz3A@mail.gmail.com>
From: Ted Hardie <ted.ietf@gmail.com>
To: Eliot Lear <lear@cisco.com>
Cc: "\"William Chan (陈智昌)\"" <willchan@chromium.org>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
Archived-At: <http://www.w3.org/mid/CA+9kkMDYyWcOpHH+ngG4pQNhGu50ZafeBhBofTZiobj4nvCz3A@mail.gmail.com>

On Tue, Feb 26, 2013 at 10:27 PM, Eliot Lear <lear@cisco.com> wrote:
>
> On 2/27/13 4:43 AM, William Chan (陈智昌) wrote:
>
>> QQ over here. Is this assuming only unencrypted HTTP/2? I believe Patrick
>> was hoping to bootstrap serving http:// URLs via HTTP/2 over SSL, using the
>> external discovery mechanism (DNS most likely). If so, I'm unclear on
>> whether or not we need to describe behavior WRT TLS-NPNesque negotiation.
>> Perhaps we should fork the thread for this...
>
> This *is* possible, but with a big caveat: DNS should offer alternatives
> that have the same security level –– UNLESS DNSSEC is in play. Otherwise
> there's a downgrade attack in the making.
>
> Eliot


Hi Eliot,

While I agree with you, the difficulty is that linking that sort of policy
statement (DNS alternatives presented should have equivalent security levels)
is not something that is easy to find an enforcement point for inside the DNS.
In some HTTP use cases you may well have no integrated DNS clients (e.g. mobile
apps), and in lots of them you will have no DNSSEC validation routines. So
doing it in the DNS client code may be equally problematic.

Can we express this instead as "clients should reject candidates found via
external discovery if the candidates are not protected by TLS"? That
eliminates the downgrade but makes the HTTP client the enforcement point
rather than the DNS. DNSSEC remains useful and a good addition, but it is no
longer critical path.

Just two cents,

Ted
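As an added example, not code from this thread or from any HTTP/2 implementation: the two candidate policies above written as client-side filters, showing why the DNSSEC-dependent one is hard to apply in an HTTP client. The protocol labels, hostnames and the Candidate type are constructed for illustration.

```python
"""Client-side filtering of HTTP/2 endpoints learned via external discovery."""
from dataclasses import dataclass
from typing import List, Optional

# Constructed protocol labels (the real identifiers were not settled when this
# thread was written); only the first implies a TLS-protected transport.
TLS_PROTOCOLS = {"h2-over-tls"}


@dataclass(frozen=True)
class Candidate:
    host: str
    port: int
    protocol: str
    external: bool = True  # learned via DNS rather than from the origin itself


def security_level(protocol: str) -> int:
    """1 for a TLS-protected transport, 0 for cleartext."""
    return 1 if protocol in TLS_PROTOCOLS else 0


def filter_same_level_policy(origin_protocol: str, candidates: List[Candidate],
                             dnssec_validated: Optional[bool]) -> List[Candidate]:
    """Eliot's rule moved into the client: an external candidate must match the
    origin's security level unless DNSSEC validated the answer. It needs a
    trustworthy dnssec_validated signal; a client without a validating resolver
    can only pass None, and then the rule cannot be applied at all."""
    if dnssec_validated is None:
        raise ValueError("DNSSEC status unknown; same-level rule cannot be applied")
    origin_level = security_level(origin_protocol)
    return [c for c in candidates
            if not c.external or dnssec_validated
            or security_level(c.protocol) >= origin_level]


def filter_tls_only_policy(candidates: List[Candidate]) -> List[Candidate]:
    """Ted's rule: drop any externally discovered candidate that is not
    TLS-protected. Needs no knowledge of DNSSEC, so any HTTP client can enforce it."""
    return [c for c in candidates
            if not c.external or security_level(c.protocol) == 1]


# Constructed discovery result: a TLS alternative plus a cleartext entry of the
# kind a forged DNS answer could inject to steer the client to an unprotected hop.
DISCOVERED = [
    Candidate("alt1.example.net", 443, "h2-over-tls"),
    Candidate("alt2.example.net", 80, "h2-cleartext"),
]

if __name__ == "__main__":
    print([c.host for c in filter_tls_only_policy(DISCOVERED)])
```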