Re: Method Mania
Patrick Meenan <patmeenan@gmail.com> Thu, 01 August 2024 01:41 UTC
Received: by ietfa.amsl.com (Postfix) id 6B183C15108A; Wed, 31 Jul 2024 18:41:53 -0700 (PDT)
Delivered-To: ietfarch-httpbisa-archive-bis2juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6A4E8C151082 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Wed, 31 Jul 2024 18:41:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.855
X-Spam-Level:
X-Spam-Status: No, score=-2.855 tagged_above=-999 required=5 tests=[AC_DIV_BONANZA=0.001, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=w3.org header.b="VWEtLvnk"; dkim=pass (2048-bit key) header.d=w3.org header.b="T4dPOrT4"; dkim=pass (2048-bit key) header.d=gmail.com header.b="ZTGKm6ld"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2ZhYaFU-OnGT for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Wed, 31 Jul 2024 18:41:49 -0700 (PDT)
Received: from mab.w3.org (mab.w3.org [IPv6:2600:1f18:7d7a:2700:d091:4b25:8566:8113]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 54DDCC14CE24 for <httpbisa-archive-bis2Juki@ietf.org>; Wed, 31 Jul 2024 18:41:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=w3.org; s=s1; h=Subject:Content-Type:Cc:To:Message-ID:Date:From:In-Reply-To: References:MIME-Version:Reply-To; bh=fAtEhHPG5hsW7MmzZs/0oDn+Py8FgY4CcIlXYfb/zuY=; b=VWEtLvnk3Vxu5n+5hhq0K6hmGc IiQYNpRQnHF3Acdeb6jWSBst/shwoPbKnGdYdUhXmYAsUlGiZxQQbBCDsYSLGECNUGuVH6ms7eqQV qux+9qDwxwjfnahDP1ub+Iztwd6ls2f5e8ZQeu97R8uYNEPcZ9vet4W9+nFRzVLrNIiN5WfOGEdsT k6nBft8CtHXm58ybEz2Dkg9j3OcvY2XV4aVhNZpMnXZMIH6RNPwoSUOUr3k7LNJbXXz/EDSqaoNlI gXp1r0W1hk8gn/3HBHcDb5qPpmPJayTstax3EwSLGvm3OmYc4NHnbSO57tEhmjbicwEtRAkyAjcJI LL/eUVow==;
Received: from lists by mab.w3.org with local (Exim 4.96) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1sZKoS-006rGd-0u for ietf-http-wg-dist@listhub.w3.org; Thu, 01 Aug 2024 01:41:04 +0000
Resent-Date: Thu, 01 Aug 2024 01:41:04 +0000
Resent-Message-Id: <E1sZKoS-006rGd-0u@mab.w3.org>
Received: from ip-10-0-0-224.ec2.internal ([10.0.0.224] helo=puck.w3.org) by mab.w3.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from <patmeenan@gmail.com>) id 1sZKoP-006rFb-2y for ietf-http-wg@listhub.w3.internal; Thu, 01 Aug 2024 01:41:01 +0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=w3.org; s=s1; h=Content-Type:Cc:To:Subject:Message-ID:Date:From:In-Reply-To: References:MIME-Version:Reply-To; bh=fAtEhHPG5hsW7MmzZs/0oDn+Py8FgY4CcIlXYfb/zuY=; t=1722476461; x=1723340461; b=T4dPOrT4fCO04QZW+liPq8+lU7bXALEhg+yXuIcnDeXc9MjezBs1sp8VLulx68MBjrcwFUxGcFT SFqYL4CuuQ6K9cCWs3uvAcQarVrGEGP+LrigSv7Pm6CP8hFYW/Zg6N5lCEPfnXe1B6MG/9OH3ppTN 1nKyitmz5pjzKbYvjgwtxVL0dxEVw45Rhp1rhvdC0aG4MDhu92pt7tBFr1aEW3YXkwwsgRUk5dtve lD8Qu6UUV+ZfUJFgwDpD8w9kX/3zg6M1CG25s/Z8JAjjlQ1VIYdPTussexZVGQwG7cSPocD+pay6h 2rhyGce/un/tP1JnF6CZCfcyYuL9kM7B0lfA==;
Received-SPF: pass (puck.w3.org: domain of gmail.com designates 2a00:1450:4864:20::533 as permitted sender) client-ip=2a00:1450:4864:20::533; envelope-from=patmeenan@gmail.com; helo=mail-ed1-x533.google.com;
Received: from mail-ed1-x533.google.com ([2a00:1450:4864:20::533]) by puck.w3.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.96) (envelope-from <patmeenan@gmail.com>) id 1sZKoP-006jrG-0D for ietf-http-wg@w3.org; Thu, 01 Aug 2024 01:41:01 +0000
Received: by mail-ed1-x533.google.com with SMTP id 4fb4d7f45d1cf-5a79df5af51so2910858a12.0 for <ietf-http-wg@w3.org>; Wed, 31 Jul 2024 18:41:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1722476457; x=1723081257; darn=w3.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=fAtEhHPG5hsW7MmzZs/0oDn+Py8FgY4CcIlXYfb/zuY=; b=ZTGKm6ld9MPonArtg6isDDgu9x4SOXJxC24P8QQv0XsIBChSNpIuH56RiUQbfZ5ht5 uaWil/tytqOAyPiWsfQtDtAAdPaCfCzNrPJgo+dM1Jms5vTqO7+WO9hd/7jjbhGcJRDx snVGqIsXdgLCrsw2kx8czgixAyIX4iMSchSFSb09P0sWz4AXOzL1jlzqaeeKeg3j9HZn xsQ1Z4TKiCJVElVWofv3jSUAVsKexC+REBjRv/u7dvqmtJWpQwGfjikpAPvUL6kFvTiQ 8ELLuP3Xi6LCoU8vBr7BBUm/shvlZJyzDYvbyZWnpt3qf6MGVGVxeZvteqia3akPINvm CQrQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1722476457; x=1723081257; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=fAtEhHPG5hsW7MmzZs/0oDn+Py8FgY4CcIlXYfb/zuY=; b=fgUQScyy8ES4gyJrU/smHlTmGZrBkKuGohAaoJUDqoG48gO8qG+aFvht/Tu1e2kbGg bYc9/ovFNOH5emN2lpBMMATwo7vhgk3exjYOVP6VD2B7EI1lVXeoFDq4WnH4kMjLyn8G aakIU2l5cSDrihMEIcBJRGa2si0dEi5dmi+pjRpiBysTyCT7rLXR4Kons1bdkoLQJzm8 4ekxeCl7GfosXw6BzNl7Gx36GQpQDxiIYx7tvw+G8tafSGTjNe4MZk09+7BnDpxVCsMW dPJCldJpLBUgh7cLhxkYnOFhynZWDLvbRJ0wfN1au8oCTj8zP5wvhq68alpL9b7JtIxL V1Qg==
X-Forwarded-Encrypted: i=1; AJvYcCW5GxtiwuZxLleGYAP/5S+GeksxZcxm8KgqvckQAHhb0nY3NX4T5a9epUgHj2659PfOHMtkCICq4poZ0YEpBXZGkNM2
X-Gm-Message-State: AOJu0YyCPGH9YA+a1e2D430UvUOu2RuGfSGKHowbXcf+6vSPGCmYeaD9 pPt0B+Sz4xT3+CKsQB4cLiZQxDCEeXBfJRRGiorKOk7//WdyjFZnnJunEWT//25A4GP6bIZvYA4 IHNrWgowGbOIDE/i6PRTlR3Dwt3EhvbhV
X-Google-Smtp-Source: AGHT+IEZRXBQ3odD+UVgrKS9rZBqEnumhnGE3EJ9awmIayWwRSw545ebcxO/BugxL1jtNj/ac3P4DmNWbz59XD/lSZw=
X-Received: by 2002:a17:907:7ba8:b0:a72:7b17:5d68 with SMTP id a640c23a62f3a-a7daec4fb14mr72624166b.3.1722476456627; Wed, 31 Jul 2024 18:40:56 -0700 (PDT)
MIME-Version: 1.0
References: <CAF3KT4QZzx+FXOUHZoy+gPqJjQ+4KdOC+_29vbUANNtZQS4c+A@mail.gmail.com> <ba56fad8-e121-4c06-9a2d-783ef82471e0@gmx.de> <CAJV+MGz8hUTqar51V9wV=WPnWETDK+ECjWCTXYS92xXM5HEF_w@mail.gmail.com> <cd25a358-1e8a-43b7-ba61-3d16ad28b1e4@gmx.de> <CAF3KT4Q=ezzA2aCHyPg=k583n6vP4gTGP+wxKz+sQezD=GnowQ@mail.gmail.com> <CAJV+MGxH4wPK__Z4mGfD3j-KaHpSVjQBFLyM1u+ZwfaSsZGMRQ@mail.gmail.com> <247701dae3b2$a1ea1f50$e5be5df0$@gmail.com>
In-Reply-To: <247701dae3b2$a1ea1f50$e5be5df0$@gmail.com>
From: Patrick Meenan <patmeenan@gmail.com>
Date: Wed, 31 Jul 2024 21:40:45 -0400
Message-ID: <CAJV+MGwZmeAhxK9ooOXJr_jdkqN-Mk_oLS8pWAsdTSCwToaAdg@mail.gmail.com>
To: joshco@gmail.com
Cc: Julian Reschke <julian.reschke@gmx.de>, ietf-http-wg@w3.org
Content-Type: multipart/alternative; boundary="00000000000054d4f0061e954d70"
X-W3C-Hub-DKIM-Status: validation passed: (address=patmeenan@gmail.com domain=gmail.com), signature is good
X-W3C-Hub-Spam-Status: No, score=-8.1
X-W3C-Hub-Spam-Report: AC_DIV_BONANZA=0.001, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, DMARC_PASS=-0.001, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, W3C_AA=-1, W3C_DB=-1, W3C_IRA=-1, W3C_IRR=-3, W3C_WL=-1
X-W3C-Scan-Sig: puck.w3.org 1sZKoP-006jrG-0D 7ffca42258115f64e6d186fd686b1d78
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Method Mania
Archived-At: <https://www.w3.org/mid/CAJV+MGwZmeAhxK9ooOXJr_jdkqN-Mk_oLS8pWAsdTSCwToaAdg@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/52171
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/email/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
Breakage up and down the stack from interception on-device (AV software) or MITM devices. I haven't rolled out new methods but, generally, the software makes assumptions and tends to break when those assumptions break. We've seen it with content-encodings a few times. We saw it when software was expecting headers and post body to all be sent in one socket write. The TLS example is similar to the write problem where the interceptor doesn't buffer the stream and expects the full client hello in a single read. In all cases it was mishandling of well-spec'd protocols but the interceptors took shortcuts and broke. On Wed, Jul 31, 2024 at 9:32 PM <joshco@gmail.com> wrote: > Patrick, > > When you say, “We have seen it more often than I care to admit…”, > > are you referring to failures due to HTTP methods, new frame types, or > something else? > > > > With respect to TLS failures, are those actual TLS related failures or are > they symptoms of the above problem? > > > > > > *From:* Patrick Meenan <patmeenan@gmail.com> > *Sent:* Sunday, July 28, 2024 9:35 AM > *To:* Josh Cohen <joshco@gmail.com> > *Cc:* Julian Reschke <julian.reschke@gmx.de>; ietf-http-wg@w3.org > *Subject:* Re: Method Mania > > > > Sorry, I didn't mean to imply not to go forward or to necessarily find a > way to thread the needle but to explicitly plan for there to be > middle-boxes that break and to be deliberate about how to handle that case, > even for HTTPS. > > > > Failing loudly, in obvious and testable ways is WAY better than failing > silently or in random ways. It makes it much easier for IT teams and > software vendors to identify the root cause and test fixes. It can also be > good to force failures broadly rather than pick just a subset of the > population for it to work on (like requiring IPv6 features). There will be > some middleboxes with issues but there will be a lot more that don't have > issues and it would artificially limit the reach of the feature if you > disable it for all middlebox cases. > > > > I expect that new frame types for HTTP/2 and HTTP/3 would be more > compatible than new methods just because devices are already parsing the > existing headers and streams for content and would be more likely to error > out when seeing a method they don't understand (but, odds are, new frames > will have some number of devices that fail as well). > > > > We have seen it more often than I care to admit, with the rollouts for > HTTP/2, brotli, post-quantum TLS and now with compression dictionaries > (which, you'd think the brotli rollout would have prepared devices for > handling content-encoding negotiation in a compatible way, but nope). > > > > The devices tend to fail the connections in painful ways, like closing the > whole connection when it sees payload content it doesn't like (wiping out a > bunch of multiplexed requests on a HTTP/2 connection for example). > > > > Here is the site we're currently sending IT admins to when they get > reports of TLS failures with the post-quantum rollout (mostly because of > broken middleboxes): https://tldr.fail/ > > > > I'd encourage the team to continue without trying to get too fancy, just > expect there will be some ecosystem cleanup needed when it is rolled out > and to plan for it. > > > > On Sun, Jul 28, 2024 at 1:33 AM Josh Cohen <joshco@gmail.com> wrote: > > Same here.. Patrick also said: > > "The better question is under what circumstances do we want to allow > those devices to "break" and force them to fix the implementations?" > > > > Maybe a reasonable interpretation of Patrick's statement is that it's time > to be *bold. *HTTP/1.1 RFC2616 was published in 1999. It's the 25 year > anniversary. 🥳 In the intervening years, the IETF has done a great job > evolving the transport. That's created the foundation for things we > couldn't do back then. I don't think it was a coincidence that Lisa > Dusseault was in the room. The universe is speaking to us. Maybe it's > time for a WebDAV re-spin.. The web could also have standardized pub/sub. > > > > If we add new functionality that users and devs want, and makes admin life > easier, that could be helpful in driving better implementations, and uptake > of HTTP/2/3 and masque proxying. > > > > > > > > > > > > On Sat, Jul 27, 2024 at 10:07 PM Julian Reschke <julian.reschke@gmx.de> > wrote: > > On 27.07.2024 16:44, Patrick Meenan wrote: > > > > > > On Sat, Jul 27, 2024 at 4:23 AM Julian Reschke <julian.reschke@gmx.de > > <mailto:julian.reschke@gmx.de>> wrote: > > > > On 26.07.2024 00:27, Josh Cohen wrote: > > > On the httpwg agenda at IETF 120 were a proposal for a new QUERY > > method > > > and Braid, which has subscription functionality that overloads > > the GET > > > method. > > > > > > What I am curious about is if, at this point in the evolution of > the > > > web, it is now safe to add new methods for new functionality. > > I've been > > > reading up on HTTP/2/3 and it seems that nowadays, connections are > > > end-to-end secure and are essentially tunneled through middle > boxes, > > > including HTTP/1.1 proxies. I'm still just wrapping my head around > > > MASQUE, but it looks like it can handle arbitrary methods. > Similarly > > > origin servers have evolved to support arbitrary methods. > > > > It always has been "safe", when https was used. > > > > > > https is not "safe" in practical terms because of middleboxes that > > intercept the connections. It is very common in enterprise deployments > > where they install local trust anchors on the client devices and use > > mitm software to inspect the traffic. > > ... > > I meant "safe" wrt deploying new HTTP methods. > > When was the last time you encountered a problem? > > Best regards, Julian > > > > > > > -- > > --- > *Josh Co*hen > >
- Method Mania Josh Cohen
- Re: Method Mania Julian Reschke
- Re: Method Mania Josh Cohen
- Re: Method Mania Soni L.
- Re: Method Mania Patrick Meenan
- Re: Method Mania Josh Cohen
- Re: Method Mania Soni L.
- Re: Method Mania Julian Reschke
- Re: Method Mania Josh Cohen
- Re: Method Mania Patrick Meenan
- Re: Method Mania Rahul Gupta
- Re: Method Mania Watson Ladd
- RE: Method Mania joshco
- Re: Method Mania Patrick Meenan
- Re: Method Mania Josh Cohen
- Re: Method Mania Julian Reschke
- Re: Method Mania Josh Cohen
- Re: Method Mania Josh Cohen
- Re: Method Mania Matthew Kerwin
- Re: Method Mania Josh Cohen
- Re: Method Mania Julian Reschke
- Re: Method Mania Josh Cohen
- Re: Method Mania Daniel Veditz