Re: SETTINGS_MIXED_SCHEME_PERMITTED | Re: I-D Action: draft-ietf-httpbis-http2-encryption-07.txt

Erik Nygren <erik@nygren.org> Thu, 06 October 2016 01:16 UTC


Can we just solve this with the ORIGIN frame?
In particular, define that clients must not request with http scheme
unless an ORIGIN frame has advertised it?
What gets presented in the ORIGIN frame looks remarkably close to what
Martin listed above as the bare-minimum version of the .wk resource that
we've effectively boiled things down to:

  [ "https://example.com", "http://other.example.com" ]

The primary down-side that I see is that this doesn't provide a way
to specify allowing both http and https but just not mixed over the same
connection.
(I guess we could have a flag on the ORIGIN frame for ALLOW_MIXED_SCHEME,
although this could be tricky if clients send before getting the frame.)

Pros of ORIGIN frame:
* Can be server-sends-first (unlike .wk)
* Might be possible to define that if hostname=origin and if both
https://hostname and http://hostname are sent as ORIGIN frames that both can
use the same connection even without AltSvc?  (This could potentially help
protect sites with mixed-scheme resources without needing to have anything
sent cleartext.)

Cons of ORIGIN frame:
* Requires server/protocol side changes beyond putting a file in place
(which may be just fine)

         Erik



On Wed, Oct 5, 2016 at 8:35 PM, Martin Thomson <martin.thomson@gmail.com>
wrote:

> I'll try, but it might be ELI15...
>
> On 6 October 2016 at 04:28, Mike Bishop <Michael.Bishop@microsoft.com>
> wrote:
> > Basically, we've simplified this greatly, and I like that.  But we've
> > simplified it so much that I'm no longer clear what problem we have left to
> > solve. Can someone ELI5?
>
> A client learns that a server has a "secure" alternative.  This
> implies that clients can send "not-secure" requests to a "secure"
> server.
>
> The client wants to know that this alternative understands what it
> means when it sends a "not-secure" request to that server.  This is
> because some "secure" servers can be confused by a "not-secure"
> request. They might think that it is "secure" and do the wrong thing.
>
> We need to find a way to ask the "secure" server if it is OK with
> getting "not-secure" requests.
>
>
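
An added example, not part of the original message or of any draft: a client-side check for the rule proposed above, that an http-scheme request is sent on a connection only if an ORIGIN frame advertised that origin. It assumes the ORIGIN payload layout later standardised in RFC 8336 (a 16-bit length followed by the ASCII origin, per entry); the function names and the sample payload are constructed for illustration.

```python
import struct
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def encode_origin_payload(origins):
    """Build a payload: 16-bit big-endian length + ASCII origin per entry."""
    return b"".join(struct.pack("!H", len(o)) + o.encode("ascii") for o in origins)

def normalise(origin):
    """Return (scheme, host, port) with default port filled in, else None."""
    try:
        parts = urlsplit(origin)
        port = parts.port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    return (scheme, parts.hostname.lower(), port or DEFAULT_PORTS[scheme])

def parse_origin_payload(payload):
    """Parse a payload into a set of origin tuples; raise if it is truncated."""
    origins, pos = set(), 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated Origin-Len")
        (length,) = struct.unpack_from("!H", payload, pos)
        pos += 2
        if pos + length > len(payload):
            raise ValueError("truncated ASCII-Origin")
        try:
            entry = normalise(payload[pos:pos + length].decode("ascii"))
        except UnicodeDecodeError:
            entry = None
        if entry:                      # unparseable entries are skipped
            origins.add(entry)
        pos += length
    return origins

def may_send_http(url, advertised):
    """Proposed rule: send an http request only if its origin was advertised."""
    target = normalise(url)
    return target is not None and target[0] == "http" and target in advertised

# Constructed sample: the two origins from the list quoted in the message.
SAMPLE = encode_origin_payload(["https://example.com", "http://other.example.com"])
ADVERTISED = parse_origin_payload(SAMPLE)
```

With this sample, a request for http://example.com/ is refused because only the https origin for that host was advertised, and an empty origin set refuses every http request.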