Re: Benjamin Kaduk's Yes on draft-ietf-httpbis-http2-tls13-02: (with COMMENT)
David Benjamin <davidben@chromium.org> Thu, 17 October 2019 19:36 UTC
Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1])
by ietfa.amsl.com (Postfix) with ESMTP id 7B9D0120A2E
for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>;
Thu, 17 Oct 2019 12:36:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.75
X-Spam-Level:
X-Spam-Status: No, score=-2.75 tagged_above=-999 required=5
tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1,
DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001,
MAILING_LIST_MULTI=-1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001]
autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key)
header.d=chromium.org
Received: from mail.ietf.org ([4.31.198.44])
by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id Ui_Vz65-G8XU
for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>;
Thu, 17 Oct 2019 12:35:55 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org
[IPv6:2603:400a:ffff:804:801e:34:0:38])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by ietfa.amsl.com (Postfix) with ESMTPS id 2989312095D
for <httpbisa-archive-bis2Juki@lists.ietf.org>;
Thu, 17 Oct 2019 12:35:55 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.89)
(envelope-from <ietf-http-wg-request@listhub.w3.org>)
id 1iLBWg-0001Bd-Gk
for ietf-http-wg-dist@listhub.w3.org; Thu, 17 Oct 2019 19:33:34 +0000
Resent-Date: Thu, 17 Oct 2019 19:33:34 +0000
Resent-Message-Id: <E1iLBWg-0001Bd-Gk@frink.w3.org>
Received: from titan.w3.org ([2603:400a:ffff:804:801e:34:0:4c])
by frink.w3.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
(Exim 4.89) (envelope-from <davidben@google.com>) id 1iLBWe-0001An-Ot
for ietf-http-wg@listhub.w3.org; Thu, 17 Oct 2019 19:33:32 +0000
Received: from mail-pg1-x533.google.com ([2607:f8b0:4864:20::533])
by titan.w3.org with esmtps (TLS1.3:ECDHE_RSA_AES_128_GCM_SHA256:128)
(Exim 4.92) (envelope-from <davidben@google.com>) id 1iLBWc-0003yZ-VG
for ietf-http-wg@w3.org; Thu, 17 Oct 2019 19:33:32 +0000
Received: by mail-pg1-x533.google.com with SMTP id t3so1916859pga.8
for <ietf-http-wg@w3.org>; Thu, 17 Oct 2019 12:33:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google;
h=mime-version:references:in-reply-to:from:date:message-id:subject:to
:cc; bh=YjDp9Rku1eevz3zLbhFV+jXocCKSwdlgwLwvrbigG60=;
b=fWhD6+07JUVTsGzvlLiw6iXcyRasZL+ifKQcmMagX7eaRtyfBIVDEEz5l4oCYvkAgD
rIevrSy0lHNezMnR0xVWSAkqcH3zC/j9oqOw8iCY+C6bOw0NhG/KWK074xy1UsGSQMYz
cKSRwoIzqlevUE86f2Ty6nwN7SqjLXiNxt6xw=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20161025;
h=x-gm-message-state:mime-version:references:in-reply-to:from:date
:message-id:subject:to:cc;
bh=YjDp9Rku1eevz3zLbhFV+jXocCKSwdlgwLwvrbigG60=;
b=NzudE/upXsnbjV2mcLC6Zmn6QFJMtY80GFR8alDnLKOsLHOX74PcBLa87Hs8b/DRE8
g3NlkmZvELm5IgtqZYQXIlpulrez3mBtm6b0KyXG7oFx9BQPfYXU6+Yi/bk0U0szT9mU
N357vur/dx+rKzKm5pqgbWCan3Dme1LKcJAZ/lMBpFYRO7eVeEoDvIeBgE8R+QUFYblf
VyzUEWSMkIOEL3HWkRUIRY6Ty9tvjbo0rany1/r584VEYjrkFXD+vcih1qE+9WRsuJre
DF7lylVIfd74Fexv+xmCmE2pboI1uHK+B+ugONLkj8POGegAwD7/1hcEgBZ16IYB6FRS
AdBQ==
X-Gm-Message-State: APjAAAXAOB01v7jo/ZcHqWtgD+qYBS84mT4YeCuP/lkNn78C+7QUDtTp
+4Urwy8W4QcKVx6WPQswVxLITAFGSf01tcOYArvT
X-Google-Smtp-Source: APXvYqyjxRIDpD5I/8fcgXXCelI5A6e7oA7/00IA7wBQTOe5QqF0zBVK/t8TN6R4En5prIh3wW0DlxrvkwBK48eN2u4=
X-Received: by 2002:a17:90a:cf98:: with SMTP id
i24mr6101162pju.99.1571340808716;
Thu, 17 Oct 2019 12:33:28 -0700 (PDT)
MIME-Version: 1.0
References: <157126123457.7868.4033205003897585278.idtracker@ietfa.amsl.com>
In-Reply-To: <157126123457.7868.4033205003897585278.idtracker@ietfa.amsl.com>
From: David Benjamin <davidben@chromium.org>
Date: Thu, 17 Oct 2019 15:33:12 -0400
Message-ID: <CAF8qwaC-iyh3bhbU5__GGsQzwoYMuiXxhLoEMBCS6WicCzdCAQ@mail.gmail.com>
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: The IESG <iesg@ietf.org>, draft-ietf-httpbis-http2-tls13@ietf.org,
Mark Nottingham <mnot@mnot.net>, httpbis-chairs@ietf.org,
HTTP Working Group <ietf-http-wg@w3.org>
Content-Type: multipart/alternative; boundary="000000000000b9ff760595204a33"
Received-SPF: pass client-ip=2607:f8b0:4864:20::533;
envelope-from=davidben@google.com; helo=mail-pg1-x533.google.com
X-W3C-Hub-Spam-Status: No, score=-11.2
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1,
DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25,
HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001,
SPF_PASS=-0.001, USER_IN_DEF_SPF_WL=-7.5, W3C_AA=-1, W3C_WL=-1
X-W3C-Scan-Sig: titan.w3.org 1iLBWc-0003yZ-VG b297760305d4dbb9be65927fbeda59ed
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Benjamin Kaduk's Yes on draft-ietf-httpbis-http2-tls13-02: (with
COMMENT)
Archived-At: <https://www.w3.org/mid/CAF8qwaC-iyh3bhbU5__GGsQzwoYMuiXxhLoEMBCS6WicCzdCAQ@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/37062
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
On Wed, Oct 16, 2019 at 5:27 PM Benjamin Kaduk via Datatracker < noreply@ietf.org>; wrote: > Benjamin Kaduk has entered the following ballot position for > draft-ietf-httpbis-http2-tls13-02: Yes > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html > for more information about IESG DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-httpbis-http2-tls13/ > > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > Thanks for this; I just have some minor nit-level comments; no response > necessary. > > Abstract > > This document updates HTTP/2 to prohibit TLS 1.3 post-handshake > authentication, as an analog to existing TLS 1.2 renegotiation > restriction. > > nit: either "restrictions" or "the existing". > Done in https://github.com/httpwg/http-extensions/pull/955. (I'll merge to the repository and publish a -03 shortly.) > Section 1 > > TLS 1.3 [RFC8446] updates TLS 1.2 to remove renegotiation in favor of > separate post-handshake authentication and key update mechanisms. > The former shares the same problems with multiplexed protocols, but > the prohibition in HTTP/2 only applies to TLS 1.2 renegotiation. > > nit: I'd suggest referring to a specific RFC rather than "HTTP/2" -- > this document will in some sense become part of "HTTP/2" upon > publication :) > Done. > Section 3 > > HTTP/2 servers MUST NOT send post-handshake TLS 1.3 > CertificateRequest messages. HTTP/2 clients MUST treat TLS 1.3 post- > handshake authentication as a connection error (see Section 5.4.1 of > [RFC7540]) of type PROTOCOL_ERROR. > > nit: is it the authentication or the request thereof that is the > connection error? > Reworded to say the message is the authentication error. > Section 4 > > Unless the use of a new type of TLS message depends on an interaction > with the application layer protocol, that TLS message can be sent > after the handshake completes. > > I don't see anything better to say than this, but ... will > draft-ietf-tls-exported-authenticator be considered to "depend on an > interaction with the application layer protocol"? > (Also, nit: hyphenate "application-layer".) > (Hyphenation fixed.) draft-ietf-tls-exported-authenticator doesn't define a post-handshake TLS message, so it hopefully shouldn't apply?
- Re: Benjamin Kaduk's Yes on draft-ietf-httpbis-... David Benjamin