Received: by ietfa.amsl.com (Postfix) id 2B589C14F6BB; Sat, 27 Jul 2024 16:17:50 -0700 (PDT) Delivered-To: ietfarch-httpbisa-archive-bis2juki@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2A9AFC14F6AA for ; Sat, 27 Jul 2024 16:17:50 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -7.86 X-Spam-Level: X-Spam-Status: No, score=-7.86 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=w3.org header.b="UZ7lrvGD"; dkim=pass (2048-bit key) header.d=w3.org header.b="YA0Wf2EA"; dkim=pass (2048-bit key) header.d=gmail.com header.b="IK8PwCLf" Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TD1Rr8s7TS39 for ; Sat, 27 Jul 2024 16:17:49 -0700 (PDT) Received: from mab.w3.org (mab.w3.org [IPv6:2600:1f18:7d7a:2700:d091:4b25:8566:8113]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 64FB6C14F600 for ; Sat, 27 Jul 2024 16:17:49 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=w3.org; s=s1; h=Subject:In-Reply-To:From:References:Cc:To:MIME-Version:Date: Message-ID:Content-Type:Reply-To; bh=pybq0v/y+mm4GBko1DpNdVd5FTnVwASiF6exXqF6HM0=; b=UZ7lrvGDY6fGcyO6o+ieOPBDq+ z8iPrPhC33oi9Gfnu7+Y6NLaSzKUvi4Ez2qai1ALDCVjKmDlAaPtKlsQHtI8KOg9WOt84zu9hqvTD 2OoekeO7u3w/AgL7myLPR7vQIA3lcsLOZJaQnld+WlKxj7bEvavskQNmyD3MDryjl6ay05/lIKE5L LciEKwMafNgDrg+jpy/XALhgKKmWZDRSaJBxWKqIQcpOf+FdKZJo3o+ekv8HfN0159vZKAmpkFIZb /yNhwayoVyg5YIZIQPwcxeKqM1J90bFUElAb95d/tBiRId5Gh7yrkIe+G1Y85YGwe3aNlnNvbO4cj QP644KAw==; Received: from lists by mab.w3.org with local (Exim 4.96) (envelope-from ) id 1sXqeg-00C9xI-2v for ietf-http-wg-dist@listhub.w3.org; Sat, 27 Jul 2024 23:16:50 +0000 Resent-Date: Sat, 27 Jul 2024 23:16:50 +0000 Resent-Message-Id: Received: from ip-10-0-0-144.ec2.internal ([10.0.0.144] helo=pan.w3.org) by mab.w3.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1sXqee-00C9wL-0M for ietf-http-wg@listhub.w3.internal; Sat, 27 Jul 2024 23:16:48 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=w3.org; s=s1; h=In-Reply-To:From:References:Cc:To:Subject:MIME-Version:Date: Message-ID:Content-Type:Reply-To; bh=pybq0v/y+mm4GBko1DpNdVd5FTnVwASiF6exXqF6HM0=; t=1722122208; x=1722986208; b=YA0Wf2EAnB1O8OC5oR4qq0li9bvKm/9bQl6TbB+H6Qbd+iY4YUea6ULLl7/A3gy+Pz+FMF1462M unKfprT9Q+xzZ/rQqZtZSKioLB1pa0/dTDTZTewpPzxyuWR/EFJXlx825UvyrZE2MMpucG9PhkH3P +mCaz3oN9/gOemolFDWFeT8bmHsyt/Roxa4JfJG4UTPm6fXMkybRhipjJkuMTag0ZOXoR/AgEgoE2 p0htSKIhDpfm5jDNegTH5BIgdJ6Ob5gCqX8SMqXrYPgjJzAPqMZV8JDW54dotzcBXlkg8g56HvfEF jdhXAirvDSc86AOdOfEeyS/D6Mz/R6PYs2TQ==; Received-SPF: pass (pan.w3.org: domain of gmail.com designates 2a00:1450:4864:20::132 as permitted sender) client-ip=2a00:1450:4864:20::132; envelope-from=fakedme+http@gmail.com; helo=mail-lf1-x132.google.com; Received: from mail-lf1-x132.google.com ([2a00:1450:4864:20::132]) by pan.w3.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.96) (envelope-from ) id 1sXqed-00DjXo-1a for ietf-http-wg@w3.org; Sat, 27 Jul 2024 23:16:48 +0000 Received: by mail-lf1-x132.google.com with SMTP id 2adb3069b0e04-52ea2b6a9f5so2553654e87.0 for ; Sat, 27 Jul 2024 16:16:47 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1722122203; x=1722727003; darn=w3.org; h=in-reply-to:from:content-language:references:cc:to:subject :user-agent:mime-version:date:message-id:sender:from:to:cc:subject :date:message-id:reply-to; bh=pybq0v/y+mm4GBko1DpNdVd5FTnVwASiF6exXqF6HM0=; b=IK8PwCLfcKB6m14sJCg9d+tUrqvkpGIkGmDHpsQLOmbOMWjTzXJ/sIl1s00c80h8Xw DtglZGYm1fR9JiarEVrIt14J1bPejR00znVeFA3e9OUl0fbVDuAz3onqkFD0U2YXNVQD /c2uEYJ1D0cmCUBmgpmEzanKZY5f6x4VaY4ju+Xi+Xp316km5zoJBzghhFqrDdi5wh5s ihe3HGzGshNviL5veVJdYnEOp5LmcGjuwYKb+k9+OcD9G82UEXAxInRmytZVvI9LxuLt /sTWveWvIk0R8PBO6csP9KE2YtXVNDKTY5dcHlcJ+5ElV8cRHKH/cFL5uzXGymjvkqPK l67w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1722122203; x=1722727003; h=in-reply-to:from:content-language:references:cc:to:subject :user-agent:mime-version:date:message-id:sender:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=pybq0v/y+mm4GBko1DpNdVd5FTnVwASiF6exXqF6HM0=; b=UPoCQfLvaW5W/zpc3gXlPXV1ngOisvPmLf7MXU3hTk8pjgs1lKXNd9/mBrRJBDpp+n tWOePHazWmvH29bmcnqnofYZpbztsLAJgIQJHSp02BQm+5B0Qh8yhx+O5kYSEjz/nJ1n pV3pcaFwMm2tI2sSaDLwo4ITfQaYYBakglA5kB+/x1ZaZrfLyMYf9YmAdaIebMwL1Sr2 FLJ7xqrAmuAPUfM9Neu26JkyZW7dbkEPV/yNXQ4dcEXZEcVlZMdamJ/C7P7PBR9FTEKA TuFDzt2808cHpZ1I3wSwhOR/526iwEDpuX2X8QpPm+aBy0IXwHlQKEcP1Svy1A6s+J9o CMTw== X-Gm-Message-State: AOJu0YyaH+3OmXilRSNdk4CTnIIMGZV46E1dncuu9pfDwF0Vmc5pX9Km WrIw4UjSsOoMb1X9L9/5LXuKyMYx+J65lmUJ4c4TVzmatPzm/ICX X-Google-Smtp-Source: AGHT+IG6JXrbgBHZdsJBXf1hrrrX+9VEwWGLEXArink5v2SG2bKY5Q8W2f6VhVl6y8uso1gPJs1xjA== X-Received: by 2002:ac2:5a09:0:b0:52c:e054:4149 with SMTP id 2adb3069b0e04-5309b26b678mr2240175e87.15.1722122202710; Sat, 27 Jul 2024 16:16:42 -0700 (PDT) Received: from ?IPV6:2804:431:cfcd:a11c::536f:6e69? ([2804:431:cfcd:a11c::536f:6e69]) by smtp.googlemail.com with ESMTPSA id 2adb3069b0e04-52fd5bc3ea3sm882940e87.26.2024.07.27.16.16.40 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sat, 27 Jul 2024 16:16:42 -0700 (PDT) Sender: "Soni L." Content-Type: multipart/alternative; boundary="------------cczuuCzGy6nRS6ntSeGS6Kwz" Message-ID: <2c1bfd64-ff88-4f74-a172-3b4e7f039740@gmail.com> Date: Sat, 27 Jul 2024 20:16:37 -0300 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird To: Josh Cohen Cc: ietf-http-wg@w3.org References: Content-Language: en-US From: "Soni L." In-Reply-To: X-W3C-Hub-DKIM-Status: validation passed: (address=fakedme+http@gmail.com domain=gmail.com), signature is good X-W3C-Hub-Spam-Status: No, score=-3.1 X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, DMARC_PASS=-0.001, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, W3C_AA=-1, W3C_WL=-1 X-W3C-Scan-Sig: pan.w3.org 1sXqed-00DjXo-1a 48aeccf06a9c8806705ee3dce15da4f2 X-Original-To: ietf-http-wg@w3.org Subject: Re: Method Mania Archived-At: Resent-From: ietf-http-wg@w3.org X-Mailing-List: archive/latest/52159 X-Loop: ietf-http-wg@w3.org Resent-Sender: ietf-http-wg-request@w3.org Precedence: list List-Id: List-Help: List-Post: List-Unsubscribe: This is a multi-part message in MIME format. --------------cczuuCzGy6nRS6ntSeGS6Kwz Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit Indeed.  We believe an IPv6 EH would be a valid solution here, sent at connection time.  A middlebox is proxying the HTTP stream around but it usually intercepts the TLS/TCP streams, so it would inherently drop the relevant methods.  Due to the state of EH support in deployed networks, clients should probably send an EH requesting the methods and also do Happy Eyeballs without the EH.  Then, if you want the new methods on your enterprise network, your only option is to fix your EH support. Win-win? On 2024-07-27 18:40, Josh Cohen wrote: > I was using "safe" in the narrow scope of methods. Patrick's point may > still apply if middle boxes only support pre-defined methods. > > To avoid mixing connection semantics, a subscribe request (regardless > of http method), could return subscription information that includes > how the client receives notifications. > For example, it could return a websocket address that the client > connects to in order to receive a stream of updates. In the case of > HTTP/3, a server-client stream could be set up. > This is how the SUBSCRIBE method in gena/UPNP work.  It just sets up > the subscription and notification paths, but doesn't handle the > notifications themselves. > > If the GET (or any preexisting) method is used, perhaps a content type > could be listed in the Accept header such as > application/subscription+json.  If the server receives that, it could > respond with a braid defines JSON message that contains the relevant > notification stream. > > > > On Sat, Jul 27, 2024 at 8:04 AM Soni L. > wrote: > > > > On 2024-07-27 11:44, Patrick Meenan wrote: >> >> >> On Sat, Jul 27, 2024 at 4:23 AM Julian Reschke >> wrote: >> >> On 26.07.2024 00:27, Josh Cohen wrote: >> > On the httpwg agenda at IETF 120 were a proposal for a new >> QUERY method >> > and Braid, which has subscription functionality that >> overloads the GET >> > method. >> > >> > What I am curious about is if, at this point in the >> evolution of the >> > web, it is now safe to add new methods for new >> functionality. I've been >> > reading up on HTTP/2/3 and it seems that nowadays, >> connections are >> > end-to-end secure and are essentially tunneled through >> middle boxes, >> > including HTTP/1.1 proxies. I'm still just wrapping my head >> around >> > MASQUE, but it looks like it can handle arbitrary methods.  >> Similarly >> > origin servers have evolved to support arbitrary methods. >> >> It always has been "safe", when https was used. >> >> >> https is not "safe" in practical terms because of middleboxes >> that intercept the connections. It is very common in enterprise >> deployments where they install local trust anchors on the client >> devices and use mitm software to inspect the traffic. >> >> Even HTTP/2 is not necessarily "safe" as we are seeing with the >> deployment of compression dictionaries as there are enterprise >> mitm devices that inspect HTTP/2 traffic as well (and in our >> case, reset connections when they see a content-encoding they >> don't understand). >> >> The better question is under what circumstances do we want to >> allow those devices to "break" and force them to fix the >> implementations? HTTP/S (or just H/2/3 if you want to be less >> intrusive) could be considered reasonable because the proxies are >> under the control of the site (CDN) or environment where they are >> being run (enterprise) and there's not random gear spread >> elsewhere in the Internet that needs to be tracked down.  The >> site-level is generally easy (don't use the new features on a >> given site if the serving path doesn't support it) but cleaning >> up the enterprise ecosystem can be a nightmare and a much bigger >> case of whack-a-mole. >> >> The alternative (that Chrome uses for HTTP/3) is to only use the >> new feature when the connection is TLS-anchored to a well-known >> trust root (no middleboxes on the client end) but that is >> allowing some portion of the Internet to continue to operate >> "broken" infrastructure. > Maybe use an IPv6 EH for non-well-known trust roots to claim > support? :) > > (only half-joking, but it might help improve EH support.) > > > > -- > > --- > *Josh Co*hen > --------------cczuuCzGy6nRS6ntSeGS6Kwz Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: 8bit Indeed.  We believe an IPv6 EH would be a valid solution here, sent at connection time.  A middlebox is proxying the HTTP stream around but it usually intercepts the TLS/TCP streams, so it would inherently drop the relevant methods.  Due to the state of EH support in deployed networks, clients should probably send an EH requesting the methods and also do Happy Eyeballs without the EH.  Then, if you want the new methods on your enterprise network, your only option is to fix your EH support. Win-win?

On 2024-07-27 18:40, Josh Cohen wrote:
I was using "safe" in the narrow scope of methods.  Patrick's point may still apply if middle boxes only support pre-defined methods.

To avoid mixing connection semantics, a subscribe request (regardless of http method), could return subscription information that includes how the client receives notifications.
For example, it could return a websocket address that the client connects to in order to receive a stream of updates. In the case of HTTP/3, a server-client stream could be set up.
This is how the SUBSCRIBE method in gena/UPNP work.  It just sets up the subscription and notification paths, but doesn't handle the notifications themselves.

If the GET (or any preexisting) method is used, perhaps a content type could be listed in the Accept header such as application/subscription+json.  If the server receives that, it could respond with a braid defines JSON message that contains the relevant notification stream.



On Sat, Jul 27, 2024 at 8:04 AM Soni L. <fakedme+http@gmail.com> wrote:


On 2024-07-27 11:44, Patrick Meenan wrote:


On Sat, Jul 27, 2024 at 4:23 AM Julian Reschke <julian.reschke@gmx.de> wrote:
On 26.07.2024 00:27, Josh Cohen wrote:
> On the httpwg agenda at IETF 120 were a proposal for a new QUERY method
> and Braid, which has subscription functionality that overloads the GET
> method.
>
> What I am curious about is if, at this point in the evolution of the
> web, it is now safe to add new methods for new functionality. I've been
> reading up on HTTP/2/3 and it seems that nowadays, connections are
> end-to-end secure and are essentially tunneled through middle boxes,
> including HTTP/1.1 proxies. I'm still just wrapping my head around
> MASQUE, but it looks like it can handle arbitrary methods.  Similarly
> origin servers have evolved to support arbitrary methods.

It always has been "safe", when https was used.

https is not "safe" in practical terms because of middleboxes that intercept the connections. It is very common in enterprise deployments where they install local trust anchors on the client devices and use mitm software to inspect the traffic.

Even HTTP/2 is not necessarily "safe" as we are seeing with the deployment of compression dictionaries as there are enterprise mitm devices that inspect HTTP/2 traffic as well (and in our case, reset connections when they see a content-encoding they don't understand).

The better question is under what circumstances do we want to allow those devices to "break" and force them to fix the implementations? HTTP/S (or just H/2/3 if you want to be less intrusive) could be considered reasonable because the proxies are under the control of the site (CDN) or environment where they are being run (enterprise) and there's not random gear spread elsewhere in the Internet that needs to be tracked down.  The site-level is generally easy (don't use the new features on a given site if the serving path doesn't support it) but cleaning up the enterprise ecosystem can be a nightmare and a much bigger case of whack-a-mole.

The alternative (that Chrome uses for HTTP/3) is to only use the new feature when the connection is TLS-anchored to a well-known trust root (no middleboxes on the client end) but that is allowing some portion of the Internet to continue to operate "broken" infrastructure.
Maybe use an IPv6 EH for non-well-known trust roots to claim support? :)

(only half-joking, but it might help improve EH support.)


--

---
Josh Cohen 


--------------cczuuCzGy6nRS6ntSeGS6Kwz--