Re: Reminder: Call for Proposals - HTTP/2.0 and HTTP Authentication
Nicolas Mailhot <nicolas.mailhot@laposte.net> Fri, 27 April 2012 10:46 UTC
Willy Tarreau <w <at> 1wt.eu> writes:

Hi Willy

> On Fri, Apr 27, 2012 at 09:16:00AM +0000, Nicolas Mailhot wrote:
> > Would it be possible to publish a list of specific questions and have each
> > proposal submitter answer how its proposal answers each of them?
>
> I'm not sure this will help make great progress in the short term (only 1.5
> month is left for proposals, and working on them takes a *lot* of time).

Maybe, but in the long term, this kind of question will need answering anyway, so it's dangerous to postpone them IMHO. That adds the risk of painful later reworks if something is missed in the initial phases.

> > 1. Can the proposal permit secure http/2.0 communication without letting
> > malware punch random protocols through firewalls using the http/2.0 secure
> > port?
> You'll never ever be able to guarantee this.

Right, but there is a difference between allowing some leaking, and being so lax one can push full vpn/remote desktops through the https port. If one of the proposals improves this situation that would be a definite plus.

> > 2. How can intermediary network nodes request (re-)authentication on secure
> > networks when client credentials expire?
>
> Unless I miss your point, that's what the 401 is about, no ?

The point is proxy/gateway auth as before. Especially for proposals that push for full TLS encryption, when it is the most broken case right now. Right now most browsers propose opening an http connection to a specific URL to trigger portal auth. That's broken by design (http and https are different namespaces, and different URIs may be subjected to different filtering) and instead of fixing this some of the proposals make the situation worse as far as I can tell.

> > 3. How can they communicate authentication location to the client
> > 4. How could other intermediary messaging be handled?
>
> I'm not sure I get these points.

Again, how can proxies and gateways communicate with the web client. Or to put it otherwise: is the proposal compatible with Enterprise network security or does it require changes elsewhere that may or may not happen while Enterprise users get cut from the new http/2 web? For example if a proposal requires a new proxy protocol to be proxified the proxy protocol changes should be submitted alongside it, not in some hypothetical future.

> > 5. Is the proposed protocol feature-complete or does it require an http/1.1
> > downgrade to handle some existing http use-cases (esp. proxy ones)?
>
> It needs to be able to completely replace it otherwise it will mean much
> more work for many implementers, leading to many more bugs and interop
> issues.

I agree but I'm sure some answers to 2. will be 'open an url to http://youre-on-the-internet.com/ in http 1.1'. And there may be other cases I'm not aware of.

> > 8. Does it add specific logging constraints that didn't exist in http/1.1?
> Logging is out of the scope of HTTP in my opinion

If you add multiplexing, logging (and log processing) needs reworking. How much depends on how the proposed multiplexing works. Implementers (both server, intermediary and client side) need to be informed of the new elements that need logging now.

> > 9. How will the proposal improve network efficiency?
> At least by reducing message sizes, packet counts and connection counts.

This is the only question reasonably answered in the proposals, though no two proposals address it the same way.

Regards,

-- 
Nicolas Mailhot