Re: [Int-area] New version of WPADNG
Ben Schwartz <bemasc@meta.com> Fri, 19 July 2024 18:47 UTC
Received: by ietfa.amsl.com (Postfix) id 1971BC14F6EE; Fri, 19 Jul 2024 11:47:43 -0700 (PDT)
Delivered-To: ietfarch-httpbisa-archive-bis2juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 17AA8C14F6E4 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 19 Jul 2024 11:47:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.255
X-Spam-Level:
X-Spam-Status: No, score=-2.255 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, MAILING_LIST_MULTI=-1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, URI_NOVOWEL=0.5] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=w3.org header.b="EPmnW1LL"; dkim=pass (2048-bit key) header.d=w3.org header.b="FgrgoxUS"; dkim=pass (2048-bit key) header.d=meta.com header.b="G+oy2Kgo"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WjmJzYBNjP3K for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 19 Jul 2024 11:47:38 -0700 (PDT)
Received: from mab.w3.org (mab.w3.org [IPv6:2600:1f18:7d7a:2700:d091:4b25:8566:8113]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 52637C14F617 for <httpbisa-archive-bis2Juki@ietf.org>; Fri, 19 Jul 2024 11:47:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=w3.org; s=s1; h=Subject:MIME-Version:Content-Type:In-Reply-To:References:Message-ID: Date:CC:To:From:Reply-To; bh=4esm7m6sfkueno2qYKUoyKrIIwWnh3a1R1gNdlsBTs4=; b= EPmnW1LLkByMZt5EE6Q1IrkFqRiFMn6PSMvTlT83FgoLFY5IFprMPym0SNJ+FmrbG6a8obkfx8rC9 xE47Cuqi8txL2GdBib/Bmztpf5BjQ73ANmiyaOtpiRTsweLxIx0HoOsSYOEoJI0oFiE3Dq/8MFslM t8/nlxD99Vir8+xWX3lCqzmTn4tAnIp57iZxpGpzRW5GHoA0VcNMTPXEb9ZyPYYfzknpeidFRBRxm TpqnKQkxZfnlXIa0CxoQefosZevqrhwWg12h9lNLLXQzAyDedLcYAIIvSN8zFRNwsFtuehBzvibMV Efj3rK3Lrh27Mf9QL0g8ZzKO9DmxCILojw==;
Received: from lists by mab.w3.org with local (Exim 4.96) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1sUscm-00BRCH-0y for ietf-http-wg-dist@listhub.w3.org; Fri, 19 Jul 2024 18:46:36 +0000
Resent-Date: Fri, 19 Jul 2024 18:46:36 +0000
Resent-Message-Id: <E1sUscm-00BRCH-0y@mab.w3.org>
Received: from ip-10-0-0-144.ec2.internal ([10.0.0.144] helo=pan.w3.org) by mab.w3.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from <prvs=29302ad992=bemasc@meta.com>) id 1sUsci-00BRBL-2L for ietf-http-wg@listhub.w3.internal; Fri, 19 Jul 2024 18:46:32 +0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=w3.org; s=s1; h=MIME-Version:Content-Type:In-Reply-To:References:Message-ID:Date: Subject:CC:To:From:Reply-To; bh=4esm7m6sfkueno2qYKUoyKrIIwWnh3a1R1gNdlsBTs4=; t=1721414792; x=1722278792; b=FgrgoxUSOfNdE0FNytlklMMGD1gXpGgviueZsM/pt0zuDiN RU4UXktgX15z6mYPN6ern85dDqXsCqyEs9pjLIQ/fT3k0zeErcpNopQcf5cnfK1x5LE7BqM/bNOqT QMMPk+pg+jYGhiwo2AQ1G8NJYfv5L++sGVSMFLhFeVFPfjky/DWrlDljUBiBVmyhX67s7tF5rSteG 5tC9xQ5QI8MUysn+eg7R32RZoLxAxKeYqIQ2xrxy3Fw80DI2i7X+LCPFaPnQf+q3UWJoa2DFOMqVP Pbwj/zxrp9BgwthdnCkf9p3gaq/DdTZKB6nJimytWo0VnOa/9ppalPUlzJiu70mQ==;
Received-SPF: pass (pan.w3.org: domain of meta.com designates 67.231.153.30 as permitted sender) client-ip=67.231.153.30; envelope-from=prvs=29302ad992=bemasc@meta.com; helo=mx0a-00082601.pphosted.com;
Received: from mx0b-00082601.pphosted.com ([67.231.153.30] helo=mx0a-00082601.pphosted.com) by pan.w3.org with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from <prvs=29302ad992=bemasc@meta.com>) id 1sUsch-00AZiC-2j for ietf-http-wg@w3.org; Fri, 19 Jul 2024 18:46:32 +0000
Received: from pps.filterd (m0089730.ppops.net [127.0.0.1]) by m0089730.ppops.net (8.18.1.2/8.18.1.2) with ESMTP id 46JHlDc9031280; Fri, 19 Jul 2024 11:46:26 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=meta.com; h=from :to:cc:subject:date:message-id:references:in-reply-to :content-type:mime-version; s=s2048-2021-q4; bh=4esm7m6sfkueno2q YKUoyKrIIwWnh3a1R1gNdlsBTs4=; b=G+oy2Kgo765PhqKPVOfGp+EA0N48Sc7D ICubEBbnKgVZTMh6ctW0QLTXHxGzU2cBVUmRFrRfu52mxDMA6rZKQWemqZJAddqw RjFqglDGsJDIpsZ6gKXsrDmxDfT5pMDybM2IttJ+XLQOCYLwD7LQm52a5ghcVPgY JnqRGZp+14jHJYu7rw/wGXQplH4OVbnib1tl9/OVRn6iGh20eQ3nr/IQ9TDdbXS1 OPgbKdIZxmLSa8dTJ541ygayali/pe7p2MPs59a+RW+KTeiwkfAJn2byxzGiJtGz e7Wbv513U9gJkq9AHnDTp0cFtyG9WRm70r10CSbmHjKCEY8ZHqQLHg==
Received: from nam10-bn7-obe.outbound.protection.outlook.com (mail-bn7nam10lp2048.outbound.protection.outlook.com [104.47.70.48]) by m0089730.ppops.net (PPS) with ESMTPS id 40f1p0arvv-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 19 Jul 2024 11:46:25 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=IJ81HWj3SRYn3tlP8byFOjxFkyHSE/Nyn/Q72XBNLy1NpzUrAx2v34pX1zCPrMoHKNptcnOAvcpj0aWysESRmVT1grmfPMh1NiWEwlKF4Hdz0fHBibCP1uB2t3eqgq+3ODwUiRmT1RZHTb7mXZUZqfjTBk7TaL9RE2sT8oZdLQbmhkqJnVvg47PsoWaZrpdYmyJZF6p3Blm6B/U3SteyM6ykf2OlZmfv6qoaT0J9uD6F31MPIJ5FQ6lxpxzApOsaflj1vz6n6TOh0FMueO3YIMTgtFCmn5ACI+8tp71NtwgJmLq18DVjwfQCA54Gx8+vIenHMDc2o1CvnlXbCuka2w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=X9ZyMQSeef0XxuHNxXfcUAfhiz2cJ51P6JqR3j4Spzg=; b=J3kUiEtq93PZeXZN4mP18FR0/A6hwcytNPoktSH0yOqgyywJ+29YtSFTkuF8eYPuF0ON4fVhRQWBveL1ZEOcdfbFarg0nA4dT4lJfWflW6SD4P+dr7MLD11mFtm8ak0Twf8waaP596cMxbz4DUD3lS+CupMPPwSLqXACoV/w4mVw7dUBT6ivay4NjxH3MnZBqPjA1pMNhGwZYeYyfldmCH1xUOiB13HxVzJmqMhbBt0d8KpAlkes28iYx+nukoS91D7Yh8umHjHdjVwA/Jp7O+xcrfQh2AwjSyUpZEoYixzIBFhjKmhxSQBXG82/ZLLhkNhXcdNk9r3b20xvUCuvaw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=meta.com; dmarc=pass action=none header.from=meta.com; dkim=pass header.d=meta.com; arc=none
Received: from SA1PR15MB4370.namprd15.prod.outlook.com (2603:10b6:806:191::8) by PH7PR15MB6476.namprd15.prod.outlook.com (2603:10b6:510:2ff::16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7762.29; Fri, 19 Jul 2024 18:46:09 +0000
Received: from SA1PR15MB4370.namprd15.prod.outlook.com ([fe80::b6dd:72cc:243a:babb]) by SA1PR15MB4370.namprd15.prod.outlook.com ([fe80::b6dd:72cc:243a:babb%7]) with mapi id 15.20.7784.016; Fri, 19 Jul 2024 18:46:09 +0000
From: Ben Schwartz <bemasc@meta.com>
To: Josh Cohen <joshco@gmail.com>, Watson Ladd <watsonbladd@gmail.com>
CC: David Schinazi <dschinazi.ietf@gmail.com>, "int-area@ietf.org" <int-area@ietf.org>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Thread-Topic: [Int-area] New version of WPADNG
Thread-Index: AQHa0Zg2JDYzjQEQdUKPk4eTrPLs07Hu8iMAgAypYACAAAlrgIAALlkAgAAG3ICAAK+wgIAANIaAgAGzHoE=
Date: Fri, 19 Jul 2024 18:46:09 +0000
Message-ID: <SA1PR15MB43704CB9F682B9F152EA958EB3AD2@SA1PR15MB4370.namprd15.prod.outlook.com>
References: <CAF3KT4QFxgNK=kLw_jZ06B85-3sUXqHmHQK03i-jWOZS-jCszw@mail.gmail.com> <CAPDSy+6ranR-120OMGzOGELLA=r2BxJdqLFmTXWqCA6-wm2uoQ@mail.gmail.com> <CAF3KT4SmCpBFZ-3VtnkaSBTSzRpBwOnBqsrft3RxVbq7MU09+Q@mail.gmail.com> <CACsn0cknrPEeacAkRv7LhywS6bWkYc+bEzfS8kMKLcJzY1Z55w@mail.gmail.com> <CAF3KT4Se2=TxChwcthnbAOnvOfd_ji7mUHCS4aS_UwJcTFgaLQ@mail.gmail.com> <CACsn0ckn1fgZ605hpnzpgsRopQqGZ7g0cwuSsfQSjC0jguRG6g@mail.gmail.com> <CAF3KT4QYM+y+43LU3DNxX4S5LOGYe0SoLBZRhjOTVrM7X_RUdQ@mail.gmail.com> <CAF3KT4SYE28=_aHJNUsSRDyawMk_w2rq9z8B3mErqMv_tHsaVw@mail.gmail.com>
In-Reply-To: <CAF3KT4SYE28=_aHJNUsSRDyawMk_w2rq9z8B3mErqMv_tHsaVw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels:
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: SA1PR15MB4370:EE_|PH7PR15MB6476:EE_
x-ms-office365-filtering-correlation-id: 40e97fda-e640-4f15-c4a0-08dca8230e66
x-fb-source: Internal
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;ARA:13230040|1800799024|366016|376014|38070700018;
x-microsoft-antispam-message-info: uM7Ha87Ah2LnQzENZIY5SYfWwvyd+qziFgXFGlMHXDPdKuA9T8TGtS+r4pI3MxYIB6DaYLUfKsT6VzPpMis7/OJ+DuiFk0v5ZjZcbAMey5B1kv3KE2GayZwc8r2zeIzampNxNlajghGhfc6Vm4Wt5ITbg1sqe3+GAsgBSHK/oTiJ1UsUxmJBi1M6wR5F2bfL+UwEp5lh1aNCtyT/giPh88o4DLjS7SuyorlIWCpDvbOxrmUIxBT6IA7Hpbuko5eTuxU8Ooi9/tMYW67Vu+XcFlFv8/S0iE+aBAfmbn9NbEuUicN+DA8rvNcJfB6hu2HNE82ZVj7vWS48gc66yWTpn9DzZGVwnzyFfb6KlHxgszHVXVx7PTOUEOiHu8e8jvxP0t3yCMbJJx3l8aDG8w/XzuKc2M5yXiF8iCBSOCFQIVbM1a9DRmi46YJhFSD1U/plugj6H6VEKGKCIi5mSxDBmuWCJuluz365aTsgzBab2/zr1J97iCkfym7auH5A+6gOHZYxDnT+xpPT7p1jxjT8pz/egJ9laEXBd+02SLFdhpcMav82GWwYlwyGtd+8KGtKSUuRWDYWlzYv6mqHSa87Rp1AqkP8oFJ4KclNUlQZgxhrz9WL0wRPW1Sgrpme9ixd+QCnempN2ZYhBtIL9tl9+kzT3wWP+UsPFYlZKw48vWJ9CdSiocQOzfxRW1r7KEmciGpR+aWZr4hI0sh0+3YumPLFvh0qR1Fh+GUGtaEFXi+uS0iKqCpWjINvoPBAoV1MWZddbuwck3P9/V5fxV5RGaSYi9yKQrT5jTPlNLGfRXQXHT/Rptpmur3i5zp0Ah11WF+rLEHpdTK7QGgBZxMlsMuFybcaPLOBeG5yOQUF7RMLVt1hTEvlehf5qXFxU5X1xEFR98ysMOGbbFBsjfrjogdnsr65yXd+0o+ZumqmhhDQcuUXGyyds3ilKoYlx6no/65pmrGrrtIIcxkn1DaWV3RU+LeFCpxfErEnUmxFq87/sJvgRYeKHMfD2LWke3QqUtyt+7boJHT9YD0IjrE1dKm5FD657/M7Yk3N+b2zUJ8UUKobQFL0mujiTGJ8gWAxFSMS+bt+F7S6WhkRkaLxqWGfTYHxRJZOFzsxOWpZ6jow8/+JqdUg+GCpx1/r7blAq7JQU52cCPulcPlwTfDVp2s3MV/79XVcCDCMeDMImc4msJJ8/movxBYNMWMZwlSRsGx0W5k6NxneZSiSRnwCCZ3ad2ip1Z9oMc3w8vulX6WME7NcdWt4Ow2HAXhCECUgs9X75EgP7xfgHcPCKWm0TRUcogqlfIEKf5Ju5tue1GDtIB3+rcm49KTTTsAEtg7JKXFU5Ja6PGH6FIrq8x+i3zfDfgtnHapYtKcYSFvheoM=
x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:SA1PR15MB4370.namprd15.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230040)(1800799024)(366016)(376014)(38070700018);DIR:OUT;SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: rwE2sm3C/czWhyOoPSAmUkIjJfOx0IVMwB4lejATQLTzTB+hT7aBJLTrTVTzPQjXtLclYKMPfWSrt9JAEZh9xck/YKj+xmi2pujkpWP8NPY9Mk9YY5nS8N4o8huf51HXNyORypvygcUIZvAv7gmTj0F6ylVdUjeNpfChAlRUbNRHat4HKuyARC2ZqemainYZJY6D4+o5DoF53DqRVBfy2FXJRAssENXnY/qrVFvqVTzPr8fl+e63hHd9SJkQNMnL/wSBzhCA4rgAn5SUlDjUqbS33SKTE9N0WyQx1evX1Hd6ExAhbC0VuiC6fsf5njT7kwfqeot4MkH4EoayyTcNq4tj2kCwsOi+ib5RzQihJIz1AXOSA0vHP5IMBbBRIjsLZjNIHWyzi1ZQNRt4G2qs0iBXfGLipOTpalGtRDWWLLossqQ5kOzdNc9fakyZqRJYn9dfJmVkMZ+EaHjD7ksWiRo62szdMsMHwia4TxfCtNOOQAI9fWmRdTOsXRWXR+4qLhgO9kJ1GHsDK/91VeoyRkYF4jXBcgDhnPax/QXgQnmFuBbD0Fr/gGXz5dsTQXBKF12QUhpMFW8pdc3iI37XDqJuaEzfvR5aKUt57lkysweiGselaGkliGC1TL/3hY6oO/Nr9zFsTZYVJhCI8WRtd0Z/DBGcelnJ/zy0As5gH5Rl7CGfCv7lmQvS4gGF4ySa9mLTK2P4+ThMH9n7zYEv5Iq/XCwbZ3uVIQg9YI7v8RT36fH0CoNVrCup6uIE5rmBClTxdvIj+6+eRFP16BKxrW6fl/fNESr5m9fl6nyYjbjWvaRJUML7wSYzjSvdFi+snS1uWf80n1/avv1e8HKFAe9/J53e+mRcemE+5QjzKNw1xNFY93hbOxF3uBHwIw5EGH//bV4kMoEedJ2lbcxUYu5KXULYKpXjzsQk7HfaP60WpIgaYONtUYIRwehQTtMAKcmTBGkGJHAt/eatjhMci55DUXvnt8sbssIByvUzSWn36KtZvauNNDMwx45xTdEkZ5Q5a3fvC7IqftphIeR2WINmeTm7jql8Qjqg6LlxLldDlqdut/pAXtFom4606637ihWV5ArxOMPlHNEeL5u5VXBgMUNgakiep8Qdo08Oh/nwhPvowWceFuTflt0B3aTG26r5g1MCZHrvcI/oVomyxAgfcsBcqDjlOoPsbe0vTS0EjjC3hBYA9kGanp5vkV86kJ68Yc4tn/MRf0q4tzmDCFaHxk05pGP6vODMwYe4OjWXHJlsTaGzTj/hr8V/+naRwHAbVuZxUR+1dee56VQxA/kWyDWC4Rws2dDz++0sx0TJrcx40leTAK2nloCcCUayy07Xbwic+kS6pIQJ1UfaHLuWXbAZwrrdEoEeyGGk1tDzOL5dJUijTJ9UE92IR39SoXKFI70M7WBbNlTJt+1PVEVf5g+rAh+/IgqgKoP39BYZz5nJfgNbbhu6pmiUYDnRnAObOTlp272Ixre9i/4h69jQMWTVRPGEFDUIjVzHW6uL9tIEg7qjp0VAZgvOvBH9MxSKL2frnTTXxN4pLSrbKRCXyW7tGuJsNQCAn1/LTJQ=
Content-Type: multipart/alternative; boundary="_000_SA1PR15MB43704CB9F682B9F152EA958EB3AD2SA1PR15MB4370namp_"
MIME-Version: 1.0
X-OriginatorOrg: meta.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: SA1PR15MB4370.namprd15.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 40e97fda-e640-4f15-c4a0-08dca8230e66
X-MS-Exchange-CrossTenant-originalarrivaltime: 19 Jul 2024 18:46:09.8600 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 8ae927fe-1255-47a7-a2af-5f3a069daaa2
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: rVioh3m5yrj5IF1X1ZNSVSNOzUkSvVmvbfHCzXj4u938KHvaYWQ9/4f76tA5wiyg
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PH7PR15MB6476
X-Proofpoint-ORIG-GUID: BcsNMo0kGmkmnatrzzDYKo7uJNgg6JoO
X-Proofpoint-GUID: BcsNMo0kGmkmnatrzzDYKo7uJNgg6JoO
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1039,Hydra:6.0.680,FMLib:17.12.28.16 definitions=2024-07-19_06,2024-07-18_01,2024-05-17_01
X-W3C-Hub-DKIM-Status: validation passed: (address=prvs=29302ad992=bemasc@meta.com domain=meta.com), signature is good
X-W3C-Hub-Spam-Status: No, score=-3.5
X-W3C-Hub-Spam-Report: ARC_SIGNED=0.001, ARC_VALID=0.001, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, DMARC_PASS=-0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URI_NOVOWEL=0.5, W3C_AA=-1, W3C_WL=-1
X-W3C-Scan-Sig: pan.w3.org 1sUsch-00AZiC-2j 0b598f549b53f8e9f9ae39ff19f1434e
X-Original-To: ietf-http-wg@w3.org
Subject: Re: [Int-area] New version of WPADNG
Archived-At: <https://www.w3.org/mid/SA1PR15MB43704CB9F682B9F152EA958EB3AD2@SA1PR15MB4370.namprd15.prod.outlook.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/52087
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/email/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
I think the root of confusion here is that bootstrapping mechanisms like DHCP, and perhaps PvD, are sometimes being used among mutually-trusting parties, sometimes among mutually-distrusting parties, and often somewhere in-between. Configuration elements that make sense in one of these contexts are often unusable in the other. I think the best solution is usually to move the configuration element out of these multi-use protocols, to a single-purpose system where this kind of conflict doesn't arise. In this case, that might mean a BCP that says "transmit your PAC file URL through your device provisioning channel". If the information must be conveyed in a "dual use" channel like PvD, it may help to emphasize that the information is only to be used for networks that the client regards as sufficiently "trusted". --Ben Schwartz ________________________________ From: Josh Cohen <joshco@gmail.com> Sent: Thursday, July 18, 2024 12:37 PM To: Watson Ladd <watsonbladd@gmail.com> Cc: David Schinazi <dschinazi.ietf@gmail.com>; int-area@ietf.org <int-area@ietf.org>; ietf-http-wg@w3.org <ietf-http-wg@w3.org> Subject: Re: [Int-area] New version of WPADNG Lots of good info here. Bernard said: In RFC 5505, the IAB took on this question, separating basic IP configuration (which has in practice proved difficult to secure) from application-layer configuration (which can be postponed until later Lots of good info here. Bernard said: * In RFC 5505, the IAB took on this question, separating basic IP configuration (which has in practice proved difficult to secure) from application-layer configuration (which can be postponed until later in the boot process when security facilities are available to secure it). Through the lens of RFC5505, that leads towards DNSSD. Is DNSSD considered safer than DHCP? Paul said: * It's necessary for edge devices to securely learn the security policies of a network, for example a proxy if any and the cert or will offer if so. We're working around DoH policy signaling using the DNS server itself but it's slow going. I read the Mozilla support pages for DNS over HTTPS (DoH): Are you involved with this Mozilla work? https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https<https://urldefense.com/v3/__https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https__;!!Bt8RZUm9aw!7DnECYLfc3Kw-CB-cs9W6Q6AgTvTEDFIU_d1Dpiiwc6r8wiAIhvPFPRxgPxs8oDBtq0LDvI32Q$> https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet<https://urldefense.com/v3/__https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet__;!!Bt8RZUm9aw!7DnECYLfc3Kw-CB-cs9W6Q6AgTvTEDFIU_d1Dpiiwc6r8wiAIhvPFPRxgPxs8oDBtq0cyQm1KA$> The solution to detect when not to use DoH is a canary domain: use-application-dns.net<https://urldefense.com/v3/__http://use-application-dns.net__;!!Bt8RZUm9aw!7DnECYLfc3Kw-CB-cs9W6Q6AgTvTEDFIU_d1Dpiiwc6r8wiAIhvPFPRxgPxs8oDBtq2RIFdfbw$>. Can you shed light on this choice vs DHCP or DNSSD? Paul said: * I'd like to be able to verifiably inform each connecting device about the network owner's policy demands so that the device can decide whether to accept those terms or remain offline. Tommy Pauly said: * I do think there is room for network-discovered proxies, and I’d like to continue to explore how to do that safely in the realm of the PvD-based discovery. I think the cases are going to be more limited there — cases of the network saying “I have this proxy I suggest using because it is well-optimized for my network, if it’s on your trusted list of proxies, then please use it"… From what I've read of PVD a network's preference for DoH could be expressed in a PVD. A network's PVD could be discovered by either DHCP or DNSSD On Thu, Jul 18, 2024 at 9:29 AM Josh Cohen <joshco@gmail.com<mailto:joshco@gmail.com>> wrote: On Wed, Jul 17, 2024 at 11:00 PM Watson Ladd <watsonbladd@gmail.com<mailto:watsonbladd@gmail.com>> wrote: On Wed, Jul 17, 2024, 7:36 PM Josh Cohen <joshco@gmail.com<mailto:joshco@gmail.com>> wrote: > > You lost me with the nuclear submarine reference. I'm guessing instead of a terminal room, the IETF now has a navy? https://en.m.wikipedia.org/wiki/USS_Jimmy_Carter<https://urldefense.com/v3/__https://en.m.wikipedia.org/wiki/USS_Jimmy_Carter__;!!Bt8RZUm9aw!7DnECYLfc3Kw-CB-cs9W6Q6AgTvTEDFIU_d1Dpiiwc6r8wiAIhvPFPRxgPxs8oDBtq30-AGPQA$> She wasn't made for sitting around. > > The coffee shop gives you your IP address, default route to the Internet, DNS servers and other DHCP options. It often has a captive portal, which may also have a transparent proxy that filters, can eavesdrop or otherwise abuse you. It is *their* network after all, you are just a guest. That's aside from chai latte sipping wifi snoopers and the general jungle of public wifi. So what's WPAD doing here? It's just another way to get that traffic to the wrong place. Again, the Internet threat model has the network be untrusted. That might be bad news for the vendors of devices that don't work that way, but that's what the RFC and design says. And indeed the coffee shop router shouldn't be trusted. I am having dejavu. We had a similar debate 25 years ago. Proxy servers in general weren't exactly popular because they violate the end-to-end ethos. With respect to the network being untrusted, enterprises will push back on that. They will do things that seem draconian. > > > I'm definitely getting the "WPAD suxorz" vibe, but what's missing are answers to how scenarios WPAD currently addresses will be addressed without it. > > At work, your computer uses your enterprise's proxy. When you arrive at the coffeeshop, will you go into your computer's settings and turn off the proxy? When you go back to work the next day, will you go back into your settings and turn it on again? I think this scenario is due to some fundamental confusion. What is the enterprise proxy doing? Why is it safe to turn off that function at the coffeeshop or entrust it to some random person given the computer will be back on the network the next day? And if the enterprise network needs to administer hosts, it can do that through much better ways. I was assuming a situation where the enterprise proxy is not accessible from outside of the enterprise network. > > > > On Wed, Jul 17, 2024 at 7:50 PM Watson Ladd <watsonbladd@gmail.com<mailto:watsonbladd@gmail.com>> wrote: >> >> One adversary is willing to devote an entire nuclear submarine to the >> task. They are more than willing to use existing vulnerabilities in >> ways that you never hear about because they are good at their jobs. >> >> If you use network links to configure your device, and the device goes >> to the coffeeshop, that coffeeshop gets to configure the device. >> That's just inherently a bad idea, and always has been. >> >> Sincerely, >> Watson Ladd >> >> -- >> Astra mortemque praestare gradatim > > > > -- > > --- > Josh Cohen -- --- Josh Cohen -- --- Josh Cohen
- New version of WPADNG Josh Cohen
- Re: [Int-area] New version of WPADNG David Schinazi
- Re: [Int-area] New version of WPADNG Josh Cohen
- Re: [Int-area] New version of WPADNG Watson Ladd
- Re: [Int-area] New version of WPADNG Josh Cohen
- Re: [Int-area] New version of WPADNG Tommy Pauly
- Re: [Int-area] New version of WPADNG Watson Ladd
- Re: [Int-area] New version of WPADNG Josh Cohen
- Re: [Int-area] New version of WPADNG Josh Cohen
- Re: [Int-area] New version of WPADNG Ben Schwartz