Re: SETTINGS_MIXED_SCHEME_PERMITTED | Re: I-D Action: draft-ietf-httpbis-http2-encryption-07.txt

Patrick McManus <mcmanus@ducksong.com> Fri, 07 October 2016 14:39 UTC

In-Reply-To: <CABkgnnXC2QxaTqKWRORgxZ4a74sr_ALDMv9KeY4WKSGajVuj=Q@mail.gmail.com>
References: <20161004160321.DFB4C111E5@welho-filter1.welho.com> <BN6PR03MB27082C2CF4DC3F8F82354FDE87C50@BN6PR03MB2708.namprd03.prod.outlook.com> <201610050451.u954pomK003643@shell.siilo.fmi.fi> <CAOdDvNpRN_trGi23BpqUxmaLoLvom9+Yiew0GkNkhgwvqw4Bew@mail.gmail.com> <CABkgnnVKeqnyqhgL=jx1WqtcByqHes25XDJ684J+rNwvQt+znQ@mail.gmail.com> <201610051336.u95DaAW2020152@shell.siilo.fmi.fi> <CABkgnnVaBVE8mUxuGXYe-WeM_OkiNHcA=egnb1-nOxtdujShfw@mail.gmail.com> <201610051616.u95GGWcI031833@shell.siilo.fmi.fi> <BN6PR03MB2708B42C6964AA22AF8FFDC487C40@BN6PR03MB2708.namprd03.prod.outlook.com> <CABkgnnVJ7VRBH4VeGODkSUXdW9XHs8AjB_M0mm8Kt=nv3djvEg@mail.gmail.com> <BN6PR03MB27081C5CF95FB443BB4C155B87C70@BN6PR03MB2708.namprd03.prod.outlook.com> <CAOdDvNrr5Y2X14vVZjrs8uJw1pE74qP83=cniA24UpUdc855hA@mail.gmail.com> <CABkgnnXC2QxaTqKWRORgxZ4a74sr_ALDMv9KeY4WKSGajVuj=Q@mail.gmail.com>
From: Patrick McManus <mcmanus@ducksong.com>
Date: Fri, 07 Oct 2016 16:33:41 +0200
Message-ID: <CAOdDvNr0V16ewNxC5_R08SSYNg5DKDAXy1d5cJ+OTuwY5mcx_w@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
Cc: Patrick McManus <mcmanus@ducksong.com>, Mike Bishop <Michael.Bishop@microsoft.com>, Kari Hurtta <hurtta-ietf@elmme-mailer.org>, HTTP working group mailing list <ietf-http-wg@w3.org>
Archived-At: <http://www.w3.org/mid/CAOdDvNr0V16ewNxC5_R08SSYNg5DKDAXy1d5cJ+OTuwY5mcx_w@mail.gmail.com>

On Fri, Oct 7, 2016 at 11:54 AM, Martin Thomson <martin.thomson@gmail.com>
wrote:

> On 7 October 2016 at 18:45, Patrick McManus <mcmanus@ducksong.com> wrote:
> > I think either the 200 or the json are acceptable here - let's decide.
>
> Me too.  I think that we all now understand the parameters and we have
> a decent chance of being able to document the hazards, so let's pick.
> Shall I get a coin?
>
>
Can we consider MUST serve JSON, MUST verify 200, SHOULD verify JSON? This
recognizes that the JSON burden is harder on the client - the server can
just publish a fixed string.

This also recognizes that the party being protected here is the client.
(Nothing in this approach prevents an attacking MITM from just hijacking
regular plaintext h1 and proxying it to port 443 with an http scheme on the
server in the total absence of a .wk.. nothing unless the attacker is
afraid of being declared a non-compliant attacker :))

-P
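The split proposed in this message, as an added example (not code from the draft, from this thread, or from any browser or server): a client-side validator that treats the 200 status as a hard requirement and the JSON checks as SHOULD-level warnings (or, if the client chooses, as a veto), next to the server side that just publishes a fixed string. It assumes the well-known resource body is a JSON array of origin strings, the shape used in the draft series under discussion; the origin and the sample responses are constructed.

```python
import json
from dataclasses import dataclass
from typing import Tuple

# Constructed sample origin; a real client would use the origin of the
# http:// request it wants to move onto the TLS connection.
ORIGIN = "http://example.com"


@dataclass(frozen=True)
class Verdict:
    permitted: bool            # may http-scheme requests be sent on this connection?
    warnings: Tuple[str, ...]  # SHOULD-level failures that did not veto


def serve_well_known(origins):
    """Server side: the resource can be one fixed string published once.

    Returns (status, content_type, body) the way an origin server would.
    """
    body = json.dumps(sorted(origins))
    return 200, "application/json", body


def validate_opportunistic(origin, status, content_type, body, strict_json=False):
    """Client side: MUST verify 200, SHOULD verify the JSON.

    A non-200 status always refuses. JSON problems (media type, syntax,
    shape, origin not listed) are collected; by default they are reported
    as warnings, with strict_json=True they refuse as well.
    """
    if status != 200:
        return Verdict(False, ("status %d is not 200" % status,))

    problems = []
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type != "application/json":
        problems.append("media type %r is not application/json" % media_type)

    try:
        doc = json.loads(body)
    except ValueError:  # json.JSONDecodeError is a ValueError
        doc = None
        problems.append("body is not well-formed JSON")

    if doc is not None:
        if not (isinstance(doc, list) and all(isinstance(o, str) for o in doc)):
            problems.append("JSON is not an array of strings")
        elif origin.lower() not in {o.lower() for o in doc}:
            problems.append("origin %s is not listed" % origin)

    if problems and strict_json:
        return Verdict(False, tuple(problems))
    return Verdict(True, tuple(problems))


if __name__ == "__main__":
    status, ctype, body = serve_well_known([ORIGIN])
    print(validate_opportunistic(ORIGIN, status, ctype, body))
    # Constructed: a captive portal answering 200 with an HTML login page.
    print(validate_opportunistic(ORIGIN, 200, "text/html", "<html>login</html>"))
    print(validate_opportunistic(ORIGIN, 200, "text/html", "<html>login</html>", strict_json=True))
    print(validate_opportunistic(ORIGIN, 404, "text/plain", "not found"))
```

The validator only has meaning once the client has reached the origin over an authenticated connection and fetched the resource there; as the message says, it does nothing against an attacker who simply hijacks the plaintext h1 request before any of this runs.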