Re: Stephen Farrell's Discuss on draft-ietf-httpbis-tunnel-protocol-04: (with DISCUSS and COMMENT)
Stephen Farrell <stephen.farrell@cs.tcd.ie> Tue, 09 June 2015 10:22 UTC
Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 771101B2B8F for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 9 Jun 2015 03:22:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.912
X-Spam-Level:
X-Spam-Status: No, score=-6.912 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=unavailable
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MYDmx_ur_66B for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 9 Jun 2015 03:22:36 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 21E751B2B8D for <httpbisa-archive-bis2Juki@lists.ietf.org>; Tue, 9 Jun 2015 03:22:36 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.80) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1Z2Gbt-0008Db-8t for ietf-http-wg-dist@listhub.w3.org; Tue, 09 Jun 2015 10:18:21 +0000
Resent-Date: Tue, 09 Jun 2015 10:18:21 +0000
Resent-Message-Id: <E1Z2Gbt-0008Db-8t@frink.w3.org>
Received: from maggie.w3.org ([128.30.52.39]) by frink.w3.org with esmtps (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <stephen.farrell@cs.tcd.ie>) id 1Z2Gbm-0008C8-Ah for ietf-http-wg@listhub.w3.org; Tue, 09 Jun 2015 10:18:14 +0000
Received: from mercury.scss.tcd.ie ([134.226.56.6]) by maggie.w3.org with esmtps (TLS1.2:DHE_RSA_AES_256_CBC_SHA256:256) (Exim 4.80) (envelope-from <stephen.farrell@cs.tcd.ie>) id 1Z2Gbc-0000uj-74 for ietf-http-wg@w3.org; Tue, 09 Jun 2015 10:18:11 +0000
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 50EE1BE49; Tue, 9 Jun 2015 11:17:30 +0100 (IST)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xqNEPQ1225vu; Tue, 9 Jun 2015 11:17:28 +0100 (IST)
Received: from [172.16.20.132] (62-50-200-74.client.stsn.net [62.50.200.74]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 4B24ABEE2; Tue, 9 Jun 2015 11:17:27 +0100 (IST)
Message-ID: <5576BD36.2010509@cs.tcd.ie>
Date: Tue, 09 Jun 2015 11:17:26 +0100
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: Mark Nottingham <mnot@mnot.net>
CC: httpbis-chairs@ietf.org, draft-ietf-httpbis-tunnel-protocol.shepherd@ietf.org, draft-ietf-httpbis-tunnel-protocol.ad@ietf.org, The IESG <iesg@ietf.org>, draft-ietf-httpbis-tunnel-protocol@ietf.org, ietf-http-wg@w3.org
References: <20150608130135.22475.59784.idtracker@ietfa.amsl.com> <0D9D95B0-54F0-47BF-9CC8-11BF4E8D763A@mnot.net>
In-Reply-To: <0D9D95B0-54F0-47BF-9CC8-11BF4E8D763A@mnot.net>
OpenPGP: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Received-SPF: none client-ip=134.226.56.6; envelope-from=stephen.farrell@cs.tcd.ie; helo=mercury.scss.tcd.ie
X-W3C-Hub-Spam-Status: No, score=-11.6
X-W3C-Hub-Spam-Report: AWL=-1.350, BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, T_RP_MATCHES_RCVD=-0.01, W3C_AA=-1, W3C_IRA=-1, W3C_IRR=-3, W3C_WL=-1
X-W3C-Scan-Sig: maggie.w3.org 1Z2Gbc-0000uj-74 e1f93644dc574242cbf3d1a52af4bb7c
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Stephen Farrell's Discuss on draft-ietf-httpbis-tunnel-protocol-04: (with DISCUSS and COMMENT)
Archived-At: <http://www.w3.org/mid/5576BD36.2010509@cs.tcd.ie>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/29714
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
Hi Mark, That's all good from my POV and I like your suggestion at the end. Cheers, S. On 09/06/15 02:15, Mark Nottingham wrote: > Hi Stephen, > >> On 8 Jun 2015, at 11:01 pm, Stephen Farrell >> <stephen.farrell@cs.tcd.ie> wrote: >> ---------------------------------------------------------------------- >> >> DISCUSS: >> ---------------------------------------------------------------------- >> >> >> >> I think this should be an easy discuss but is needed. RFC 7301 >> says: >> >> Care must be taken when such identifiers may leak personally >> identifiable information, or when such leakage may lead to >> profiling or to leaking of sensitive information. If any of these >> apply to this new protocol identifier, the identifier SHOULD NOT be >> used in TLS configurations where it would be visible in the clear, >> and documents specifying such protocol identifiers SHOULD recommend >> against such unsafe use. >> >> That last sentence seems to imply that you ought replicate such >> guidance here. > > Seems reasonable to me. > >> ---------------------------------------------------------------------- >> >> COMMENT: >> ---------------------------------------------------------------------- >> >> >> >> - I can see situations where I might want to not tell the proxy >> what protocol I'll be using inside TLS and when TLS1.3 hides ALPM >> from the proxy (I hope:-) then could there be value registering a >> "I'm not telling" ALPN value so that a UA wouldn't have to lie to >> the proxy? > > Or the UA could omit the header, or the UA could send the header with > no value. > > >> - I think you ought say what you expect a proxy to do if the ALPN >> header field and the ALPN TLS extension value do not match and I >> think that ought say that a CONNECT recipient in such cases SHOULD >> NOT drop the connection solely on that basis. If they have some >> policy about it fine, but they shouldn't barf just because there's >> a different order or spelling or just a different value. > > Seems reasonable to me. > > >> - Replicating values at multiple protocol layers produces a common >> failure mode where code only uses one copy to do access control or >> authorization or where two nodes in sequence use different copies, >> with unexpected behaviour resulting. I think you should call that >> out in the security considerations section as it keeps happening. > > Again, seems reasonable. > > I wonder if it would be helpful to explicitly motivate it — i.e., say > this header is there to make the information available at the HTTP > layer during CONNECT, so that the server can refuse the connection > gracefully if they like (e.g., with a 403); without it, the server > would have to sniff ALPN in the tunnel and then close the connection > rudely. > > Cheers, > > > -- Mark Nottingham https://www.mnot.net/ >
- Stephen Farrell's Discuss on draft-ietf-httpbis-t… Stephen Farrell
- Re: Stephen Farrell's Discuss on draft-ietf-httpb… Mark Nottingham
- Re: Stephen Farrell's Discuss on draft-ietf-httpb… Stephen Farrell
- Re: Stephen Farrell's Discuss on draft-ietf-httpb… Martin Thomson
- Re: Stephen Farrell's Discuss on draft-ietf-httpb… Amos Jeffries
- Re: Stephen Farrell's Discuss on draft-ietf-httpb… Adrien de Croy
- Re: Stephen Farrell's Discuss on draft-ietf-httpb… Mark Nottingham
- Re: Stephen Farrell's Discuss on draft-ietf-httpb… Barry Leiba
- Re: Stephen Farrell's Discuss on draft-ietf-httpb… Martin Thomson
- Re: Stephen Farrell's Discuss on draft-ietf-httpb… Spencer Dawkins at IETF