IETF Logo Mail Archive

Re: IETF HTTPBIS I-D submission - please review draft-sandowicz-httpbis-httpa2

Martin Thomson <mt@lowentropy.net> Wed, 19 October 2022 00:24 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5C94DC1524C1 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 18 Oct 2022 17:24:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.759
X-Spam-Level:
X-Spam-Status: No, score=-7.759 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lowentropy.net header.b=UlRHXOCV; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=YwObGG5I
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cUwP1Yg5tMAN for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 18 Oct 2022 17:24:16 -0700 (PDT)
Received: from lyra.w3.org (lyra.w3.org [128.30.52.18]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C2796C1524B1 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Tue, 18 Oct 2022 17:24:16 -0700 (PDT)
Received: from lists by lyra.w3.org with local (Exim 4.94.2) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1okwpt-0028ZZ-SO for ietf-http-wg-dist@listhub.w3.org; Wed, 19 Oct 2022 00:21:29 +0000
Resent-Date: Wed, 19 Oct 2022 00:21:29 +0000
Resent-Message-Id: <E1okwpt-0028ZZ-SO@lyra.w3.org>
Received: from mimas.w3.org ([128.30.52.79]) by lyra.w3.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <mt@lowentropy.net>) id 1okwpp-0028YR-N7 for ietf-http-wg@listhub.w3.org; Wed, 19 Oct 2022 00:21:25 +0000
Received: from out5-smtp.messagingengine.com ([66.111.4.29]) by mimas.w3.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <mt@lowentropy.net>) id 1okwpn-00FPkd-8P for ietf-http-wg@w3.org; Wed, 19 Oct 2022 00:21:25 +0000
Received: from compute3.internal (compute3.nyi.internal [10.202.2.43]) by mailout.nyi.internal (Postfix) with ESMTP id 9A7FE5C00C3 for <ietf-http-wg@w3.org>; Tue, 18 Oct 2022 20:21:11 -0400 (EDT)
Received: from imap41 ([10.202.2.91]) by compute3.internal (MEProxy); Tue, 18 Oct 2022 20:21:11 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lowentropy.net; h=cc:content-transfer-encoding:content-type:date:date:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to; s=fm1; t=1666138871; x= 1666225271; bh=RJQM5xv2kEKwEUlMIBm7yUgdviJ6mb3jbsMP4vkZK3Y=; b=U lRHXOCVtL+qgtP+JfXi9FiGb+mwmLGYgGexKNe3jkmCqvAJd4NFt5KQYA5EMp0Ft gDH8xBOUNne/Ve7dDKdjtZ1zTqnTS2EABfsDd2lFXgTdQJ5oGx0yA5MPIlGYEH1H cVZgq3RIDWKWF/YtdbaSVqGvE9fDXIMh8Q9kM1HlT7hdkLY7EHujHw0Vv/ejatiw hgXFH6eihvGExtOpbgo881kaR2kx2p2Tv9o/3V4SY+XawCUeqbxhnhNQ5pi2o1Mi g8TSi775LYP/6idEbBGPLn93nArrmOc+BbjycCCFGT8M8SGWfz1dR8wK/HQUBNlZ 5w9Rca9A8Lj9idPXkR/Gw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:date:feedback-id:feedback-id:from:from:in-reply-to :in-reply-to:message-id:mime-version:references:reply-to:sender :subject:subject:to:to:x-me-proxy:x-me-proxy:x-me-sender :x-me-sender:x-sasl-enc; s=fm3; t=1666138871; x=1666225271; bh=R JQM5xv2kEKwEUlMIBm7yUgdviJ6mb3jbsMP4vkZK3Y=; b=YwObGG5I8UisF/Tlu xjGDTdatZNAf12g3cOwl2Al1Llm0vE0COaKVibR4Vu41G992VjMUzSlOHn44K3PF oPBO8my1KJ3IaS4rFZ+NBvd1QWPp8mVEBPislKm7XvgqpyDne5t3j5vjeGB+3p0R eAtssMkGR2bB6xy6yKClyDy/svJdy3AjpnptU/zeA3dBKaT1i0Fj3VN2T+oQLZBm OWa5htGrsTy6QFgqYb+RaZMgjZCbpfF7hpgBFNJGGII/XLfwISEuXFNpgLLbXJpX IyaH+p7t6GnMPqnkmX0lXtPQHWY/N7u9LqKYGiWhcpreGdrNfaMG7vmBjokJ7cTq kTPAg==
X-ME-Sender: <xms:90JPYwkHXAdNaY9gdkMsxlLdGLmNMLa_bnUc9EyZChCtw7eZHRIgFQ> <xme:90JPY_0ww2IEnfzvRbhTHCq-2Qt5N1hREtOb01SJMkenJprYcOKp5nsOzKREVWDDb cYPWz5LHabrflrEZbU>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvfedrfeelfedgfeefucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucenucfjughrpefofgggkfgjfhffhffvufgtgfesth hqredtreerjeenucfhrhhomhepfdforghrthhinhcuvfhhohhmshhonhdfuceomhhtsehl ohifvghnthhrohhphidrnhgvtheqnecuggftrfgrthhtvghrnhepuefhleejledvvdegfe eigeeikeegvedujedtvdeutdehgeeutedukeeuudevlefgnecuffhomhgrihhnpehhthht phdqrhgvlhgrthgvugdrohhnvgdphhhtthhpohhrfhhorhgrnhgvfiifghhtohgsvghfoh hrmhgvughorhhfohhrnhhorggtthhiohhnrdhinhenucevlhhushhtvghrufhiiigvpedt necurfgrrhgrmhepmhgrihhlfhhrohhmpehmtheslhhofigvnhhtrhhophihrdhnvght
X-ME-Proxy: <xmx:90JPY-qBu_FRkWetQVZnbOMp5iEgE58Pz4T5ZAnqUHFBf8_UGckmkw> <xmx:90JPY8n4KVj9kDG2PH8dEcrnNBH3IA5VKiCMTw0CnzPMGQ_TYH5eTQ> <xmx:90JPY-1H8yLJI6oC7wpN_LWsFP38O03ua0pEKYbbmDpJLY6xMKcunA> <xmx:90JPY_Dp2EKt--Vfekj_4cP5-P8TRPCtGpITtm-kZrVezGFxflc7Zw>
Feedback-ID: ic129442d:Fastmail
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 6DBA3234007B; Tue, 18 Oct 2022 20:21:11 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.7.0-alpha0-1047-g9e4af4ada4-fm-20221005.001-g9e4af4ad
Mime-Version: 1.0
Message-Id: <53f7f09e-8c75-4fe2-86a0-8c3a38e7f16c@betaapp.fastmail.com>
In-Reply-To: <41C874A5-B6E3-40AA-95DD-4044938D7E2A@mnot.net>
References: <SJ0PR11MB50860B6C41B4AD7439E03CCDFF229@SJ0PR11MB5086.namprd11.prod.outlook.com> <2D1C5FC2-B904-4E5C-A9FE-ED91EFE9EDB2@mnot.net> <SJ0PR11MB508683F38E26D37FDCEF35F6FF259@SJ0PR11MB5086.namprd11.prod.outlook.com> <SJ0PR11MB508691A7509410126D2D1721FF289@SJ0PR11MB5086.namprd11.prod.outlook.com> <41C874A5-B6E3-40AA-95DD-4044938D7E2A@mnot.net>
Date: Wed, 19 Oct 2022 11:20:54 +1100
From: Martin Thomson <mt@lowentropy.net>
To: ietf-http-wg@w3.org
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Received-SPF: pass client-ip=66.111.4.29; envelope-from=mt@lowentropy.net; helo=out5-smtp.messagingengine.com
X-W3C-Hub-DKIM-Status: validation passed: (address=mt@lowentropy.net domain=lowentropy.net), signature is good
X-W3C-Hub-DKIM-Status: validation passed: (address=mt@lowentropy.net domain=messagingengine.com), signature is good
X-W3C-Hub-Spam-Status: No, score=-7.1
X-W3C-Hub-Spam-Report: BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, W3C_AA=-1, W3C_DB=-1, W3C_IRA=-1, W3C_IRR=-3, W3C_WL=-1
X-W3C-Scan-Sig: mimas.w3.org 1okwpn-00FPkd-8P 4745b650c37d0d1a7b61d7df33f378b2
X-Original-To: ietf-http-wg@w3.org
Subject: Re: IETF HTTPBIS I-D submission - please review draft-sandowicz-httpbis-httpa2
Archived-At: <https://www.w3.org/mid/53f7f09e-8c75-4fe2-86a0-8c3a38e7f16c@betaapp.fastmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/40467
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

I agree with everything Mark says here, but I want to add one bit of colour: The disposition of the HTTP working group toward this work is likely to be seriously considered in any "dispatch" process (I suggest SECDISPATCH).  So requesting feedback here is a good way to improve the chances of a positive outcome there.  I would say the same - though to a lesser extent perhaps - for the RATS WG and other groups that are working in the general area of attestations and "trusted" computing.

As I've noted elsewhere, from my perspective, I am not able to provide any truly substantial feedback on this work until it gains greater clarity.  I would recommend finding time to talk about use cases, problem statements, and threat models a little more before revising the draft and then seeking to engage with the "dispatch" process.

Cheers,
Martin

On Wed, Oct 19, 2022, at 09:52, Mark Nottingham wrote:
> Hello Krzysztof,
>
> I can see your draft on the data tracker now.
>
> For the HTTP WG to adopt a draft, we need to see that there's both 
> interest in implementing it and consensus to adopt it. The best way to 
> do that is to circulate the draft on the mailing list (which you've now 
> done) -- if there's interest, people will express it there.
>
> We also need to assure that it's in-scope for the group; sometimes, 
> it's better to take work into a separate group, even though it's 
> HTTP-related. One way to do that is to take it to the DISPATCH and/or 
> SECDISPATCH Working Group, so that the broader community can have a 
> discussion about what an appropriate path forward is. 
>
> Note that this is not a simple 'reject/approve' decision -- building 
> consensus to do work usually takes considerable time and effort. If 
> work starts (either in an existing group or a new one), the document 
> will at *most* be a starting point for work, and there will need to be 
> consensus demonstrated on its contents and all their details. 
>
> Importantly, change control for the document (if adopted as a starting 
> point for work) will transfer from the authors to the IETF. That means 
> that as authors, you will have no greater rights to determine what it 
> contains than anyone else in the process.
>
> As I said before, my recommendation would be to take this document to 
> DISPATCH and/or SECDISPATCH, to present it to the broader community. 
> This is not a review process; it's presenting your draft for discussion 
> and a recommendation as to a path forward. That recommendation might be 
> to send it for consideration by an existing WG (like HTTP), or for a 
> new WG to be formed, or for no action. In the latter case, you're 
> welcome to continue working on the draft to try to address feedback you 
> receive.
>
> Hope this helps,
>
>
>> On 19 Oct 2022, at 2:25 am, Sandowicz, Krzysztof <krzysztof.sandowicz@intel.com> wrote:
>> 
>> Hi,
>> Please let me know what is the next step in IETF process regarding Internet-Draft (draft-sandowicz-httpbis-httpa2) submitted by me?
>> Please confirm that you can find my draft on the datatracker?
>> 
>> I assumed that submitted draft is decided to be either rejected or approved by any WG and then its name is changed
>> from
>> 	draft-(author)-(group)-(subject)-(version) (i.e. draft-sandowicz-httpbis-httpa2-00)
>> into
>> 	draft-(source)-(group)-(subject)-(version) (i.e. draft-ietf-httpbis-httpa2-00)
>> 
>> and then I should expect feedback from WG which adopt/approve the submission.
>> 
>> Regards,
>> Krzysztof
>> 
>> -----Original Message-----
>> From: Sandowicz, Krzysztof 
>> Sent: Thursday, October 13, 2022 12:25 PM
>> To: Mark Nottingham <mnot@mnot.net>
>> Cc: francesca.palombini@ericsson.com; tpauly@apple.com; Murray S. Kucherawy <superuser@gmail.com>
>> Subject: RE: IETF HTTPBIS I-D submission - please review draft-sandowicz-httpbis-httpa2
>> 
>> Mark,
>> Thank you for quick response.
>> I didn't receive any email to confirm posting before. 
>> I could find it on: https://datatracker.ietf.org/submit/status/ using our I-D name: draft-sandowicz-httpbis-httpa2 I just updated submitter information in our submission on datatracker.ietf.org, so submission status has chaned to 'Posted'. Please try again.
>> 
>> Yes, we prepared HTTPA/2 which is newer version of our https://arxiv.org/abs/2110.07954
>> 
>> I thought that it is internal IETF decision which WG would review I-D. That's why I submitted it to HTTPBIS, but I will also send email to DISPATCH and SECDISPATCH WG.
>> Thank you for feedback about a name 'HTTPA'. I let authors to change it in newer version.
>> 
>> Regards,
>> Krzysztof
>> 
>> -----Original Message-----
>> From: Mark Nottingham <mnot@mnot.net>
>> Sent: Thursday, October 13, 2022 1:38 AM
>> To: Sandowicz, Krzysztof <krzysztof.sandowicz@intel.com>
>> Cc: francesca.palombini@ericsson.com; tpauly@apple.com; Murray S. Kucherawy <superuser@gmail.com>
>> Subject: Re: IETF HTTPBIS I-D submission - please review draft-sandowicz-httpbis-httpa2
>> 
>> [ CCing in Murray as AD, since Francesca is on leave ]
>> 
>> Hello Krzysztof,
>> 
>> I can't find your draft on the datatracker -- did you follow the link in the email you received to confirm posting?
>> 
>> Assuming that your proposal is along the lines of this paper: <https://arxiv.org/abs/2110.07954>, there are a few things to consider. 
>> 
>> The HTTP Working Group is definitely the body who would assure that the proposed extension uses HTTP in an appropriate manner. 
>> 
>> Sometimes, extensions like this are standardised directly by the HTTP Working Group, because they are sufficiently generic that they're likely to be broadly applicable -- for example, the in-process Signatures draft <https://httpwg.org/http-extensions/draft-ietf-httpbis-message-signatures.html>.
>> 
>> In other cases, there's a specific community focused on the applicable use cases, and the work is carried out in a separate Working Group that liaises with the HTTP Working Group. For example, the MASQUE Working Group <https://ietf-wg-masque.github.io> is defining extensions to HTTP for very specific uses.
>> 
>> There are a number of factors that go into determining which approach is appropriate, but before that it's necessary to determine whether the IETF believes the work should commence. So, I'd recommend taking your work to one or both of the DISPATCH and SECDISPATCH Working Groups, who are set up to answer these questions (in the ART and SEC areas, respectively). See:
>>  https://datatracker.ietf.org/wg/dispatch/about/
>>  https://datatracker.ietf.org/wg/secdispatch/about/
>> 
>> Specifically, I think your next step is to send an e-mail to one or both of those mailing lists asking for time at IETF115. If you ask for time at both, it's polite to tell them that.
>> 
>> Separately, you should know that there's likely to be a strong negative reaction to a name like "HTTPA." There's a widely-held belief that giving HTTPS a separate name to denote a security property was a mistake that we would undo if we could. Calling this something like "Attestation Extensions for HTTP" is likely to get a better reaction.
>> 
>> Cheers,
>> 
>> 
>>> On 12 Oct 2022, at 8:24 pm, Sandowicz, Krzysztof <krzysztof.sandowicz@intel.com> wrote:
>>> 
>>> Hi,
>>> In the name of group of people working on an extension to HTTP protocol with attestation called: “The Hypertext Transfer Protocol Attestable (HTTPA)” I submitted our Internet-Draft to IETF.
>>> Please find it on: https://datatracker.ietf.org/submit/status/ using 
>>> our I-D name: draft-sandowicz-httpbis-httpa2
>>> 
>>> I receive information from IETF support that I should ask you (HTTPBIS WG) to ask for review of the document in order to progress it to getting adopted by a working group.
>>> Please let me know what do you need from me to proceed with IETF process to publish RFC.
>>> 
>>> Regards,
>>> Krzysztof Sandowicz
>>> 
>>> ======================================================================
>>> ======= Cloud Software Architect, Intel Product Assurance & Security / 
>>> Security Software and Services Direct (Poland): +48 (58) 766 1619,
>>> iNET: 8-348-1619
>>> ======================================================================
>>> =======
>>> 
>>> 
>>> Intel Technology Poland sp. z o.o.
>>> ul. Słowackiego 173 | 80-298 Gdańsk | Sąd Rejonowy Gdańsk Północ | VII Wydział Gospodarczy Krajowego Rejestru Sądowego - KRS 101882 | NIP 957-07-52-316 | Kapitał zakładowy 200.000 PLN.
>>> Spółka oświadcza, że posiada status dużego przedsiębiorcy w rozumieniu ustawy z dnia 8 marca 2013 r. o przeciwdziałaniu nadmiernym opóźnieniom w transakcjach handlowych.
>>> 
>>> Ta wiadomość wraz z załącznikami jest przeznaczona dla określonego adresata i może zawierać informacje poufne. W razie przypadkowego otrzymania tej wiadomości, prosimy o powiadomienie nadawcy oraz trwałe jej usunięcie; jakiekolwiek przeglądanie lub rozpowszechnianie jest zabronione.
>>> This e-mail and any attachments may contain confidential material for the sole use of the intended recipient(s). If you are not the intended recipient, please contact the sender and delete all copies; any review or distribution by others is strictly prohibited.
>>> 
>> 
>> --
>> Mark Nottingham   https://www.mnot.net/
>> 
>> ---------------------------------------------------------------------
>> Intel Technology Poland sp. z o.o.
>> ul. Slowackiego 173 | 80-298 Gdansk | Sad Rejonowy Gdansk Polnoc | VII Wydzial Gospodarczy Krajowego Rejestru Sadowego - KRS 101882 | NIP 957-07-52-316 | Kapital zakladowy 200.000 PLN.
>> Spolka oswiadcza, ze posiada status duzego przedsiebiorcy w rozumieniu ustawy z dnia 8 marca 2013 r. o przeciwdzialaniu nadmiernym opoznieniom w transakcjach handlowych.
>> 
>> Ta wiadomosc wraz z zalacznikami jest przeznaczona dla okreslonego adresata i moze zawierac informacje poufne. W razie przypadkowego otrzymania tej wiadomosci, prosimy o powiadomienie nadawcy oraz trwale jej usuniecie; jakiekolwiek przegladanie lub rozpowszechnianie jest zabronione.
>> This e-mail and any attachments may contain confidential material for the sole use of the intended recipient(s). If you are not the intended recipient, please contact the sender and delete all copies; any review or distribution by others is strictly prohibited.
>
> --
> Mark Nottingham   https://www.mnot.net/

v2.23.0 | Report a Bug | By Email