Re: last call Feedback for Opportunistic Security for HTTP (Experimental)

Mark Nottingham <> Thu, 08 September 2016 00:06 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 5801612B0D7 for <>; Wed, 7 Sep 2016 17:06:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -8.429
X-Spam-Status: No, score=-8.429 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-1.508, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id UrsiuOpgulIA for <>; Wed, 7 Sep 2016 17:06:09 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id DA7F012B0AA for <>; Wed, 7 Sep 2016 17:06:09 -0700 (PDT)
Received: from lists by with local (Exim 4.80) (envelope-from <>) id 1bhmml-0007S5-QZ for; Thu, 08 Sep 2016 00:01:43 +0000
Resent-Date: Thu, 08 Sep 2016 00:01:43 +0000
Resent-Message-Id: <>
Received: from ([]) by with esmtps (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <>) id 1bhmmd-0007QP-Eq for; Thu, 08 Sep 2016 00:01:35 +0000
Received: from ([]) by with esmtps (TLS1.2:DHE_RSA_AES_256_CBC_SHA256:256) (Exim 4.80) (envelope-from <>) id 1bhmmY-0002Uk-UU for; Thu, 08 Sep 2016 00:01:33 +0000
Received: from [] (unknown []) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPSA id 2755622E256; Wed, 7 Sep 2016 20:01:05 -0400 (EDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Mark Nottingham <>
In-Reply-To: <>
Date: Thu, 08 Sep 2016 10:01:03 +1000
Cc: Nick Sullivan <>, Patrick McManus <>, HTTP Working Group <>
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <> <> <>
To: Mike Bishop <>
X-Mailer: Apple Mail (2.3124)
Received-SPF: pass client-ip=;;
X-W3C-Hub-Spam-Status: No, score=-8.3
X-W3C-Hub-Spam-Report: AWL=1.351, BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, W3C_AA=-1, W3C_DB=-1, W3C_IRA=-1, W3C_IRR=-3, W3C_WL=-1
X-W3C-Scan-Sig: 1bhmmY-0002Uk-UU 292566084ac549760fc30f72a113925b
Subject: Re: last call Feedback for Opportunistic Security for HTTP (Experimental)
Archived-At: <>
X-Mailing-List: <> archive/latest/32386
Precedence: list
List-Id: <>
List-Help: <>
List-Post: <>
List-Unsubscribe: <>

> On 8 Sep 2016, at 4:30 AM, Mike Bishop <> wrote:
> I support the theory behind the first change, but I must point out that there’s a substantial procedural hurdle it creates.  If you require strong certificate authentication on the alternate… this is Alt-Svc as already described in an existing Standards-track RFC.  What, precisely, is the experiment this document would describe at that point?  Why do we need an experimental RFC that effectively says “Hey, RFC 7838 – we really meant it!  Try it!”  .wk provides some interesting features we could experiment with, but you can’t require it simply because it’s not in the Alt-Svc spec.  If you’re not doing something different than Alt-Svc, anything you define is inherently an optional extension to it (or a new version).

I agree there's probably more text than necessary (and hopefully we can deforest the document a bit; there's a lot of history in there). 

However, I think *something* is necessary, since using the HTTP URI scheme over a TLS connection isn't described anywhere. You can connect the dots between HTTP, Alt-Svc and the definition of h2, but that's a pretty obscure path...
> The reason it’s currently “fuzzy” is actually very deliberate – RFC 7838 requires “reasonable assurances” that the destination is under the same control as the origin, but defines only one way to do that – certs.  Opp-Sec defines a second, the presence of .wk on both origin and alternate.  It’s optional in that you can use either – but if you don’t want to use certificate validation, then .wk is required as your only other (currently-defined) option.  I think the doc already says that, but if it’s not clear, we should make it clearer.

Right. In Patrick's proposed approach, we'd be using .wk not for Reasonable Assurances in the Alt-Svc sense, but instead to ensure that the alternative has opted into being used in this manner (since it might think it was being served with the HTTPS scheme otherwise).

> I agree that the commitment option in .wk conflicts with that goal a little bit – enhancing .wk to be a more generalized way to add parameters to Alt-Svc is interesting in itself.  If we have a collection of things we want to put in there, that warrant the new RFC on its own.  But you’re proposing eliminating both purposes that it currently serves, while retaining it, which is… interesting.  J
> From: Nick Sullivan [] 
> Sent: Wednesday, September 7, 2016 10:49 AM
> To: Patrick McManus <>; HTTP Working Group <>
> Subject: Re: last call Feedback for Opportunistic Security for HTTP (Experimental)
> I support this change. Requiring certificate validation for opportunistic security makes it more robust and simplifies the logic around retroactively applying certificate validation to the .wk if the tls-commit is present.
> Nick
> On Wed, Sep 7, 2016 at 10:28 AM Patrick McManus <> wrote:
> Hi all - Firefox Implementer Hat on here.
> Nick @cloudflare and I have been working on implementing the - which is in wg last call on the experimental track.
> Based on that experimental work, I'm going to recommend a few changes to the document before sending to IETF LC. I'll open issues on these too when I get a chance.
> 1] opportunistic security should require TLS authentication. Any other approach undermines the opt-in mechanism of .wk. As the PKI market has matured to allow truly free and automated certs certificate availability is no longer the chief barrier to https, and so opportunistic security should feel comfortable requiring real authentication. (THERE IS NO PROPOSED CHANGE IN THE SECURITY MODEL - HTTP:// IS STILL HTTP:// AND NOT GRANTED HTTPS:// STATUS AT ALL). The biggest barrier to https:// at this point seems to be mixed content.
> 2] /.well-known/http-opportunistic should always be required. The current doc is actually a little fuzzy on this, I think by accident. It refers to this as an "additional mechanism" in addition to authentication. But .wk does not really play the same role - it allows the server to opt-in to being an alternate for specific origins on specific ports. So if we're going to use it - we should always use it. (This has no bearing on https:// alt-svc, this is just about http:// as that is all this doc governs).
> 3] get rid of tls-commit (i.e. the latch to opp sec) as this plays very poorly with alt-svc. The notion of alt-svc has always been that it is a shortcut route (or dns name if your prefer) for the same content as supplied at the default origin. If for any reason you cannot get there, you can always go back to the default origin. All of the machinery around this (validating alternates, etc) can happen transparently and asynchronously in the background until they are ready to be used. A mechanism that requires a characteristic of a route (auth'd TLS) but not the route itself doesn't play well - its far too easy to brick your site for an extended period of time and really ceases to be opportunistic in any meaningful sense. If you're up to managing this, then you're probably up to the fight of running https:// and using HSTS which at least has the benefit of not bringing a whole second technology (alt-svc) into play.
> Let me know what you think.
> -Patrick

Mark Nottingham