Re: Genart last call review of draft-ietf-httpbis-client-hints-13
Yoav Weiss <yoav@yoav.ws> Fri, 08 May 2020 04:37 UTC
Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 334243A003C for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 7 May 2020 21:37:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.65
X-Spam-Level:
X-Spam-Status: No, score=-2.65 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=yoav-ws.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 13J0BIlrnzrl for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 7 May 2020 21:37:17 -0700 (PDT)
Received: from lyra.w3.org (lyra.w3.org [128.30.52.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 232F43A003B for <httpbisa-archive-bis2Juki@lists.ietf.org>; Thu, 7 May 2020 21:37:16 -0700 (PDT)
Received: from lists by lyra.w3.org with local (Exim 4.92) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1jWuiV-0002pu-MA for ietf-http-wg-dist@listhub.w3.org; Fri, 08 May 2020 04:34:31 +0000
Resent-Date: Fri, 08 May 2020 04:34:31 +0000
Resent-Message-Id: <E1jWuiV-0002pu-MA@lyra.w3.org>
Received: from mimas.w3.org ([128.30.52.79]) by lyra.w3.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <yoav@yoav.ws>) id 1jWuiU-0002p3-35 for ietf-http-wg@listhub.w3.org; Fri, 08 May 2020 04:34:30 +0000
Received: from mail-lj1-x230.google.com ([2a00:1450:4864:20::230]) by mimas.w3.org with esmtps (TLS1.3:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.92) (envelope-from <yoav@yoav.ws>) id 1jWuiR-0004bn-4q for ietf-http-wg@w3.org; Fri, 08 May 2020 04:34:29 +0000
Received: by mail-lj1-x230.google.com with SMTP id e25so249765ljg.5 for <ietf-http-wg@w3.org>; Thu, 07 May 2020 21:34:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yoav-ws.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=wV2UhQaSoniRnjcCnVAHBBMfQ6r3UeG3UxAkWPYKyC8=; b=k8Ux73lDC/H6EuvYu8uW+31gAU46pikbcFOp1ZHq1G1zErdmS++N17zDqlOkNR5NJv ftmCgv/VDXYV32D96UVuEjCr36G50gHbwfRKOlsiSJ/Rfvs+T7lCBIt5ro0oxqxR74FE ulcWn3/VRqTgLmA+6w4s3xPYOlMWbCMfrHC6cnzmb1vXVisKXs3+WNerjxM2V+OTJrWc YDAeiFm5SgWKYScKhuuxjQiwWYujmDBLtJCPfF2hxn4x3J2GzqmKAF+LP0RjsfhzEhXG PRXXWcAYIEnvSKZu3pB21U9YKEgfITy4qemOmMJeUO/6ZxD7kVo+diy1hjbUKybzy44g 2RZA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=wV2UhQaSoniRnjcCnVAHBBMfQ6r3UeG3UxAkWPYKyC8=; b=mthPhctdxW+4CDqlusRbxWYo5c7EgexDQ8WmGeRC5ss3lxwU8974sHx1OAsUal430h Qj9YDkAgWrQoItE5MYDyc+YDJ9pDLnxsKXv/OrEPYsVjpRfynJWZUJul6kOrhprGL0je ZEUzT9B0yXgHG5RGIscdHolHMulb3TgQD4e3Kgv8F9urhQBmjvyqjiX7lGStlKPHATPy XHf43+KQWS15RZzmv2YScVjX8g3g6wjEloniVznX86wPbCPZo40x/BzQz+BlcJCNenXD kvwVcWtP1QKj5dlBFYJESDJKgbgU0VQh4K2+K7kbJQ6pYXscQzaELeuGFYnjIsSrq24U rMgQ==
X-Gm-Message-State: AOAM531KpJPD18w61ez2xZyPVft5hFp5E3DW7A2mxJLocaa1Fs7wzQEo fLvYaDvy1jLJiPA+YcRDxQUffQA7fp1+LfBCtWKezw==
X-Google-Smtp-Source: ABdhPJyvqRZBufmHpYgyqwvUDrSTA4nlh9V+qvTkAyt2AL4mt0+GOsk074/1RWAaowcQSIGyvMnKZ2GcO9JJ6HtK6p8=
X-Received: by 2002:a05:651c:1055:: with SMTP id x21mr352013ljm.210.1588912454310; Thu, 07 May 2020 21:34:14 -0700 (PDT)
MIME-Version: 1.0
References: <158837305177.24719.21462684096579298@ietfa.amsl.com> <CACj=BEhNqVRxQagFmJ4sbXrn=YOWAYPBqODw_rL7MZbUDjNq5w@mail.gmail.com> <A2613BDC-7577-4BED-8AB5-4799973A1586@ericsson.com> <CACj=BEivQgTBrznaHjmdgOP+1O9fRR7xtX2m_u3JMV4eGfkqFQ@mail.gmail.com> <4243CEA9-67C6-4D3D-A554-9911847CA782@ericsson.com> <CACj=BEhXjntmamP_MMw6kkiXRwOX2B-j8-Ho6EJzPtwPQGoQaQ@mail.gmail.com> <CACj=BEjhnWAQV4Odo3P3yVpmTmVZg=bCgiJrzXE87mCjCzg_YA@mail.gmail.com> <CALaySJK3RULGGBPeR0E-9-r3MGwWeQA-HmGQ9cQ3imrHkktqqw@mail.gmail.com>
In-Reply-To: <CALaySJK3RULGGBPeR0E-9-r3MGwWeQA-HmGQ9cQ3imrHkktqqw@mail.gmail.com>
From: Yoav Weiss <yoav@yoav.ws>
Date: Fri, 08 May 2020 06:33:58 +0200
Message-ID: <CACj=BEjXkrAZ2R6=S2Ci9A0ynxxjftLg0wHJupYkPdf0BSexSQ@mail.gmail.com>
To: Barry Leiba <barryleiba@computer.org>
Cc: Christer Holmberg <christer.holmberg@ericsson.com>, "draft-ietf-httpbis-client-hints.all@ietf.org" <draft-ietf-httpbis-client-hints.all@ietf.org>, "gen-art@ietf.org" <gen-art@ietf.org>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>, "last-call@ietf.org" <last-call@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000006b33f505a51b8225"
Received-SPF: pass client-ip=2a00:1450:4864:20::230; envelope-from=yoav@yoav.ws; helo=mail-lj1-x230.google.com
X-W3C-Hub-Spam-Status: No, score=-8.9
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, W3C_AA=-1, W3C_DB=-1, W3C_IRA=-1, W3C_IRR=-3, W3C_WL=-1
X-W3C-Scan-Sig: mimas.w3.org 1jWuiR-0004bn-4q 1950f8aef2618e802ae16258af0e1afc
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Genart last call review of draft-ietf-httpbis-client-hints-13
Archived-At: <https://www.w3.org/mid/CACj=BEjXkrAZ2R6=S2Ci9A0ynxxjftLg0wHJupYkPdf0BSexSQ@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/37588
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
On Thu, May 7, 2020 at 3:07 PM Barry Leiba <barryleiba@computer.org> wrote: > Please post a revised I-D when you’re ready; thanks. > Will do as soon as the PR <https://github.com/httpwg/http-extensions/pull/1171> is approved and landed. > > Barry > > On Thu, May 7, 2020 at 6:02 AM Yoav Weiss <yoav@yoav.ws> wrote: > >> Addressed the latest points in the PR. Thanks! :) >> >> On Wed, May 6, 2020 at 3:20 PM Yoav Weiss <yoav@yoav.ws> wrote: >> >>> >>> >>> On Wed, May 6, 2020 at 2:43 PM Christer Holmberg < >>> christer.holmberg@ericsson.com> wrote: >>> >>>> Hi Yoav, >>>> >>>> >> I have not received the pull request yet, so I will comment only >>>> based on your e-mail reply :) >>>> > >>>> > Apologies for the delay. PR is now up at >>>> https://protect2.fireeye.com/v1/url?k=0a42e34e-54e25920-0a42a3d5- >>>> > >>>> 869a14f4b08c-11c3f32cbd74f2f2&q=1&e=978d85da-fab3-4523-a8d9-447aa6bdf056&u= >>>> https://github.com/httpwg/http-extensions/pull/1171 >>>> >>>> Thanks! >>>> >>>> I think it looks ok. >>>> >>>> BTW, are high-entropy and low-entropy defined and well-known HTTP terms? >>>> >>> >>> I'm not sure. The browser processing model defines a list of low-entropy >>> CH headers: >>> https://wicg.github.io/client-hints-infrastructure/#low-entropy-table >>> I could point at that. >>> >>> >>>> --- >>>> >>>> MaQ3: >>>> >>>> >>>> Related to MaQ2, what happens if a server receives hints that it >>>> does not >>>> >>>> understand, or does not support? >>>> >>> >>>> >>> Servers SHOULD ignore hints they do not understand or do not >>>> support. >>>> >> >>>> >> Is there are reason for not using MUST? SHOULD typically means >>>> MUST-unless-X. What would X be? >>>> >> >>>> >> Is there a way for the server to indicate to the client that it did >>>> not understand/support the hints? Whatever the answer, I think it would be >>>> good to have some text about that. >>>> > >>>> > There's no such a mechanism, similar to other request headers. >>>> > Do you have sample text in mind that may make that point clearer? >>>> >>>> Maybe just a note pointing out that there is no mechanism for a server >>>> to inform a client whether it understands and supports the hints. >>>> >>>> --- >>>> >>>> Minor issues: >>>> >>>> MiQ1: >>>> >>>> >>> Section 1 described that proactive content negotiation allows >>>> servers to >>>> >>> silently fingerprint the user agent. >>>> >>> >>>> >>> But, later in the Section it is described that Client Hints also >>>> allow a server >>>> >>> the perform fingerprinting, and the Security Considerations also >>>> say that there >>>> >>> is really no difference. >>>> >>> >>>> >>> So, does Section 1 need to talk about fingerprinting at all? >>>> >> >>>> >> Section 1 describes the fact that traditional (read: pre-Client >>>> Hints) content negotiation methods relied on sending information to all >>>> servers, which enabled passive fingerprinting, >>>> >> and how Client Hints breaks away from that paradigm, by only sending >>>> (high entropy) hints when the server needs them and opts-in to receive them. >>>> >> >>>> >> A server can request the hints even if it doesn't "need" them, but >>>> it wants to do fingerprinting. The client does not know what the server >>>> will do with the information. >>>> >> >>>> >> My point is that the reader should not get an impression that client >>>> hints somehow prevents fingerprinting. It doesn't. The only difference is >>>> that the server has to ask for the information. >>>> > >>>> > Current draft includes " Client Hints mitigate ... privacy concerns >>>> of passive fingerprinting by requiring explicit opt-in and disclosure of >>>> > required headers by the server through the use of the Accept-CH >>>> response header." >>>> > Should that be clearer? >>>> >>>> Yes, I think it is better. >>>> >>>> ------- >>>> >>>> Regards, >>>> >>>> Christer >>>> >>>>
- Re: [Last-Call] Genart last call review of draft-… Christer Holmberg
- Re: Genart last call review of draft-ietf-httpbis… Yoav Weiss
- Re: Genart last call review of draft-ietf-httpbis… Christer Holmberg
- Re: Genart last call review of draft-ietf-httpbis… Yoav Weiss
- Re: Genart last call review of draft-ietf-httpbis… Christer Holmberg
- Re: Genart last call review of draft-ietf-httpbis… Yoav Weiss
- Re: Genart last call review of draft-ietf-httpbis… Yoav Weiss
- Re: Genart last call review of draft-ietf-httpbis… Barry Leiba
- Re: Genart last call review of draft-ietf-httpbis… Christer Holmberg
- Re: Genart last call review of draft-ietf-httpbis… Yoav Weiss