Re: I-D Action: draft-ietf-httpbis-client-hints-03.txt

Nick Doty <> Tue, 07 February 2017 00:45 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id E11531293E4 for <>; Mon, 6 Feb 2017 16:45:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -6.421
X-Spam-Status: No, score=-6.421 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RCVD_IN_SORBS_SPAM=0.5, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Tu-yY5OdDpeT for <>; Mon, 6 Feb 2017 16:45:24 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 60AB8126D73 for <>; Mon, 6 Feb 2017 16:45:24 -0800 (PST)
Received: from lists by with local (Exim 4.80) (envelope-from <>) id 1catsK-0003nf-7Q for; Tue, 07 Feb 2017 00:43:16 +0000
Resent-Date: Tue, 07 Feb 2017 00:43:16 +0000
Resent-Message-Id: <>
Received: from ([]) by with esmtps (TLS1.2:RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <>) id 1catsD-0003ld-0P for; Tue, 07 Feb 2017 00:43:09 +0000
Received: from ([]) by with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.84_2) (envelope-from <>) id 1cats6-0002uT-5T for; Tue, 07 Feb 2017 00:43:03 +0000
Received: by with SMTP id 194so32947655pgd.2 for <>; Mon, 06 Feb 2017 16:42:41 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=mime-version:subject:from:in-reply-to:date:cc:message-id:references :to; bh=dr9YhRrFdqJm8xMq+bI70V+c8IXCIaQekTWSlAg9/N8=; b=DrOecoP9UhJPnJgpv6uh0fptSAQPwyQv9GGhHrD2ZAw6ixoZdB3pIwUTrkRnK1tNML 1gVVHWVea0+u84OqUd+pbXzpeJeQaFzHvJDkxYtHde75VcVmPWL1v/RXNZJv1cV1zBZz 2Lm/dEOlcEJWq0hQ/1cFuS96aBlCxkW1t7jzkdMp2+x0GRmbi4nwxXE7CnMDUOQELJHA apP7jKEUk12FcbuSE2i96PAsazVg64y928l/z5ajaBS2zF272n/sz/vN18HyVpoEMFUy vxQGYpcVJc9q+KPSOjynEnpq81cAhioNEcrpImaV+KXC0H4zo5upDJ0jPKb97RQdOdeT VC0A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to; bh=dr9YhRrFdqJm8xMq+bI70V+c8IXCIaQekTWSlAg9/N8=; b=V7Zy2ihBLFi33Lw91sk53F6dCywavgVLJhUm4+wg5UwxieLjBrYHao1k9puHnB6uU5 OdUVl/vzr4wBxchFBRCUKw6EMc7XHDqJ9gsJQj+SLAY5ZZ0N3L22eN2zo1GA4oCcfJQI AJVZzotFl2dJ4QWJposls1va9ZeMeJoEOS6pBUo0S0qmUAn41GBLp4ZTQNSwLeTRy1d3 OMOd1lvLNis5+QIHMH3Oyz+wOKftbJ3wrRhLgae0E0cvzpTy+qke7UAADlCqMoVPDrpU G8wQmFcG9eQiGXA2fu5v8XqF9gqqE78lPYRjIeGhIxyurn02aN1hQfp+lTr3Mn4TVyiq tfPw==
X-Gm-Message-State: AIkVDXKZxWpQFtfTesw/kMZNAgHjSZ1NQh71oCs+CsK/3Kw24scmahTRQjsR1ZhtOpgWkw/Y
X-Received: by with SMTP id b21mr16754669pgg.166.1486428155379; Mon, 06 Feb 2017 16:42:35 -0800 (PST)
Received: from [] ([]) by with ESMTPSA id p15sm5413992pfk.58.2017. (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Mon, 06 Feb 2017 16:42:34 -0800 (PST)
Content-Type: multipart/signed; boundary="Apple-Mail=_BEF255A7-C933-4CD7-BED1-FC83A579A15E"; protocol="application/pgp-signature"; micalg="pgp-sha512"
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Nick Doty <>
In-Reply-To: <>
Date: Mon, 06 Feb 2017 16:42:33 -0800
Cc: Ilya Grigorik <>, HTTP working group mailing list <>, "public-privacy (W3C mailing list)" <>
Message-Id: <>
References: <> <15ba01d24d4b$bbd65ec0$33831c40$> <> <> <> <> <>
To: Mark Nottingham <>
X-Mailer: Apple Mail (2.3124)
Received-SPF: pass client-ip=;;
X-W3C-Hub-Spam-Status: No, score=-2.0
X-W3C-Hub-Spam-Report: AWL=3.444, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RCVD_IN_SORBS_SPAM=0.5, SPF_PASS=-0.001, W3C_AA=-1, W3C_DB=-1, W3C_IRA=-1, W3C_WL=-1
X-W3C-Scan-Sig: 1cats6-0002uT-5T d344dea736a06aef9746d38ed1788197
Subject: Re: I-D Action: draft-ietf-httpbis-client-hints-03.txt
Archived-At: <>
X-Mailing-List: <> archive/latest/33452
Precedence: list
List-Id: <>
List-Help: <>
List-Post: <>
List-Unsubscribe: <>

On Feb 2, 2017, at 5:27 PM, Mark Nottingham <> wrote:
> On 3 Feb 2017, at 10:30 am, Nick Doty <> wrote:
>>>>> Mitigations could include, as Mike suggests, asking users to opt in, although explaining the details to users may be difficult.
>>>> That's already discussed in Security Considerations, although we could certainly expand it. Would you mind making text suggestions?
>>> Nick?
>> A draft of text that could be added to the mechanisms/mitigations paragraph:
>>> Implementers may
> might? Otherwise people could read it as MAY.

Sure. I like "might" for that, but whatever is your group's preferred way to indicate conditionality without RFC2119 status is fine by me.

>> provide user choice mechanisms so that users may balance privacy concerns with bandwidth limitations. Implementations specific to certain use cases or threat models might avoid transmitting these headers altogether, or limit them to authenticated sessions.
> s/authenticated sessions/secure contexts/ (or whatever the current terminology is)?

I actually meant that the UA might want to distinguish between when they know a user is logged-in or otherwise already identified to a site, rather than over a secure HTTPS channel.

>> Implementers should be aware that explaining the privacy implications of passive fingerprinting or network information disclosure may be challenging.
> How is this actionable?

I meant this as a warning or limitation on the use of user choice as a mitigation. Given this challenge, implementations ought to rely on other mitigations unless informed user choice really seems plausible for their population.

>>>>> The first sentence of the Security Considerations section appears to be false.
>>>>>> Client Hints defined in this specification do not expose new
>>>>>> information about the user's environment beyond what is already
>>>>>> available to, and can be communicated by, the application at runtime
>>>>>> via JavaScript and CSS.
>> Presumably this could be addressed in re-writing the Security Considerations section. A potential start to that section:
>> Client Hints defined in this specification may expose information about user's devices or network connections and include information in HTTP headers that may previously have been accessible through client-side scripting. Implementers should be aware of implications for new information disclosure, information disclosure to different parties and for the increased capacity for passive fingerprinting.
> +1