Re: Artart last call review of draft-ietf-httpbis-compression-dictionary-16

Patrick Meenan <pmeenan@google.com> Sun, 25 August 2024 21:47 UTC

Received: by ietfa.amsl.com (Postfix) id 37A40C151538; Sun, 25 Aug 2024 14:47:40 -0700 (PDT)
Delivered-To: ietfarch-httpbisa-archive-bis2juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 35EDFC151532 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Sun, 25 Aug 2024 14:47:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.358
X-Spam-Level:
X-Spam-Status: No, score=-10.358 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=w3.org header.b="No7d34R7"; dkim=pass (2048-bit key) header.d=w3.org header.b="EVUMSJEv"; dkim=pass (2048-bit key) header.d=google.com header.b="080OhVNZ"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id X_NmyIHmB5rX for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Sun, 25 Aug 2024 14:47:36 -0700 (PDT)
Received: from mab.w3.org (mab.w3.org [IPv6:2600:1f18:7d7a:2700:d091:4b25:8566:8113]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1D1B0C15106E for <httpbisa-archive-bis2Juki@ietf.org>; Sun, 25 Aug 2024 14:47:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=w3.org; s=s1; h=Subject:Content-Type:Cc:To:Message-ID:Date:From:In-Reply-To: References:MIME-Version:Reply-To; bh=SGb+s6kScpkvtxeBAs/T7H2zhHDC366ci7IOc2AgKvw=; b=No7d34R72tBWKN/gwcE4LcroKM FLHHuPUUmVHOEgwDgHQB1q+ULIGi89OW7qWTXfzPQ/RJ0APpeEYnnflpyB2BS12Z4OTMX/jN39Dl8 1snEWh5qnTAHdfwIHBkHThJ0yT87WfDvABQf+UfoR3jvwY2BiViCyqUyEaHOAeOt6AZtz5rNB30Ev +IGt1zasUoN6kF+NBAJMaEVQWa+G3QyQnT2grW+NzPO6TF94w6Ko6UKPC319O607vOQpTCMbQJfR3 lrdEWnpz+JA33JCyjoIZmTsDJmXJzzsbgkr6k/t8DLnK1VGHyUJ05bB7XP8qnS6nPXXYSrq7FuisB 45XkxqmA==;
Received: from lists by mab.w3.org with local (Exim 4.96) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1siL4I-00G53Z-2M for ietf-http-wg-dist@listhub.w3.org; Sun, 25 Aug 2024 21:46:38 +0000
Resent-Date: Sun, 25 Aug 2024 21:46:38 +0000
Resent-Message-Id: <E1siL4I-00G53Z-2M@mab.w3.org>
Received: from ip-10-0-0-224.ec2.internal ([10.0.0.224] helo=puck.w3.org) by mab.w3.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from <pmeenan@google.com>) id 1siL4G-00G52o-2y for ietf-http-wg@listhub.w3.internal; Sun, 25 Aug 2024 21:46:36 +0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=w3.org; s=s1; h=Content-Type:Cc:To:Subject:Message-ID:Date:From:In-Reply-To: References:MIME-Version:Reply-To; bh=SGb+s6kScpkvtxeBAs/T7H2zhHDC366ci7IOc2AgKvw=; t=1724622396; x=1725486396; b=EVUMSJEv6/mn6Ek1VAML7e/QDbZtLMZNAeEX8I5DvjhFneQer2W7qMyn6IWaQSL6bI/R/HmB1b6 PHoKfoh21M9fvFmGpZXyYlHtwctGyfqCiJZJXeP/wHBDDbqu9lDzNNfURWst2TDpQW3PCOLdivHyy 99GldMyq8eLngFIKhE+mD/6DLzb6z7/Cgl5hzv9iMmYgIPpCB/XhQYai6ecUfeau3g/WA6nsq2ArK 1UMA+l6TG+ISuO1gmkqmycNM/72ONCpAURKiSkmLXBLVc0FFmk8Pgy4u0lNq4lQ5M3yxxqHyLeg3u wEP03X2EaOFIXb29SOaHKIuCvwbi6VTTZ3Sw==;
Received-SPF: pass (puck.w3.org: domain of google.com designates 2607:f8b0:4864:20::b2d as permitted sender) client-ip=2607:f8b0:4864:20::b2d; envelope-from=pmeenan@google.com; helo=mail-yb1-xb2d.google.com;
Received: from mail-yb1-xb2d.google.com ([2607:f8b0:4864:20::b2d]) by puck.w3.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.96) (envelope-from <pmeenan@google.com>) id 1siL4G-00FPJV-01 for ietf-http-wg@w3.org; Sun, 25 Aug 2024 21:46:36 +0000
Received: by mail-yb1-xb2d.google.com with SMTP id 3f1490d57ef6-e1659e9a982so4064238276.1 for <ietf-http-wg@w3.org>; Sun, 25 Aug 2024 14:46:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1724622392; x=1725227192; darn=w3.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=SGb+s6kScpkvtxeBAs/T7H2zhHDC366ci7IOc2AgKvw=; b=080OhVNZx81AApRa4RcohqqdQ8YccNiixGY03rNWl/j2g/+D8BwNxr3Yi/5SOY9WRc lNH6fkhAMP2I4JZ4jd/ayCiTdlQKkS7XAgPqsdzq6POp43ngz59kllCnh9BcnUkx99Qh NCxEfSblDhIMoU/ZmqRnSd2opyPESyUOI0uNzwCHssEdTiRTInp+RIqLIFWfdUiRl4Sk jgHAIl++ccqmLzpehiJ/OanDo2xlZnIBO/F1qsMlcS5w1Z3fNypg2i6uIWTmzO+gzAid us9RDc/A6FO4ew5p8qbLT8/RY7MRdWkTXsjk73bkLlDc2qwnARp88pkQPfBsQ4ZYMauI 7gMA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1724622392; x=1725227192; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=SGb+s6kScpkvtxeBAs/T7H2zhHDC366ci7IOc2AgKvw=; b=aSBQNfjUH1M3tZhppQi7AHGE/79aO/Ogzf2p+bMTUZJfso4wPROtomB/BrQ5HjQqaZ J1YY3vW5rrafJmkquZTOF57BVZ5rJimYcNOG29+vX5fuBpZfugUfjgDituYsIbVaV7bF 7ZdUFI3TwYzEuBwRMDga1PG2WNLyxwNXzmCbqxRZkrGgohc8q959GfAdrQpxT+Vu1BXx yXp0T66HTfFIBkrm4zC+S0fOhPr33Vhdg/82ls93vGIZKEtBKmhUSLMiWv9qpywHhUkD zVfgRU+OeORWGHQhofGqH4cWU7YEBbJBcMChk8cCkXh7XBGCEIrMn9ijZNTn3XdTRlaJ HPTg==
X-Forwarded-Encrypted: i=1; AJvYcCXE0O3loezhUaZBmwpU/vRjwViBfMjxiXLpLgUjEkWD/z5P1WBOiLWd7IrnJXwAsUoG6pYlSDRUKBIUXSo=@w3.org
X-Gm-Message-State: AOJu0YwiDcLTCNffxWOennb2oIF7UPyhVe7yOROdvicLfeI3qXwMl3Qo Yd+xQxKoh3cakcR6LbjWn26t8Ktw6Py0I+AEH7mPdPSoMCmQB7l+BeJriWP9IIR29vaexQ8V7Ch 2PPbxafx30L8ZGjmKavwuBeonpcqiEJUl909L
X-Google-Smtp-Source: AGHT+IHzNobMKL/Bykzfjmgljb+dxfWu9FPjouzVgZK4syySloc1rerNt3gkeEx27i79dcHydKrCGrVGUgAvdOJJa7I=
X-Received: by 2002:a05:6902:100f:b0:e0b:d6aa:43e3 with SMTP id 3f1490d57ef6-e17a83ce7dfmr8941133276.17.1724622391780; Sun, 25 Aug 2024 14:46:31 -0700 (PDT)
MIME-Version: 1.0
References: <172461550400.473980.2265812376540454212@dt-datatracker-584cd6c8dd-fvr2f>
In-Reply-To: <172461550400.473980.2265812376540454212@dt-datatracker-584cd6c8dd-fvr2f>
From: Patrick Meenan <pmeenan@google.com>
Date: Sun, 25 Aug 2024 17:46:19 -0400
Message-ID: <CACPgMqWxLX2cD3Dm_4MzrttCJN9=EeGoALk9=9x-OGfPxdXT6Q@mail.gmail.com>
To: Darrel Miller <darrel@tavis.ca>
Cc: art@ietf.org, draft-ietf-httpbis-compression-dictionary.all@ietf.org, ietf-http-wg@w3.org, last-call@ietf.org
Content-Type: multipart/alternative; boundary="00000000000009c405062088f1e8"
X-W3C-Hub-DKIM-Status: validation passed: (address=pmeenan@google.com domain=google.com), signature is good
X-W3C-Hub-Spam-Status: No, score=-21.6
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, DMARC_PASS=-0.001, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5, W3C_AA=-1, W3C_DB=-1, W3C_IRA=-1, W3C_WL=-1
X-W3C-Scan-Sig: puck.w3.org 1siL4G-00FPJV-01 fc4c3d53498b63e4ef9394ade6e80038
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Artart last call review of draft-ietf-httpbis-compression-dictionary-16
Archived-At: <https://www.w3.org/mid/CACPgMqWxLX2cD3Dm_4MzrttCJN9=EeGoALk9=9x-OGfPxdXT6Q@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/52238
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/email/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

Thanks for the review. I'll work up a draft with the suggested edits but
there were a few points that probably need more discussion:

> ### 2.1.1 match
>
> It is concerning that a feature such as this requires taking a dependency
on
> the URL Pattern specification which is a living standard. In the HTTP API
> space, there are many user agents that are not browsers, that will need to
> implement URL Pattern and that specification could change at any time.  It
> would be much preferable if this specification could take a snapshot of
the
> current URL Pattern behavior and define that in this specification.

There was a LOT of bikeshedding on the match pattern. It was originally a
custom algorithm that only allowed for wildcard but between the w3c and
HTTP working groups we came to a consensus that standardizing on URL
Pattern was a better solution, even for non-browser clients. There are
already rust and js-based libraries and the expectation is that we are
going to converge on using it for pattern matching in a lot more cases and
that there will be libraries available for most platforms to make
integration easier.

As far as taking a snapshot, this was discussed during the IESG telechat
but the standard practice for referencing the living standards is to not
reference a snapshot and that the standard maintainers are responsible for
maintaining backward compatibility. The same goes for the references into
the fetch spec.

> ### 2.1.2 match-dest
>
> It is unclear why match-dest would not be a IANA registry of values that
are
> seeded with the values from the Fetch specification. This would allow for
> values to be added to the registry in order to support the same concept in
> different user agents that do not use the Fetch specification.  It seems
> strange to only allow this feature to be used if the Fetch specification
is
> being used to make requests. Is the destination feature not useful to a
broader
> audience?

At some level the set of destinations needs to be maintained in such a way
that even an IANA list would not contradict the list in the Fetch standard
as the Fetch standard evolves. That would involve keeping them in sync in
such a way that additions to either list don't collide with the other.
Fundamentally that would mean that either an IANA registry would need to
reference Fetch and maintain additional destinations or that Fetch would
need to defer to an IANA registry. At some level it is not that different
from the registry of link relation types. I'd be ok with requesting a new
IANA registry if everyone thinks that's the right path but I'm also a bit
worried if the w3c side would agree that deferring registration of fetch
destinations to IANA was appropriate.

To some extent, the CORS processing also requires a fetch-like client (or
for the client to not be sensitive to CORS).

Would it be better if I make the match-dest matching optional on the client
even if it is specified in the response? The intent is for it to be
compatible in that the client will advertise dictionaries but it is up to
the server to decide to use it or not so if the additional filtering
provided by match-dest isn't applied and the client advertises an
inappropriate dictionary, it would just be ignored.

> ### 2.1.4 type
>
> It is not obvious what the value of this property is.  It has only one
value
> "raw", which is the default value which is described as an "unformatted
blob of
> bytes". It is stated that if a client receives a dictionary of a type
that it
> does not understand, it must not use the dictionary. But type has only one
> value. How can any other value be returned and be compliant with this
> specification? There is no described mechanism of how other values for
type
> could be introduced.
>
> Said another way, what is lost if we drop this section 2.1.4 completely?

"type" is there for future-looking backward compatibility. For example,
Brotli and ZStandard both have encoding-specific dictionary formats that
provide some more capabilities. If, at some point in the future, a spec
decides to use the same dictionary negotiation for one of those types,
using an unknown "type" would allow existing clients to ignore the formats
that they do not understand. Otherwise, any future specs would have to use
a new set of headers entirely (which is an option but would be duplicating
a lot). Since the same response would never be two different types of
dictionary, having an optional value that allows for forward/backward
compatibility felt like a low bar.

> #### 2.2.2 step 7
>
> The instructions suggest to run the "test" method.  Looking at the URL
Pattern
> specification it is not immediately clear what the behaviour of the "test"
> method is. There is a test method defined in some IDL, but it does not
> reference any defined behaviour.  Looking at the section "High Level
> Operations" it might be reasonable to assume that the "test" method
implements
> the "match" operation.  It would be helpful to clarify this in the
> specification.

The PATTERN in the algorithm is explicitly an instance of the URLPattern
class which has the "test" method and operation defined:
https://urlpattern.spec.whatwg.org/#dom-urlpattern-test

Should I be referencing it in another way to be clear that that is the IDL
that it is referencing and that the method steps are in the URLPattern spec
(or for clarity of reading, just a bit more text to "run the 'test' method
which executes the URL matching algorithm"?

Thanks,

-Pat

On Sun, Aug 25, 2024 at 3:51 PM Darrel Miller via Datatracker <
noreply@ietf.org> wrote:

> Reviewer: Darrel Miller
> Review result: Almost Ready
>
> I am the assigned Art-ART reviewer for this draft. The General Area
> Review Team (Art-ART) reviews all IETF documents being processed
> by the IESG for the IETF Chair.  Please treat these comments just
> like any other last call comments.
>
> In general this document is well written and its value is clear from the
> use
> cases provided. I think capability has the potential to have a significant
> impact on the HTTP API ecosystems as well as browser user agents.
>
> I do not see any major issues with the document as written, but there are
> some
> areas that I think could be improved to address a broader audience.
>
> ## 1.  Introduction
>
> It states that the document registers media types for content encoding
> Brotli
> and Zstandard, however there are no media type registrations in the
> document.
> There are however registrations for content encoding values.
>
> ### 1.1.2 Common Content
>
> The example suggests that the first request returns app.v1.js which is
> from the
> previous example.
>
> ### 2.1.1 match
>
> It is concerning that a feature such as this requires taking a dependency
> on
> the URL Pattern specification which is a living standard. In the HTTP API
> space, there are many user agents that are not browsers, that will need to
> implement URL Pattern and that specification could change at any time.  It
> would be much preferable if this specification could take a snapshot of the
> current URL Pattern behavior and define that in this specification.
>
> ### 2.1.2 match-dest
>
> It is unclear why match-dest would not be a IANA registry of values that
> are
> seeded with the values from the Fetch specification. This would allow for
> values to be added to the registry in order to support the same concept in
> different user agents that do not use the Fetch specification.  It seems
> strange to only allow this feature to be used if the Fetch specification is
> being used to make requests. Is the destination feature not useful to a
> broader
> audience?
>
> ### 2.1.4 type
>
> It is not obvious what the value of this property is.  It has only one
> value
> "raw", which is the default value which is described as an "unformatted
> blob of
> bytes". It is stated that if a client receives a dictionary of a type that
> it
> does not understand, it must not use the dictionary. But type has only one
> value. How can any other value be returned and be compliant with this
> specification? There is no described mechanism of how other values for type
> could be introduced.
>
> Said another way, what is lost if we drop this section 2.1.4 completely?
>
> #### 2.1.5.2 versioned directories
>
> The use of the term directory here seems to be making some assumptions
> about
> the implementation. Would the more generic term "segment" be more
> appropriate?
>
> ### 2.2.2 Dictionary URL matching
>
> The first paragraph infers that both "match" and "match-dest" strings are
> stored with the dictionary. However, "match-dest" is indicated as optional
> in
> the Use-As-Dictionary header.  Is it required that the client maintain the
> match-dest as an empty array of strings if not provided by the server?
>
> Is the provided algorithm normative?  The reason I ask is because the
> paragraph
>
> > Dictionaries MUST have been served from the same Origin (Section 4.3.1 of
> [HTTP]) as the outgoing request to match.
>
> and the following steps seem duplicative.
>
> > Let BASEURL be the URL of the dictionary request.
> > Let URL represent the URL of the outbound request being checked.
> > If the Origin of BASEURL and the Origin of URL are not the same, return
> FALSE.
>
> Is it sufficient to read the prose to understand all the constraints, or
> is it
> necessary to read the algorithm as well?
>
> #### 2.2.2 step 7
>
> The instructions suggest to run the "test" method.  Looking at the URL
> Pattern
> specification it is not immediately clear what the behaviour of the "test"
> method is. There is a test method defined in some IDL, but it does not
> reference any defined behaviour.  Looking at the section "High Level
> Operations" it might be reasonable to assume that the "test" method
> implements
> the "match" operation.  It would be helpful to clarify this in the
> specification.
>
> ## 6
>
> > When a compression dictionary is available for use for a given request,
>
> The wording here suggests that a compression dictionary may be usable for
> compressing a request payload. It is my understanding that is not the
> case.
> Perhaps the wording could be changed to "When a compression dictionary is
> available for use compressing the response to a given request,"?
>
> Thanks,
>
> Darrel
>
>
>