IETF Logo Mail Archive

RE: SNI Extension for Alt-Svc

Mike Bishop <mbishop@evequefou.be> Fri, 01 December 2017 18:14 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 70256127876 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 1 Dec 2017 10:14:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.889
X-Spam-Level:
X-Spam-Status: No, score=-6.889 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=evequefou.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hH_wR9son-Um for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 1 Dec 2017 10:14:01 -0800 (PST)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6375312762F for <httpbisa-archive-bis2Juki@lists.ietf.org>; Fri, 1 Dec 2017 10:14:01 -0800 (PST)
Received: from lists by frink.w3.org with local (Exim 4.89) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1eKpgt-0007Iu-MZ for ietf-http-wg-dist@listhub.w3.org; Fri, 01 Dec 2017 18:05:35 +0000
Resent-Date: Fri, 01 Dec 2017 18:05:35 +0000
Resent-Message-Id: <E1eKpgt-0007Iu-MZ@frink.w3.org>
Received: from mimas.w3.org ([128.30.52.79]) by frink.w3.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.89) (envelope-from <mbishop@evequefou.be>) id 1eKpga-0007HU-NT for ietf-http-wg@listhub.w3.org; Fri, 01 Dec 2017 18:05:16 +0000
Received: from mail-co1nam03on0132.outbound.protection.outlook.com ([104.47.40.132] helo=NAM03-CO1-obe.outbound.protection.outlook.com) by mimas.w3.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_CBC_SHA384:256) (Exim 4.89) (envelope-from <mbishop@evequefou.be>) id 1eKpgQ-0005dl-8g for ietf-http-wg@w3.org; Fri, 01 Dec 2017 18:05:16 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=evequefou.onmicrosoft.com; s=selector1-evequefou-be; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=1WF73JDwKHbXEf+hFT28e/hCzs9HYeZ5N5Af9o+KSIo=; b=PvxokV/MahoDDGPSltJeK3778QH1uzpt6ms+pIlJH+gMRQ+mOF1FqEm3WI5zpdcgZby9laFHfungarjl+d1GAy0pud7GXIGhVge62+KPqVSYiTtugBhi+D+/hdJLX+w1qc7Vq23AaJRC6NZKrvq8T6118vzCnQ5GCslQXRJbwVM=
Received: from MWHPR08MB2432.namprd08.prod.outlook.com (10.169.203.136) by MWHPR08MB2429.namprd08.prod.outlook.com (10.169.203.20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.282.5; Fri, 1 Dec 2017 18:04:37 +0000
Received: from MWHPR08MB2432.namprd08.prod.outlook.com ([10.169.203.136]) by MWHPR08MB2432.namprd08.prod.outlook.com ([10.169.203.136]) with mapi id 15.20.0282.007; Fri, 1 Dec 2017 18:04:37 +0000
From: Mike Bishop <mbishop@evequefou.be>
To: Lucas Pardue <Lucas.Pardue@bbc.co.uk>
CC: Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>, Patrick McManus <mcmanus@ducksong.com>
Thread-Topic: SNI Extension for Alt-Svc
Thread-Index: AdNqA3gwKumJHfvEQQWiuzGoNk95hwAmMw2gAAxYAQA=
Date: Fri, 01 Dec 2017 18:04:36 +0000
Message-ID: <MWHPR08MB24323BD99104FB0EA7F0B75ADA390@MWHPR08MB2432.namprd08.prod.outlook.com>
References: <MWHPR08MB243210349ABEB2B0E48123E0DA380@MWHPR08MB2432.namprd08.prod.outlook.com> <7CF7F94CB496BF4FAB1676F375F9666A3BAA07FE@bgb01xud1012>
In-Reply-To: <7CF7F94CB496BF4FAB1676F375F9666A3BAA07FE@bgb01xud1012>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=True; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Owner=mbishop@evequefou.be; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2017-12-01T18:04:34.9701273Z; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=General; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Application=Microsoft Azure Information Protection; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Extended_MSFT_Method=Automatic; Sensitivity=General
authentication-results: spf=none (sender IP is ) smtp.mailfrom=mbishop@evequefou.be;
x-originating-ip: [2601:600:8080:5a28:10f6:e27b:7291:866c]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; MWHPR08MB2429; 6:pIb4G4ZStlPmlfzoxRvHyVvgUqwJOnwmUwOxqzeCEIAc3rJPjEKhj+jFHtmmreJXOq+eVVPI1eHdwQ7TYW2Ty+qrJsoS27puHCzFqyP5UglozWbJ8NufZoj6HmjR0dAZpaw+prmPmRr+fqI9znbQybYX1FgWAPdZixYNBLO2XCRx2JPw/HwVig/MyFfnC5a45UsTvbyBYFb7r4wS64FBb65FGp+iJ0HtzoEzoos58q0XaFIT/gAn1gtlR6msoPFqCHUVan/GBhJdhBza1LXRpTuMzpv/ddlPCTa8x3gz7Z/gZOpnJ2NQcGMyhp1HhwLWqokW0r0QZ8rSB7bYdjHuByxTM0cgCg2A/8+t/Wy6Rw0=; 5:TF2KYEkTp9/4Gz0wGdACk+TcNzmPnnzU7GkMChvJ7OHJ/b5pusuK1WIii/MLWwMaVhVrkE7GVZlqUXlpfV2OYiS2/hGtL0wwmiBidmYCJM3aWTm3i4aXpoxiGv55NMaZIN/ErvHda2Xit0cERCWjLxaDf1vKVzeCVyP4bFUMGIw=; 24:RIeY+V2ioYFy9bV/OeG+cj9Nza0OtTrzWbm9jXvR4vscsb5IXrw78VFUFgSPTaHM9EGCgqt1OAoz3Fl9ymrY91ub72u7hF7Q64cm0GpNyeg=; 7:TBzYlF3GhPvaCMawQetqV9MYOUBGqk+NF947NoKPJ3BAlY1mEwHSljv/cjnLqtoIKlZvSK16dAVYC9AowrxidxZOrW/j5zV2SHRPUQ3NFsoCYbCcYAk6eaC27lAFh8P0N9HazpAt1uZXhIaCdjG44OZZQ6ArXUKrYMZSXLtoWqe70sooX4tMJ7hcATPNQTJXlVdEdQnkDKY3lzwuumvScpnXQQuW2H493REB6SkN7tlBgJsAx2LavNQLZUHgg59B
x-ms-exchange-antispam-srfa-diagnostics: SSOS;
x-ms-office365-filtering-correlation-id: 32e8d476-0ce9-41c1-d9ae-08d538e5fc25
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(4534020)(4602075)(4603075)(4627115)(201702281549075)(5600026)(4604075)(2017052603286); SRVR:MWHPR08MB2429;
x-ms-traffictypediagnostic: MWHPR08MB2429:
x-microsoft-antispam-prvs: <MWHPR08MB2429C9F7B33E162EE352A42BDA390@MWHPR08MB2429.namprd08.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(150554046322364)(227612066756510)(127952516941037)(21748063052155);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040450)(2401047)(5005006)(8121501046)(93006095)(93001095)(10201501046)(3002001)(3231022)(6041248)(2016111802025)(20161123560025)(20161123558100)(20161123562025)(20161123555025)(20161123564025)(201703131423075)(201702281528075)(201703061421075)(201703061406153)(6043046)(6072148)(201708071742011); SRVR:MWHPR08MB2429; BCL:0; PCL:0; RULEID:(100000803101)(100110400095); SRVR:MWHPR08MB2429;
x-forefront-prvs: 05087F0C24
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(376002)(366004)(346002)(39830400002)(199003)(189002)(13464003)(7736002)(6116002)(102836003)(74482002)(2900100001)(53546010)(790700001)(53936002)(25786009)(606006)(6246003)(74316002)(7696005)(6916009)(5660300001)(2950100002)(99286004)(316002)(6506006)(966005)(478600001)(77096006)(68736007)(54896002)(6306002)(97736004)(229853002)(105586002)(4326008)(55016002)(33656002)(6436002)(9686003)(2906002)(54906003)(3660700001)(106356001)(86362001)(189998001)(236005)(81166006)(81156014)(8676002)(101416001)(14454004)(54356011)(8936002)(3280700002)(76176011); DIR:OUT; SFP:1102; SCL:1; SRVR:MWHPR08MB2429; H:MWHPR08MB2432.namprd08.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None (protection.outlook.com: evequefou.be does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_MWHPR08MB24323BD99104FB0EA7F0B75ADA390MWHPR08MB2432namp_"
MIME-Version: 1.0
X-OriginatorOrg: evequefou.be
X-MS-Exchange-CrossTenant-Network-Message-Id: 32e8d476-0ce9-41c1-d9ae-08d538e5fc25
X-MS-Exchange-CrossTenant-originalarrivaltime: 01 Dec 2017 18:04:37.0079 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 41eaf50b-882d-47eb-8c4c-0b5b76a9da8f
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MWHPR08MB2429
Received-SPF: pass client-ip=104.47.40.132; envelope-from=mbishop@evequefou.be; helo=NAM03-CO1-obe.outbound.protection.outlook.com
X-W3C-Hub-Spam-Status: No, score=-3.9
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, W3C_AA=-1, W3C_WL=-1
X-W3C-Scan-Sig: mimas.w3.org 1eKpgQ-0005dl-8g ebe309744684ea22f6315fa5337d00c6
X-Original-To: ietf-http-wg@w3.org
Subject: RE: SNI Extension for Alt-Svc
Archived-At: <https://www.w3.org/mid/MWHPR08MB24323BD99104FB0EA7F0B75ADA390@MWHPR08MB2432.namprd08.prod.outlook.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/34906
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

The two pieces are inter-related.  The parameter recommends using a different SNI, which therefore isn’t guaranteed to get you the certificate you actually need to verify.  As Ilari pointed out, it might still be the right certificate – but if it’s not, you need a channel to retrieve the correct one post-handshake.  You’re correct that we’d need to define Secondary Certs for HTTP/QUIC before an “hq” alternative would be able to do the second part.

From: Lucas Pardue [mailto:Lucas.Pardue@bbc.co.uk]
Sent: Friday, December 1, 2017 6:28 AM
To: Mike Bishop <mbishop@evequefou.be>
Cc: Mark Nottingham <mnot@mnot.net>; HTTP Working Group <ietf-http-wg@w3.org>; Patrick McManus <mcmanus@ducksong.com>
Subject: RE: SNI Extension for Alt-Svc

Apologies for dropping you in it ;)

I do see where you’re coming from about frames. I’m not sure I 100% agree for the reasons outlined below. Perhaps a notational convention qualifying what Frame means would be enough (the one in RFC7540 is almost generic). I think there is some subtlety with frames that operate in a context of request/response, and those that operate in the context of connection.  The latter were defined in HTTP/2 as a replacement for Connection-specific header fields.

The way I read SNI Alt-Svc handling is two parts. Part 1 says a client should include SNI in the TLS handshake, part 2 seems to rely the Secondary Certificate Authentication in HTTP/2 I-D;  a Client SHOULD send a CERTIFICATE_REQUEST, and settings should be valid. Should a client that processes the sni parameter support both parts, or may it do either individually?

I’d argue that part 2 is currently restricted to a HTTP mapping that is capable of carrying Connection-level frames and settings. Alt-Svc adverts for “http/1.1” probably couldn’t do part 2. “quic” and “hq” could not support part 2 until someone defines an equivalent frame and setting in that mapping.

Lucas

From: Mike Bishop [mailto:mbishop@evequefou.be]
Sent: 30 November 2017 17:57
To: Lucas Pardue <Lucas.Pardue@bbc.co.uk<mailto:Lucas.Pardue@bbc.co.uk>>
Cc: Mark Nottingham <mnot@mnot.net<mailto:mnot@mnot.net>>; HTTP Working Group <ietf-http-wg@w3.org<mailto:ietf-http-wg@w3.org>>; Patrick McManus <mcmanus@ducksong.com<mailto:mcmanus@ducksong.com>>
Subject: SNI Extension for Alt-Svc


I was already planning to spin up a thread on that draft today, so thanks for deciding what I'm doing next today!  😉  Forking a separate thread.



WG, https://tools.ietf.org/html/draft-bishop-httpbis-sni-altsvc-00 proposes a new parameter for Alt-Svc suggesting that a client use a different (presumably generic) hostname in the TLS SNI extension, and instead gain Alt-Svc "reasonable assurances" by requesting the origin's certificate via Secondary Certificates (which is currently under Call for Adoption).  It gives a solution, albeit HTTP-specific, to SNI privacy by providing a discoverability path for which generic hostname can be used to reach a more sensitive origin under encryption.



As to the frame reference, I intentionally didn't reference which protocol, in part because Alt-Svc itself says it can be carried by various mechanisms and the definition of an Alt-Svc extension doesn't need to get into that layer.  The Alt-Svc frame for HTTP/QUIC is specified by https://tools.ietf.org/html/draft-bishop-httpbis-altsvc-quic-00.  While frames are present in both HTTP/2 and HTTP/QUIC, I don't think that makes frames a generic HTTP concept -- it's a property of certain mappings, and specified individually in each of them.



-----Original Message-----
From: Lucas Pardue [mailto:Lucas.Pardue@bbc.co.uk]
Sent: Thursday, November 30, 2017 2:13 AM
To: Mike Bishop <mbishop@evequefou.be<mailto:mbishop@evequefou.be>>; ilariliusvaara@welho.com<mailto:ilariliusvaara@welho.com>
Cc: Mark Nottingham <mnot@mnot.net<mailto:mnot@mnot.net>>; HTTP Working Group <ietf-http-wg@w3.org<mailto:ietf-http-wg@w3.org>>; Patrick McManus <mcmanus@ducksong.com<mailto:mcmanus@ducksong.com>>
Subject: RE: DRAFT: more details for HTTPtre



Hi Mike,



The connection coalescing case is interesting as it's not currently described in HTTP/QUIC. Presumably by oversight or time constraint rather than intent. (We've got a ticket open tracking that one.)



Changing track, I've just seen your SNI I-D

https://tools.ietf.org/html/draft-bishop-httpbis-sni-altsvc-00



References to Frames don't state a specific mapping (HTTP/2 or HTTP/QUIC). Reading between the lines this seems intentional, which got me thinking that also Frames could be described as a new HTTP semantic for binary-capable wire formats.



Lucas

v2.23.0 | Report a Bug | By Email