Re: ID for Immutable

Kari Hurtta <hurtta-ietf@elmme-mailer.org> Sat, 29 October 2016 06:49 UTC

To: HTTP working group mailing list <ietf-http-wg@w3.org>, Patrick McManus <pmcmanus@mozilla.com>

> I do believe the lack of integrity protection in plaintext transfer is an
> important security consideration for immutable that suggests they should
> not be used together. I'm open to other wording on it for sure.. https://
> might be sufficient here.


I suspect that corruption (truncation most likely) happens then
between TLS termination (TLS offloading, for example a load balancer)
and the web server.

Yes, reloading with a conditional request does not help here either.

(And if the load balancer caches this then any reloading probably
 does not help here. Especially if the request cache-control
 header is ignored.)

/ Kari Hurtta
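
The following is an added example, not part of the original message or of the Immutable draft: a hypothetical client-side check run before a cache honors `immutable`, showing which of the cases discussed in this thread it can and cannot catch. The function names and the sample responses are constructed for illustration.

```python
# Added example; function names and sample responses are constructed.

def directives(cache_control):
    """Lower-cased directive names from a Cache-Control header value."""
    return {p.split("=", 1)[0].strip().lower()
            for p in cache_control.split(",") if p.strip()}

def honor_immutable(scheme, headers, body):
    """Return (honor, reason) for a response a client cache is about to store.

    headers: dict keyed by lower-case header name; body: bytes received.
    """
    if "immutable" not in directives(headers.get("cache-control", "")):
        return False, "no immutable directive"
    if scheme != "https":
        return False, "plaintext: no integrity protection"
    declared = headers.get("content-length")
    if declared is None:
        # Chunked or re-framed by an intermediary: a body cut short between
        # the TLS terminator and the origin server looks complete here.
        return True, "length not checkable"
    if not declared.isdecimal() or int(declared) != len(body):
        return False, "length mismatch"
    return True, "length verified"

CC = "max-age=31536000, immutable"
FULL = b"x" * 1000          # constructed origin body
CUT = FULL[:400]            # same body truncated behind the load balancer

def demo():
    return [
        honor_immutable("http", {"cache-control": CC, "content-length": "1000"}, FULL),
        honor_immutable("https", {"cache-control": CC, "content-length": "1000"}, CUT),
        honor_immutable("https", {"cache-control": CC, "transfer-encoding": "chunked"}, CUT),
        honor_immutable("https", {"cache-control": CC, "content-length": "1000"}, FULL),
    ]

if __name__ == "__main__":
    for honor, reason in demo():
        print(honor, reason)
```

The third case is the one raised above: the TLS session to the client is intact, so a truncated body that the terminator re-frames is accepted and pinned as immutable.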