IETF Logo Mail Archive

Re: Benjamin Kaduk's Discuss on draft-ietf-httpbis-semantics-16: (with DISCUSS and COMMENT)

Benjamin Kaduk <kaduk@mit.edu> Thu, 17 June 2021 02:54 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 093763A158B for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Wed, 16 Jun 2021 19:54:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.649
X-Spam-Level:
X-Spam-Status: No, score=-7.649 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.249, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id X7PgNVCIeY4R for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Wed, 16 Jun 2021 19:54:46 -0700 (PDT)
Received: from lyra.w3.org (lyra.w3.org [128.30.52.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E8D0E3A158A for <httpbisa-archive-bis2Juki@lists.ietf.org>; Wed, 16 Jun 2021 19:54:45 -0700 (PDT)
Received: from lists by lyra.w3.org with local (Exim 4.92) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1lti7N-0001HQ-Li for ietf-http-wg-dist@listhub.w3.org; Thu, 17 Jun 2021 02:50:59 +0000
Resent-Date: Thu, 17 Jun 2021 02:50:57 +0000
Resent-Message-Id: <E1lti7N-0001HQ-Li@lyra.w3.org>
Received: from mimas.w3.org ([128.30.52.79]) by lyra.w3.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <kaduk@mit.edu>) id 1lti76-0001Fc-6B for ietf-http-wg@listhub.w3.org; Thu, 17 Jun 2021 02:50:46 +0000
Received: from outgoing-auth-1.mit.edu ([18.9.28.11] helo=outgoing.mit.edu) by mimas.w3.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <kaduk@mit.edu>) id 1lti72-0006dI-1H for ietf-http-wg@w3.org; Thu, 17 Jun 2021 02:50:39 +0000
Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 15H2oDbC029939 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 16 Jun 2021 22:50:18 -0400
Date: Wed, 16 Jun 2021 19:50:13 -0700
From: Benjamin Kaduk <kaduk@mit.edu>
To: Mark Nottingham <mnot@mnot.net>
Cc: The IESG <iesg@ietf.org>, draft-ietf-httpbis-semantics@ietf.org, HTTP Working Group <ietf-http-wg@w3.org>, Tommy Pauly <tpauly@apple.com>
Message-ID: <20210617025013.GT11634@kduck.mit.edu>
References: <162387594905.23641.14127507690244359885@ietfa.amsl.com> <C80881FF-1D38-4BD0-A8B0-7A693C05B341@mnot.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <C80881FF-1D38-4BD0-A8B0-7A693C05B341@mnot.net>
X-W3C-Hub-Spam-Status: No, score=-7.9
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_NONE=0.001, W3C_AA=-1, W3C_IRA=-1, W3C_IRR=-3, W3C_WL=-1
X-W3C-Scan-Sig: mimas.w3.org 1lti72-0006dI-1H 8b7eced63c9a82c6b7f12f67c2cfc50d
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Benjamin Kaduk's Discuss on draft-ietf-httpbis-semantics-16: (with DISCUSS and COMMENT)
Archived-At: <https://www.w3.org/mid/20210617025013.GT11634@kduck.mit.edu>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/38906
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

Hi Mark,

On Thu, Jun 17, 2021 at 11:44:58AM +1000, Mark Nottingham wrote:
> Hi Ben,
> 
> > On 17 Jun 2021, at 6:39 am, Benjamin Kaduk via Datatracker <noreply@ietf.org> wrote:
> > 
> > ----------------------------------------------------------------------
> > DISCUSS:
> > ----------------------------------------------------------------------
> > 
> > Thank you for this quite masterfully done mammoth undertaking!  I expect
> > to ballot Yes pending discussion of one point.
> > 
> > I'm looking at the following text in Section 4.3.4 relating to how to
> > handle certificate validation failures for https:
> > 
> >   If the certificate is not valid for the URI's origin server, a user
> >   agent MUST either notify the user (user agents MAY give the user an
> >   option to continue with the connection in any case) or terminate the
> >   connection with a bad certificate error.  [...]
> > 
> > Given the discussion up in §3.5 about requirements to "notify" the user
> > vs requiring "confirmation" from the user, I don't think that just "MUST
> > notify the user" is sufficient to prevent the user-agent from
> > continuing, since it is sufficient to just write a log entry as the
> > means to notify the user.  Is the intent to require confirmation of the
> > action to continue in the face of such an error (which, again per §3.5
> > could be a pre-configured confirmation)?  An intent to require
> > "confirmation" (vs mere "notification") seems consistent with the
> > subsequent text placing requirements on automated clients and would be
> > more consistent with my understanding of general IETF consensus for
> > securing protocols
> 
> Good catch. I think that 'notify the user' --> 'obtain confirmation from the user' is the right change here (possibly with a reference to 3.5).
> 
> Anyone disagree?

Not I -- that sounds good to me.
The parenthetical might want a bit of reworking (or removal?) as a
follow-up, though.

Thanks,

Ben

v2.23.0 | Report a Bug | By Email