Adam Roach's Discuss on draft-ietf-httpbis-expect-ct-07: (with DISCUSS and COMMENT)
Adam Roach <adam@nostrum.com> Thu, 13 September 2018 06:57 UTC
Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9FE8B13100D for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Wed, 12 Sep 2018 23:57:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.65
X-Spam-Level:
X-Spam-Status: No, score=-2.65 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.25, MAILING_LIST_MULTI=-1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0_bREVtgN1vr for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Wed, 12 Sep 2018 23:57:41 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [IPv6:2603:400a:ffff:804:801e:34:0:38]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7C57113101C for <httpbisa-archive-bis2Juki@lists.ietf.org>; Wed, 12 Sep 2018 23:57:41 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.89) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1g0LX7-0000Lu-9g for ietf-http-wg-dist@listhub.w3.org; Thu, 13 Sep 2018 06:55:21 +0000
Resent-Date: Thu, 13 Sep 2018 06:55:21 +0000
Resent-Message-Id: <E1g0LX7-0000Lu-9g@frink.w3.org>
Received: from mimas.w3.org ([2603:400a:ffff:804:801e:34:0:4f]) by frink.w3.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.89) (envelope-from <adam@nostrum.com>) id 1g0LX2-0000LH-Ep for ietf-http-wg@listhub.w3.org; Thu, 13 Sep 2018 06:55:16 +0000
Received: from mail.ietf.org ([2001:1900:3001:11::2c]) by mimas.w3.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.89) (envelope-from <adam@nostrum.com>) id 1g0LX0-0006I2-Kc for ietf-http-wg@w3.org; Thu, 13 Sep 2018 06:55:15 +0000
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id E9AD712D7F8; Wed, 12 Sep 2018 23:54:52 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: Adam Roach <adam@nostrum.com>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-httpbis-expect-ct@ietf.org, Mark Nottingham <mnot@mnot.net>, httpbis-chairs@ietf.org, mnot@mnot.net, ietf-http-wg@w3.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.83.1
Auto-Submitted: auto-generated
Message-ID: <153682169290.9530.10396840495307914328.idtracker@ietfa.amsl.com>
Date: Wed, 12 Sep 2018 23:54:52 -0700
X-W3C-Hub-Spam-Status: No, score=-9.9
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, T_SPF_PERMERROR=0.01, W3C_AA=-1, W3C_IRA=-1, W3C_WL=-1
X-W3C-Scan-Sig: mimas.w3.org 1g0LX0-0006I2-Kc 0d5d99dc3935e9dd081588e885e609a8
X-Original-To: ietf-http-wg@w3.org
Subject: Adam Roach's Discuss on draft-ietf-httpbis-expect-ct-07: (with DISCUSS and COMMENT)
Archived-At: <https://www.w3.org/mid/153682169290.9530.10396840495307914328.idtracker@ietfa.amsl.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/35910
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
Adam Roach has entered the following ballot position for draft-ietf-httpbis-expect-ct-07: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-httpbis-expect-ct/ ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- Thanks for the work done on defining this mechanism! I think it's quite useful, and I plan to ballot "Yes" as soon as the minor but important issue below is fixed. §6.1: > Status: standard My reading of RFC 3864 does not allow Experimental RFCs to register HTTP header fields as "Status: Standard." ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- I also have a number of non-blocking comments that range from editorial to substantial-but-not-critical. They appear below in document order. --------------------------------------------------------------------------- ID Nits reports: -- Obsolete informational reference (is this intentional?): RFC 5246 (Obsoleted by RFC 8446) Given that this document doesn't seem to be tied to any specific version of TLS, I suspect this should be updated. --------------------------------------------------------------------------- §1.1: This document makes use of non-captialized versions of terms like "should." Please consider using the RFC 8174 boilerplate. --------------------------------------------------------------------------- §2.1: > Expect-CT = #expect-ct-directive > expect-ct-directive = directive-name [ "=" directive-value ] > directive-name = token > directive-value = token / quoted-string I note that there is no registry for directive names in the IANA section, so presumably there is a small, closed set of directives allowed here. Typically, when this is the case, the ABNF includes the permissible values; e.g.: directive-name = "report-uri" / "enforce" / "max-age" ...although I also note that list item (5) under the ABNF implies that the intention here is to be extensible. If such is the case, I would suggest adding an IANA registry that records Expect-CT directives, and specifying the ABNF as: directive-name = "report-uri" / "enforce" / "max-age" / token NOTE that not specifying a registry in this document is practically identical to specifying a registry with a policy of "RFC Required," as adding new values will require a new RFC that updates this one. That's an exceptionally restrictive policy, and I would hope that the working group would make such a decision with intention rather than letting it happen through inaction. --------------------------------------------------------------------------- §2.1.3: > The "max-age" directive is REQUIRED to be present within an "Expect- > CT" header field. This doesn't appear to be true as stated; or, at least, it is stated in a somewhat confusing way. A casual reading of this requirement is that an "Expect-CT" header field is noncompliant if it is missing this directive. Based on the examples given, the actual requirement here is that a response that contains an Expect-CT header field MUST contain an Expect-CT header field with a max-age directive, although that directive does not necessarily need to appear in each Expect-CT header field. This should probably be clarified. --------------------------------------------------------------------------- §3.1: These reports indicate hostname and port, but omit scheme. RFC 6454 defines origin (which is what you're really getting at here) as scheme/host/port. Clearly, it doesn't make sense to report on http, so I presume that the thought process here is that "https" is the only scheme in play. The worry I have is that the current design is not particularly future-proof. For example, it would take only a modest adaptation for this mechanism to work with "coaps" URIs, except that the collecting server wouldn't be able to distinguish between "coaps" and "https" resources on the same device. Note that port number isn't necessarily a valid distinguisher here, as both HTTP and COAP use ALPN, and could conceivably run on the same port as a consequence. It seems that it would be easy to add "scheme" as an optional field at this point in time, to head off potential confusion in the future. --------------------------------------------------------------------------- §3.3: > Upon receiving an Expect-CT violation report, the report server MUST > respond with a 2xx (Successful) status code if it can parse the > request body as valid JSON and recognizes the hostname in the > "hostname" field of the report. It seems to me that "port" should be treated the same as "hostname" here -- that is, if the host:port combination (or scheme:host:port, if you make changes based on my preceding comment) isn't expected, then the result should be a 4xx. > If the report body cannot be parsed > or the report server does not expect to receive reports for the > hostname in the "hostname" field, the report server MUST respond with > a 4xx (Client Error) status code. Which one? --------------------------------------------------------------------------- §5: > Implementations must store state about Known Expect-CT Hosts, and > hence which domains the UA has contacted. The "must" here (even if non-normative) seems to overstep a boundary. For example, when in Incognito/Private Browsing mode, browsers will take special pains not to persistently store any information related to the domains visited. It should probably be noted that persistent caching of this information is subject to local policy (either here or elsewhere), and the "must" in this sentence should be softened or qualified.
- Adam Roach's Discuss on draft-ietf-httpbis-expect… Adam Roach
- Re: Adam Roach's Discuss on draft-ietf-httpbis-ex… Julian Reschke
- Re: Adam Roach's Discuss on draft-ietf-httpbis-ex… Adam Roach
- Re: Adam Roach's Discuss on draft-ietf-httpbis-ex… Patrick McManus
- Re: Adam Roach's Discuss on draft-ietf-httpbis-ex… Alexey Melnikov
- Re: Adam Roach's Discuss on draft-ietf-httpbis-ex… Julian Reschke
- Re: Adam Roach's Discuss on draft-ietf-httpbis-ex… Emily Stark
- Re: Adam Roach's Discuss on draft-ietf-httpbis-ex… Adam Roach