Re: [Last-Call] Genart last call review of draft-ietf-httpbis-client-hints-13

Christer Holmberg <christer.holmberg@ericsson.com> Fri, 01 May 2020 22:49 UTC

Archived-At: <https://www.w3.org/mid/9F958A9A-6607-4E32-BAD9-E738949C5F13@ericsson.com>

Hi,

Seems like I did a copy/paste error. Please skip Q3-Q6, the issues/questions will come later in the review.

Regards,

Christer



On 02/05/2020, 1.44, "last-call on behalf of Christer Holmberg via Datatracker" <last-call-bounces@ietf.org on behalf of noreply@ietf.org> wrote:

    Reviewer: Christer Holmberg
    Review result: Ready with Issues
    
    I am the assigned Gen-ART reviewer for this draft. The General Area
    Review Team (Gen-ART) reviews all IETF documents being processed
    by the IESG for the IETF Chair.  Please treat these comments just
    like any other last call comments.
    
    For more information, please see the FAQ at
    
    <https://trac.ietf.org/trac/gen/wiki/GenArtfaq>.
    
    Document: draft-ietf-httpbis-client-hints-13
    Reviewer: Christer Holmberg
    Review Date: 2020-05-01
    IETF LC End Date: 2020-05-08
    IESG Telechat date: Not scheduled for a telechat
    
    Summary: The document is easy to read, and I understand the general concept of
    the mechanism. However, I have a number of questions, some related to the
    usage, which I think need to be clarified, and some more editorial.
    
    Q3:
    
    Section 2.1. describes sending of Client Hints, based on Accept-CH, and Section
    3.1. defines the Accept-CH header field.
    
    But, there is no guidance on what a client does BEFORE it receives Accept-CH. I
    assume it does not include support of any features.
    
    Also, there is no guidance on what a client does if it does NOT receive
    Accept-CH (because the server does not support it). Will it then send another
    request and include supported features ? What if it is too late, and the server
    has already made choices?
    
    I think some client behavior guidance would be useful.
    
    ---
    
    Q4:
    
    Related to Q3, there is no server procedure on when Accept-CH is sent to the
    client.
    
    ---
    
    Q5:
    
    Related to Q4, what happens if a server receives hints that it does not
    understand, or does not support?
    
    ---
    
    Q6:
    
    Section 3.1 says:
    
       “It SHOULD be persisted and bound to the origin to enable delivery of Client
       Hints on subsequent requests to the server's origin.”
    
    …and the subsequent text then gives an example.
    
    First, what is the time scope of “subsequent requests”? A session? An hour? A
    day? For how long does the client need to remember the Accept-CH header field
    value for a given origin server?
    
    Second, the procedure does not seem to take into account that certain aspects,
    e.g., network characteristics, may change between when requests are sent to an
    origin server.
    
    -------
    
    Major issues:
    
    MaQ1:
    
    Section 2.1. describes sending of Client Hints, based on Accept-CH, and Section
    3.1. defines the Accept-CH header field.
    
    First, there is no guidance on what a client does BEFORE it receives Accept-CH.
    I assume it does not include support of any features.
    
    Second, there is no guidance on what a client does if it does NOT receive
    Accept-CH (because the server does not support it). Will it then send another
    request and include supported features ? What if it is too late, and the server
    has already made choices?
    
    I think some client behavior guidance would be useful.
    
    ---
    
    MaQ2:
    
    Related to Q3, there is no server procedure on when Accept-CH is sent to the
    client. Also, can an Accept-CH with updated information be sent?
    
    ---
    
    MaQ3:
    
    Related to MaQ2, what happens if a server receives hints that it does not
    understand, or does not support?
    
    ---
    
    MaQ4:
    
    Section 3.1 says:
    
       “It SHOULD be persisted and bound to the origin to enable delivery of Client
       Hints on subsequent requests to the server's origin.”
    
    …and the subsequent text then gives an example.
    
    First, what is the time scope of “subsequent requests”? A session? An hour? A
    day? For how long does the client need to remember the Accept-CH header field
    value for a given origin server?
    
    Second, the procedure does not seem to take into account that certain aspects,
    e.g., network characteristics, may change between when requests are sent to an
    origin server.
    
    --------
    
    Minor issues:
    
    MiQ1:
    
    Section 1 described that proactive content negotiation allows servers to
    silently fingerprint the user agent.
    
    But, later in the Section it is described that Client Hints also allow a server
    to perform fingerprinting, and the Security Considerations also say that there
    is really no difference.
    
    So, does Section 1 need to talk about fingerprinting at all?
    
    ---
    
    MiQ2:
    
    The 4th last paragraph of Section 1 says:
    
       “It also defines guidelines for content negotiation mechanisms that use it,
       colloquially referred to as Client Hints.”
    
    The 2nd last paragraph of Section 1 says:
    
       “This document defines Client Hints, a framework that enables servers
         to opt-in to specific proactive content negotiation features,
         adapting their content accordingly.”
    
    The 2nd last paragraph also talks about “usage of infrastructure”, which I don’t
    really understand. I assume you mean the Client Hints framework?
    
    First, I think the text in the 4th last paragraph should be replaced by the
    text in the 2nd last paragraph.
    
    Second, I think the text introducing the framework should come BEFORE the text
    introducing the Accept-CH header field.
    
    Something like:
    
       "This document defines Client Hints, a framework that enables servers
       to opt-in to specific proactive content negotiation features,
       adapting their content accordingly. This document also defines a new
       response header, Accept-CH, that allows an origin server to explicitly
       ask that clients send these headers in requests.
    
       Client Hints mitigate performance concerns by assuring that clients
       will only send the request headers when they're actually going to be
       used, and privacy concerns of passive fingerprinting by requiring
       explicit opt-in and disclosure of required headers by the server
       through the use of the Accept-CH response header.
    
       The document does not define specific usages of Client Hints. Such usages
       need to be defined in their respective specifications.
    
       One example of such usage is the User Agent Client Hints [UA-CH]."
    
    -------
    
    Nits/editorial comments:
    
    EdQ1:
    
    The document uses both “client” and “user agent” terminology. Is there a reason
    for that, or could one be picked?
    
    
    
    -- 
    last-call mailing list
    last-call@ietf.org
    https://www.ietf.org/mailman/listinfo/last-call
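
As an added illustration of the opt-in flow the review questions in MaQ1 to MaQ4, and not text from the review, the draft or the list, here is a small Python model of a client that sends no hints until an origin has sent Accept-CH, remembers the latest Accept-CH per origin, recomputes hint values at request time, and a server that discards hints it does not understand. The 24-hour TTL, the replace-on-update policy, the set of hints the client knows, and the origin name are assumptions made for this example; the draft text quoted above does not fix any of them.

```python
"""Toy model of the Accept-CH opt-in flow (added example, not from the draft).

Assumptions not taken from the draft: a fixed TTL for persisted Accept-CH
values, replace-on-update when a new Accept-CH arrives, and a server that
silently ignores hints it does not support.
"""
from __future__ import annotations

import time
from dataclasses import dataclass

# Hint header names this toy client knows how to populate. The set is an
# assumption for the example; the framework draft defines no specific hints.
CLIENT_SUPPORTED_HINTS = frozenset({
    "Sec-CH-UA", "Sec-CH-UA-Mobile", "Sec-CH-UA-Platform",
    "DPR", "Width", "Viewport-Width", "Downlink", "ECT",
})
# Header field names are case-insensitive; map lowercase -> canonical spelling.
_CANON = {name.lower(): name for name in CLIENT_SUPPORTED_HINTS}


def parse_accept_ch(value: str) -> list[str]:
    """Split an Accept-CH value (comma-separated field names), dropping empty
    tokens and case-insensitive duplicates while preserving first-seen order."""
    names: list[str] = []
    seen: set[str] = set()
    for token in value.split(","):
        name = token.strip()
        if name and name.lower() not in seen:
            seen.add(name.lower())
            names.append(name)
    return names


@dataclass
class AcceptCHEntry:
    hints: list[str]
    expires_at: float


class ClientHintStore:
    """Per-origin memory of the most recent Accept-CH.

    The TTL is an assumption: the draft says the value SHOULD be persisted and
    bound to the origin but does not say for how long.
    """

    def __init__(self, ttl_seconds: float = 24 * 3600) -> None:
        self.ttl = ttl_seconds
        self._entries: dict[str, AcceptCHEntry] = {}

    def update(self, origin: str, accept_ch_value: str, now: float | None = None) -> None:
        """Record the latest Accept-CH from `origin`, replacing any earlier set,
        so an updated Accept-CH from the server simply wins."""
        now = time.time() if now is None else now
        self._entries[origin] = AcceptCHEntry(parse_accept_ch(accept_ch_value), now + self.ttl)

    def requested_hints(self, origin: str, now: float | None = None) -> list[str]:
        """Hints the origin opted into that this client can supply. Empty before
        any Accept-CH has been received from the origin, and after expiry."""
        now = time.time() if now is None else now
        entry = self._entries.get(origin)
        if entry is None:
            return []
        if now >= entry.expires_at:
            del self._entries[origin]
            return []
        return [_CANON[h.lower()] for h in entry.hints if h.lower() in _CANON]


def build_request_headers(store: ClientHintStore, origin: str,
                          current_values: dict[str, str],
                          now: float | None = None) -> dict[str, str]:
    """Hint headers for a request to `origin`: only what the origin asked for,
    with values taken from `current_values` at send time, so characteristics
    that change between requests (DPR, ECT, ...) are reflected per request."""
    return {
        hint: current_values[hint]
        for hint in store.requested_hints(origin, now)
        if hint in current_values
    }


def server_split_hints(request_headers: dict[str, str],
                       server_supported: set[str]) -> tuple[dict[str, str], list[str]]:
    """Toy server: consume the hints it understands and list the rest, which it
    otherwise ignores like any other unrecognised request header (assumption)."""
    supported = {s.lower() for s in server_supported}
    understood = {k: v for k, v in request_headers.items() if k.lower() in supported}
    ignored = [k for k in request_headers if k.lower() not in supported]
    return understood, ignored


if __name__ == "__main__":
    store = ClientHintStore(ttl_seconds=3600)
    origin = "https://example.com"          # constructed origin for the demo
    device = {"DPR": "2", "Sec-CH-UA": '"Example"; v="1"', "ECT": "4g"}
    print("request 1:", build_request_headers(store, origin, device, now=0))   # {}
    store.update(origin, "Sec-CH-UA, DPR, X-Totally-Unknown", now=0)          # response 1
    device["ECT"] = "3g"                                                       # network changed
    print("request 2:", build_request_headers(store, origin, device, now=10))
    print("server sees:", server_split_hints(build_request_headers(store, origin, device, now=10), {"DPR"}))
    print("request after TTL:", build_request_headers(store, origin, device, now=4000))  # {}
```

The first request carries nothing because the store is empty; only after the origin's Accept-CH is stored do subsequent requests to that same origin carry the intersection of what the server asked for and what the client supports, and the value of each hint is read at send time rather than frozen when Accept-CH arrived.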