Re: AD review of draft-ietf-httpbis-alt-svc-10

Barry Leiba <barryleiba@computer.org> Sat, 16 January 2016 04:29 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C4A971B3743 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 15 Jan 2016 20:29:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.28
X-Spam-Level:
X-Spam-Status: No, score=-6.28 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vE418GwESrx7 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 15 Jan 2016 20:29:43 -0800 (PST)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CB96D1B3742 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Fri, 15 Jan 2016 20:29:42 -0800 (PST)
Received: from lists by frink.w3.org with local (Exim 4.80) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1aKIRc-0001TM-VC for ietf-http-wg-dist@listhub.w3.org; Sat, 16 Jan 2016 04:26:32 +0000
Resent-Date: Sat, 16 Jan 2016 04:26:32 +0000
Resent-Message-Id: <E1aKIRc-0001TM-VC@frink.w3.org>
Received: from lisa.w3.org ([128.30.52.41]) by frink.w3.org with esmtps (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <barryleiba@gmail.com>) id 1aKIRV-0001Se-Rw for ietf-http-wg@listhub.w3.org; Sat, 16 Jan 2016 04:26:25 +0000
Received: from mail-ig0-f182.google.com ([209.85.213.182]) by lisa.w3.org with esmtps (TLS1.2:RSA_ARCFOUR_SHA1:128) (Exim 4.80) (envelope-from <barryleiba@gmail.com>) id 1aKIRT-0002Ak-8k for ietf-http-wg@w3.org; Sat, 16 Jan 2016 04:26:25 +0000
Received: by mail-ig0-f182.google.com with SMTP id ik10so25992338igb.1 for <ietf-http-wg@w3.org>; Fri, 15 Jan 2016 20:26:02 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=mfwfy4nsSlBcxqO2H60g9GGAEFwOPgnvQROXSISIbks=; b=KoG52DrRbkhziMgV3mI9FBUxnYsVLIZDjOZTlGi87NTvDc6d5rPbRtCW+ITPZRXYvq eTwJr6YcG+epq295Lm2/XZDXx7ar860+g3s5agEwicn+vaWxrgyedtCswRQBEhv2syDw j27ElHQdTeJ8JOGs5lmEXo7gAkzXvt6r5zJziqBau8Enrb/XcYrofWRsU/7hAPGmKVXG 9dhM48L7BIiSl/zfEHvGJjksfM5XBGE4Jmd+gedArJmRM0QfAKHQGtcsuZkmN8PhBscz ZzgMoLPR5iHI7XMwAGrn0HBmzd9xUB9SOOJAzeaGvgX6wU0bdb2nuqRCdyvbUEc5U2N1 CXpQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=mfwfy4nsSlBcxqO2H60g9GGAEFwOPgnvQROXSISIbks=; b=GI+LSo/kw1gCrkO2zh70ZL42+83EvjCx1FwOfOdScURSwEvOXs1KQqM6ExirYv2BaU IoVL4XQ+5KKi39BaTzfCV3LdELZgbKBvWGF0rS/iQkjmbQoVgZOwP0LekKIpMb2BXl0+ AW4svax7eqSBMnh0WR8Lya02WRLWSTvIUJHSNjaSjygDUx0KFriQYrZG0eu1Uv1UBEZn 0gjsBlhge6UOrCuD6EGsjD2+4RMG/IJ6pCxeS1uV/0x1kWAatW8/5S5uQ546jN4zS8o2 HkwSn5Zy5qNDJRdJiptDMeXY+GVVKVUL7tJxOejKSVrXTSfq76sjhhnyheRANRGrmGLa Fc7Q==
X-Gm-Message-State: AG10YOSQUTzhLfR/mv7pYVaiwgSNKiWvWbqabSia6qK+0unnrzZ2f4TrIyLbTicejbiPoEN+kASdaFz86X04EQ==
MIME-Version: 1.0
X-Received: by 10.50.138.5 with SMTP id qm5mr2008065igb.53.1452918357388; Fri, 15 Jan 2016 20:25:57 -0800 (PST)
Sender: barryleiba@gmail.com
Received: by 10.36.117.83 with HTTP; Fri, 15 Jan 2016 20:25:57 -0800 (PST)
In-Reply-To: <CAOdDvNohfsS7Zw6wk3q3YAQn9SYNjVarN4Npar67ZnBWpkdP8Q@mail.gmail.com>
References: <CALaySJK5fYy_JCv0Y7Fs3QpPk95fUxyt272JMc-QUpVKO7_gJA@mail.gmail.com> <56853BCC.7030005@gmx.de> <56927D52.2000106@gmx.de> <CALaySJ+mVOHinmehK2jm3jQaEkXJZ2BRbaY4a5wuw=eOOO-A9Q@mail.gmail.com> <BN3PR03MB13675838E560ED08916D245187C90@BN3PR03MB1367.namprd03.prod.outlook.com> <5693DC2E.7010001@cs.tcd.ie> <569562B6.904@cs.tcd.ie> <BN3PR03MB13677294EE2ABFE14D0A56D087CA0@BN3PR03MB1367.namprd03.prod.outlook.com> <CALaySJ+918e-VO2V6HTK6OnQc0kQrY-YYj=ZToxs3wXxZqjvCg@mail.gmail.com> <56962487.6030709@cs.tcd.ie> <BN3PR03MB1367417E3088E4AD82F9B53887CB0@BN3PR03MB1367.namprd03.prod.outlook.com> <5696A318.4010808@cs.tcd.ie> <312E9853-E205-454C-8A71-487FDF357A8D@mnot.net> <CABCZv0potRRAcezS1Q5ZASEyzTuOKtW7sE+Ey=EjxC_+teYr_w@mail.gmail.com> <CY1PR03MB137453C7B22E473C757581C987CD0@CY1PR03MB1374.namprd03.prod.outlook.com> <CABCZv0qupdF+nEzPWCsSZGL0NZ3X8LOMfzuz3pGatu426JfAQg@mail.gmail.com> <CABkgnnVSQ=iDrqRE_2y4EPCAsybLmvVXR0yZtn49ryqMTj=pNw@mail.gmail.com> <CAOdDvNohfsS7Zw6wk3q3YAQn9SYNjVarN4Npar67ZnBWpkdP8Q@mail.gmail.com>
Date: Fri, 15 Jan 2016 23:25:57 -0500
X-Google-Sender-Auth: d2hqPDZbb-vd0O9Mbf2E4vYo_ls
Message-ID: <CALaySJ+S=fEJaOFyq_MGTW-JV2cDQeiB9eu4xCprYUZ1CaS17Q@mail.gmail.com>
From: Barry Leiba <barryleiba@computer.org>
To: Patrick McManus <mcmanus@ducksong.com>
Cc: Martin Thomson <martin.thomson@gmail.com>, Chris Bentzel <chris@bentzel.net>, Mike Bishop <Michael.Bishop@microsoft.com>, Mark Nottingham <mnot@mnot.net>, Stephen Farrell <stephen.farrell@cs.tcd.ie>, "Julian F. Reschke" <julian.reschke@gmx.de>, "draft-ietf-httpbis-alt-svc@ietf.org" <draft-ietf-httpbis-alt-svc@ietf.org>, HTTP Working Group <ietf-http-wg@w3.org>
Content-Type: multipart/alternative; boundary="001a1135f14694769905296bea59"
Received-SPF: pass client-ip=209.85.213.182; envelope-from=barryleiba@gmail.com; helo=mail-ig0-f182.google.com
X-W3C-Hub-Spam-Status: No, score=-7.7
X-W3C-Hub-Spam-Report: AWL=1.882, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, W3C_AA=-1, W3C_DB=-1, W3C_IRA=-1, W3C_IRR=-3, W3C_WL=-1
X-W3C-Scan-Sig: lisa.w3.org 1aKIRT-0002Ak-8k 87162e5c799f7d53af988117d927261c
X-Original-To: ietf-http-wg@w3.org
Subject: Re: AD review of draft-ietf-httpbis-alt-svc-10
Archived-At: <http://www.w3.org/mid/CALaySJ+S=fEJaOFyq_MGTW-JV2cDQeiB9eu4xCprYUZ1CaS17Q@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/30949
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

On Friday, January 15, 2016, Patrick McManus <mcmanus@ducksong.com> wrote:

> I like that rewrite.
>

As do I.

Barry


> On Fri, Jan 15, 2016 at 8:00 PM, Martin Thomson <martin.thomson@gmail.com
> <javascript:_e(%7B%7D,'cvml','martin.thomson@gmail.com');>> wrote:
>
>> Does that suggest an "unless" or a rewrite to something like:
>>
>> Clients that wish to prevent requests from being correlated (such as
>> those that offer modes aimed at providing improved privacy) SHOULD NOT
>> use alternative services for multiple requests that would not
>> otherwise be allowed to be correlated.
>>
>> On 16 January 2016 at 08:22, Chris Bentzel <chris@bentzel.net
>> <javascript:_e(%7B%7D,'cvml','chris@bentzel.net');>> wrote:
>> > That seems reasonable.
>> >
>> > On Fri, Jan 15, 2016 at 4:10 PM Mike Bishop <
>> Michael.Bishop@microsoft.com
>> <javascript:_e(%7B%7D,'cvml','Michael.Bishop@microsoft.com');>>
>> > wrote:
>> >>
>> >> The concern goes the other way, too – Alt-Svc mappings that you’ve
>> >> previously discovered continuing to be used in Incognito.  If a server
>> gave
>> >> you an Alt-Svc of “chrisbentzel-laptop-2.tracking.example.com”
>> previously
>> >> and you used it once you entered Incognito, they could persist your
>> identity
>> >> into that mode regardless of whether you persist updates you see while
>> >> Incognito.
>> >>
>> >>
>> >>
>> >> Having a separate cache of Alt-Svc mappings that gets used only for
>> that
>> >> session would seem like a reasonable mitigation.
>> >>
>> >>
>> >>
>> >> From: Chris Bentzel [mailto:chris@bentzel.net
>> <javascript:_e(%7B%7D,'cvml','chris@bentzel.net');>]
>> >> Sent: Friday, January 15, 2016 1:04 PM
>> >> To: Mark Nottingham <mnot@mnot.net
>> <javascript:_e(%7B%7D,'cvml','mnot@mnot.net');>>; Stephen Farrell
>> >> <stephen.farrell@cs.tcd.ie
>> <javascript:_e(%7B%7D,'cvml','stephen.farrell@cs.tcd.ie');>>
>> >> Cc: Mike Bishop <Michael.Bishop@microsoft.com
>> <javascript:_e(%7B%7D,'cvml','Michael.Bishop@microsoft.com');>>; Barry
>> Leiba
>> >> <barryleiba@computer.org
>> <javascript:_e(%7B%7D,'cvml','barryleiba@computer.org');>>; Julian F.
>> Reschke <julian.reschke@gmx.de
>> <javascript:_e(%7B%7D,'cvml','julian.reschke@gmx.de');>>;
>> >> draft-ietf-httpbis-alt-svc@ietf.org
>> <javascript:_e(%7B%7D,'cvml','draft-ietf-httpbis-alt-svc@ietf.org');>;
>> HTTP Working Group
>> >> <ietf-http-wg@w3.org
>> <javascript:_e(%7B%7D,'cvml','ietf-http-wg@w3.org');>>
>> >>
>> >>
>> >> Subject: Re: AD review of draft-ietf-httpbis-alt-svc-10
>> >>
>> >>
>> >>
>> >> Chiming in (very) late on the "In particular, clients configured for
>> >> anonymous usage SHOULD NOT use alternative services."
>> >>
>> >>
>> >>
>> >> I'm actually not sure what folks here have in mind when they think of
>> >> "anonymous usage" configurations.
>> >>
>> >>
>> >>
>> >> Assuming that something like Chrome's Incognito Mode falls under that
>> >> bucket, it is likely that Chrome would use alternative services within
>> an
>> >> incognito session but not persist the alternative service mappings -
>> they'd
>> >> go away when the incognito session ends.
>> >>
>> >>
>> >>
>> >> On Thu, Jan 14, 2016 at 10:32 PM Mark Nottingham <mnot@mnot.net
>> <javascript:_e(%7B%7D,'cvml','mnot@mnot.net');>> wrote:
>> >>
>> >> In some side discussions, I've come across other people who are unhappy
>> >> with this state of affairs, so I don't think you're alone. I'll leave
>> it up
>> >> to them to decide how to participate here.
>> >>
>> >> To be explicit -- we are opening up a potential same machine attack
>> >> (specifically, someone on a shared HTTP server who has the ability to
>> both
>> >> add response headers -- such as with .htaccess or a CGI script -- and
>> listen
>> >> to another port (possibly, ANY port) on the same box can then hijack
>> traffic
>> >> intended for other users.
>> >>
>> >> The motivation for doing so is to enable the HTTP Opportunistic
>> Security
>> >> specification, which offers weak protection against pervasive
>> monitors, but
>> >> is vulnerable to active attackers, and doesn't improve Web security in
>> other
>> >> (and important) ways that HTTPS does. We have only one implementation
>> of
>> >> that specification in a browser, and no sign that it will be adopted by
>> >> others.
>> >>
>> >> Is this a reasonable tradeoff? We are planning to publish this is
>> >> Experimental, so the question might also be "is this a responsible
>> >> experiment to run?"
>> >>
>> >> Cheers,
>> >>
>> >>
>> >>
>> >> > On 14 Jan 2016, at 6:18 am, Stephen Farrell <
>> stephen.farrell@cs.tcd.ie
>> <javascript:_e(%7B%7D,'cvml','stephen.farrell@cs.tcd.ie');>>
>> >> > wrote:
>> >> >
>> >> >
>> >> >
>> >> > On 13/01/16 19:16, Mike Bishop wrote:
>> >> >> Yes, that's obviously a mitigation servers can set up, but that
>> means
>> >> >> we're telling existing servers they need to disallow something
>> that's
>> >> >
>> >> > Well s/need/can/ I think, but sure.
>> >> >
>> >> >> newly defined in order to prevent their users from hijacking them.
>> >> >> And I don't believe retroactive guidance like that is reasonable --
>> >> >> that will lag actual deployment of the protocol, and will never be
>> >> >> 100%.
>> >> >>
>> >> >> My proposal was that ~eve remains able to advertise an Alt-Svc, but
>> >> >> that alternative must then authenticate itself as users.example.com
>> >> >> (which Eve's proxy cannot do) before clients will use it.
>> >> >>
>> >> >> I remain a little unhappy with this as it stands, but if no one else
>> >> >> thinks it's a problem, I'll stop now.
>> >> >
>> >> > Yeah, ditto:-)
>> >> >
>> >> > Cheers
>> >> > S
>> >> >
>> >> >>
>> >> >> -----Original Message----- From: Stephen Farrell
>> >> >> [mailto:stephen.farrell@cs.tcd.ie
>> <javascript:_e(%7B%7D,'cvml','stephen.farrell@cs.tcd.ie');>] Sent:
>> Wednesday, January 13, 2016
>> >> >> 2:19 AM To: Barry Leiba <barryleiba@computer.org
>> <javascript:_e(%7B%7D,'cvml','barryleiba@computer.org');>>; Mike Bishop
>> >> >> <Michael.Bishop@microsoft.com
>> <javascript:_e(%7B%7D,'cvml','Michael.Bishop@microsoft.com');>> Cc:
>> Julian Reschke
>> >> >> <julian.reschke@gmx.de
>> <javascript:_e(%7B%7D,'cvml','julian.reschke@gmx.de');>>;
>> draft-ietf-httpbis-alt-svc@ietf.org
>> <javascript:_e(%7B%7D,'cvml','draft-ietf-httpbis-alt-svc@ietf.org');>;
>> HTTP
>> >> >> Working Group <ietf-http-wg@w3.org
>> <javascript:_e(%7B%7D,'cvml','ietf-http-wg@w3.org');>> Subject: Re: AD
>> review of
>> >> >> draft-ietf-httpbis-alt-svc-10
>> >> >>
>> >> >>
>> >> >> Hiya,
>> >> >>
>> >> >> Yes, I'm fine that ~eve in Mike's scenario can muck with ~alice as
>> >> >> specified. (And such servers still do exist, we have one still.)
>> >> >>
>> >> >> I'd say best would be to call that attack out in the draft, but I
>> >> >> don't think the mitigation for the misbehaviour is to authenticate
>> >> >> ~eve, which is what the text below seems to be saying.
>> Authenticating
>> >> >> the web server for the name will help of course, but surely the real
>> >> >> mitigation for that attack is for the server to scrub the alt-svc
>> >> >> headers? (And to be clear, yes the port number thing is fine, I
>> don't
>> >> >> think system ports is a deal these days.)
>> >> >>
>> >> >> All of the above of course also assumes that the "changing host"
>> >> >> stuff is worked out well, which I'm sure it is or will be, but
>> >> >> haven't checked.
>> >> >>
>> >> >> S
>> >> >>
>> >> >> On 13/01/16 00:34, Barry Leiba wrote:
>> >> >>> The point with all this, in my mind and with respect to the text we
>> >> >>> have, is whether it makes any practical difference any more
>> >> >>> whether Eve sets this up on port 23412 or on port 1000.  My
>> >> >>> contention is that it doesn't, these days (while it might have in
>> >> >>> the past), and that implying that it's safe if the alt-svc is on a
>> >> >>> low-numbered port, but not safe (or less safe) if it's on a
>> >> >>> high-numbered port isn't doing any service to anyone.
>> >> >>>
>> >> >>> I think we should alert people to the possible
>> >> >>> attack/issues/whatever, but that we should not imply that any set
>> >> >>> of ports enjoy any sort of immunity against or resistance to those
>> >> >>> attacks.
>> >> >>>
>> >> >>> b
>> >> >>>
>> >> >>>
>> >> >>> On Tue, Jan 12, 2016 at 5:09 PM, Mike Bishop
>> >> >>> <Michael.Bishop@microsoft.com
>> <javascript:_e(%7B%7D,'cvml','Michael.Bishop@microsoft.com');>> wrote:
>> >> >>>> More whether you're okay with that text as mitigation to this
>> >> >>>> hypothetical attack:
>> >> >>>>
>> >> >>>> http://users.example.com is a shared server which hosts user home
>> >> >>>> pages.  Eve places a config file in her wwwpages directory to add
>> >> >>>> an Alt-Svc header to pages served out of
>> >> >>>> http://users.example.com/~eve announcing an alternative service
>> >> >>>> for http://users.example.com on port 23412.  Bob is using an
>> >> >>>> Alt-Svc-capable browser.  After Bob has visited
>> >> >>>> http://users.example.com/~eve, he visits
>> >> >>>> http://users.example.com/~alice.  His browser, obeying Eve's
>> >> >>>> Alt-Svc header, accesses the alternative service on port 23412,
>> >> >>>> where Eve is running a forward proxy that replaces all pages
>> >> >>>> except her own with dancing hamsters.
>> >> >>>>
>> >> >>>> The original mitigations proposed in the text were "prohibit
>> >> >>>> normal users from setting the Alt-Svc header" (which is
>> >> >>>> retroactive on pre-Alt-Svc servers) or "prohibit normal users
>> >> >>>> from listening for incoming requests" (which is contrary to the
>> >> >>>> security model of any shared machine I've used).  This scenario
>> >> >>>> originally made me want to require strong auth on any change of
>> >> >>>> endpoint, but that breaks the opportunistic security draft.  The
>> >> >>>> current text, which I agree does very little, was as strong as we
>> >> >>>> could think of a way to make it without breaking the way Opp-Sec
>> >> >>>> wanted to work.
>> >> >>>>
>> >> >>>> I haven't seen such a server since I was in college, so I don't
>> >> >>>> know whether they still actually exist and run that way.  I
>> >> >>>> presume they do, even if rare, but I have no data.
>> >> >>>>
>> >> >>>> -----Original Message----- From: Stephen Farrell
>> >> >>>> [mailto:stephen.farrell@cs.tcd.ie
>> <javascript:_e(%7B%7D,'cvml','stephen.farrell@cs.tcd.ie');>] Sent:
>> Tuesday, January 12,
>> >> >>>> 2016 12:32 PM To: Mike Bishop <Michael.Bishop@microsoft.com
>> <javascript:_e(%7B%7D,'cvml','Michael.Bishop@microsoft.com');>>;
>> >> >>>> Barry Leiba <barryleiba@computer.org
>> <javascript:_e(%7B%7D,'cvml','barryleiba@computer.org');>>; Julian
>> Reschke
>> >> >>>> <julian.reschke@gmx.de
>> <javascript:_e(%7B%7D,'cvml','julian.reschke@gmx.de');>> Cc:
>> draft-ietf-httpbis-alt-svc@ietf.org
>> <javascript:_e(%7B%7D,'cvml','draft-ietf-httpbis-alt-svc@ietf.org');>;
>> >> >>>> HTTP Working Group <ietf-http-wg@w3.org
>> <javascript:_e(%7B%7D,'cvml','ietf-http-wg@w3.org');>> Subject: Re: AD
>> review
>> >> >>>> of draft-ietf-httpbis-alt-svc-10
>> >> >>>>
>> >> >>>>
>> >> >>>>
>> >> >>>> On 11/01/16 16:45, Stephen Farrell wrote:
>> >> >>>>>
>> >> >>>>>
>> >> >>>>> On 11/01/16 16:34, Mike Bishop wrote:
>> >> >>>>>> Haven't heard back from Stephen on the port-change issue we
>> >> >>>>>> wanted him to weigh in on; I sent him a reminder.
>> >> >>>>>
>> >> >>>>> 2nd one worked:-)
>> >> >>>>>
>> >> >>>>> Lemme go back and read the mail. Please hassle me if I've not
>> >> >>>>> gotten back by tomorrow sometime
>> >> >>>>
>> >> >>>> So as I understand it (thanks Barry), the issue is whether or not
>> >> >>>> this text is ok:
>> >> >>>>
>> >> >>>> "Clients can reduce this risk by imposing stronger requirements
>> >> >>>> (e.g. strong authentication) when moving from System Ports to
>> >> >>>> User or Dynamic Ports, or from User Ports to Dynamic Ports, as
>> >> >>>> defined in Section 6 of [RFC6335]."
>> >> >>>>
>> >> >>>> FWIW, I have no problem with that. I'm not sure quite what it's
>> >> >>>> telling a client to do, but I don't think there's much difference
>> >> >>>> these days between lower numbered and higher numbered ports. (If
>> >> >>>> that's wrong, I'm sure someone will correct me:-)
>> >> >>>>
>> >> >>>> Note that I've not read the rest of the document, just that bit.
>> >> >>>>
>> >> >>>> Cheers, S.
>> >> >>>>
>> >> >>>>>
>> >> >>>>> Cheers, S.
>> >> >>>>>
>> >> >>>>>>
>> >> >>>>>> -----Original Message----- From: barryleiba@gmail.com
>> <javascript:_e(%7B%7D,'cvml','barryleiba@gmail.com');>
>> >> >>>>>> [mailto:barryleiba@gmail.com
>> <javascript:_e(%7B%7D,'cvml','barryleiba@gmail.com');>] On Behalf Of
>> Barry Leiba Sent:
>> >> >>>>>> Sunday, January 10, 2016 9:20 AM To: Julian Reschke
>> >> >>>>>> <julian.reschke@gmx.de
>> <javascript:_e(%7B%7D,'cvml','julian.reschke@gmx.de');>> Cc:
>> >> >>>>>> draft-ietf-httpbis-alt-svc@ietf.org
>> <javascript:_e(%7B%7D,'cvml','draft-ietf-httpbis-alt-svc@ietf.org');>;
>> HTTP Working Group
>> >> >>>>>> <ietf-http-wg@w3.org
>> <javascript:_e(%7B%7D,'cvml','ietf-http-wg@w3.org');>> Subject: Re: AD
>> review of
>> >> >>>>>> draft-ietf-httpbis-alt-svc-10
>> >> >>>>>>
>> >> >>>>>>>>> I don't think this is a 2119 "MAY": what *else* can it
>> >> >>>>>>>>> do?  You have no other guidance about which alternative
>> >> >>>>>>>>> alternative to pick, so....  I think this should just
>> >> >>>>>>>>> say, "it chooses the most suitable...."
>> >> >>>>>>>>
>> >> >>>>>>>> Agreed. I haven't changed that yet as it affects
>> >> >>>>>>>> normative language but I will unless somebody wants to
>> >> >>>>>>>> defend it soonish.
>> >> >>>>>>>
>> >> >>>>>>> <
>> https://github.com/httpwg/http-extensions/commit/a9df1e33703a2cb4
>> >> >>>>>>>
>> >> >>>>>>>
>> >> > 6c
>> >> >>>>>>> 9b
>> >> >>>>>>>
>> >> >>>>>>>
>> >> >>>>> 441bfca5bbc04fff80d1>
>> >> >>>>>>
>> >> >>>>>> Nice.  Is this the last of the updates, or are we still
>> >> >>>>>> working on any?  Whenever you're ready to post a new I-D
>> >> >>>>>> version, I'll give it a check and request last call.
>> >> >>>>>>
>> >> >>>>>> Barry
>> >> >>>>>>
>> >> >>>>>
>> >> >>>>>
>> >> >>>
>> >> >
>> >>
>> >> --
>> >> Mark Nottingham   https://www.mnot.net/
>> >>
>> >>
>> >>
>> >>
>> >
>>
>>
>