Éric Vyncke's No Objection on draft-ietf-httpbis-client-cert-field-05: (with COMMENT)
Éric Vyncke via Datatracker <noreply@ietf.org> Thu, 09 March 2023 10:33 UTC
Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0B54BC14CE33 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 9 Mar 2023 02:33:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.949
X-Spam-Level:
X-Spam-Status: No, score=-4.949 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.25, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S_Ya1dm5lb9O for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 9 Mar 2023 02:33:54 -0800 (PST)
Received: from lyra.w3.org (lyra.w3.org [128.30.52.18]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C879BC14CE30 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Thu, 9 Mar 2023 02:33:54 -0800 (PST)
Received: from lists by lyra.w3.org with local (Exim 4.94.2) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1paDYe-00EfJH-EV for ietf-http-wg-dist@listhub.w3.org; Thu, 09 Mar 2023 10:31:36 +0000
Resent-Date: Thu, 09 Mar 2023 10:31:36 +0000
Resent-Message-Id: <E1paDYe-00EfJH-EV@lyra.w3.org>
Received: from titan.w3.org ([128.30.52.76]) by lyra.w3.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <noreply@ietf.org>) id 1paDYc-00EfIO-AU for ietf-http-wg@listhub.w3.org; Thu, 09 Mar 2023 10:31:34 +0000
Received: from mail.ietf.org ([50.223.129.194]) by titan.w3.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <noreply@ietf.org>) id 1paDYZ-007xjZ-CY for ietf-http-wg@w3.org; Thu, 09 Mar 2023 10:31:34 +0000
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 87411C14CE30; Thu, 9 Mar 2023 02:31:20 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: Éric Vyncke via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-httpbis-client-cert-field@ietf.org, httpbis-chairs@ietf.org, ietf-http-wg@w3.org, mnot@mnot.net, mnot@mnot.net
X-Test-IDTracker: no
X-IETF-IDTracker: 9.13.0
Auto-Submitted: auto-generated
Reply-To: Éric Vyncke <evyncke@cisco.com>
Message-ID: <167835788054.48187.12188123736748073199@ietfa.amsl.com>
Date: Thu, 09 Mar 2023 02:31:20 -0800
Received-SPF: pass client-ip=50.223.129.194; envelope-from=noreply@ietf.org; helo=mail.ietf.org
X-W3C-Hub-Spam-Status: No, score=-6.2
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, W3C_AA=-1, W3C_WL=-1
X-W3C-Scan-Sig: titan.w3.org 1paDYZ-007xjZ-CY 55849bef70fdf97945b1e5ebcc42b6ec
X-Original-To: ietf-http-wg@w3.org
Subject: Éric Vyncke's No Objection on draft-ietf-httpbis-client-cert-field-05: (with COMMENT)
Archived-At: <https://www.w3.org/mid/167835788054.48187.12188123736748073199@ietfa.amsl.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/50823
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
Éric Vyncke has entered the following ballot position for draft-ietf-httpbis-client-cert-field-05: No Objection When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ for more information about how to handle DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-httpbis-client-cert-field/ ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- # Éric Vyncke, INT AD, comments for draft-ietf-shmoo-hackathon-07 CC @evyncke Thank you for the work put into this document. Please find below some non-blocking COMMENT points (but replies would be appreciated even if only for my own education), and one nit. Special thanks to Mark Nottingham for the shepherd's detailed write-up including the WG consensus *and* the WG discussion about the intended status. I hope that this review helps to improve the document, Regards, -éric ## COMMENTS ### Use of normative BCP 14 language Yet another IETF draft using the normative BCP14 language in an informative document. No need to reply, this use of normative language is becoming usual :-( but I wanted to point it out. ### Section 2.4 In ```Any occurrence of the Client-Cert or Client-Cert-Chain header fields in the original incoming request MUST be removed or overwritten before forwarding the request. An incoming request that has a Client-Cert or Client-Cert-Chain header field MAY be rejected with an HTTP 400 response.``` shouldn't the last MAY be a SHOULD ? About deployment, how will the system work with a client sending those headers via a TTRP that does not support those headers (i.e., do not remove them)? I would have preferred a kind of signature of those headers by the TTRP so the the origin server trust them. I.e., how can the last paragraph of this section be enforced ? It is (too) briefly discussed in appendix B.1 (which should be in the security section). ### Section 3.1 Suggest to qualify the owner the dynamic table in `increasing the size of the dynamic table` ### Deployment of TTRP farms Please accept my lack of knowledge in HTTP... two questions: 1) are those headers sent in *each* HTTP requests to the origin or only in the first one ? 2) AFAIK, TLS termination can be shared among a TTRP farm by sharing the TLS states, should also the states for those headers be also shared among the farm members? ## NITS ### Section 2.1 Should quotes be used in `it will be sufficient to replace ---(BEGIN|END) CERTIFICATE--- with :` ? ## Notes This review is in the ["IETF Comments" Markdown format][ICMF], You can use the [`ietf-comments` tool][ICT] to automatically convert this review into individual GitHub issues. [ICMF]: https://github.com/mnot/ietf-comments/blob/main/format.md [ICT]: https://github.com/mnot/ietf-comments
- Éric Vyncke's No Objection on draft-ietf-httpbis-… Éric Vyncke via Datatracker
- Re: Éric Vyncke's No Objection on draft-ietf-http… Julian Reschke
- Re: Éric Vyncke's No Objection on draft-ietf-http… Brian Campbell