Re: Alt-Svc WGLC

Kyle Rose <krose@krose.org> Tue, 12 January 2016 02:56 UTC

To: Martin Thomson <martin.thomson@gmail.com>
Cc: Julian Reschke <julian.reschke@gmx.de>, Hervé Ruellan <herve.ruellan@crf.canon.fr>, HTTP Working Group <ietf-http-wg@w3.org>

>> "Clients MUST NOT use unauthenticated alternative services with a host
>> that is different from the origin or authenticated alternative
>> services with a host that does not authenticate itself as the origin."
>
> I think that the second part is invariant, the first is an additional
> limitation on the use of alternative service advertisements that
> aren't properly authenticated.

The second part is bad wording.

What is the issue with the first part? My reading of the draft is that
we want to support the case in which an unauthenticated origin
provides an alternative service that *is* authenticated, just not the
case in which an unauthenticated origin provides an alternative
service that is also unauthenticated:

`This is the reason for the requirement in host_auth that any
alternative service with a host different to the origin's be strongly
authenticated with the origin's identity; i.e., presenting a
certificate for the origin proves that the alternative service is
authorized to serve traffic for the origin.`

I think we can actually skirt the confusion from the second part of my
previous proposal, and just slightly reword the existing text to more
closely match the wording in host_security:

"Clients MUST NOT use an alternative service with a host that is
different from the origin's without the alternative service strongly
authenticating with the origin's identity."

This admits:

 * unauth origin -> unauth alt svc on same host
 * unauth origin -> auth alt svc anywhere
 * auth origin -> auth alt svc anywhere

In isolation it also literally admits auth origin -> unauth alt svc on
same host, but that case is subject to the language in
changing-protocols around clients taking care about downgrading
security through the use of alternative services.

Kyle
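
The case analysis in the message above, written out as an added example (not part of the original message or of the draft). It encodes the proposed wording as a client-side check and enumerates all eight combinations. The `Endpoint` type, the function names, the sample hostnames and the case-insensitive, trailing-dot-tolerant host comparison are assumptions made for illustration; for an alternative service, `authenticated` means it strongly authenticates with the origin's identity.

```python
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Endpoint:
    host: str
    # Origin: reached over an authenticated connection.
    # Alt svc: presents a certificate valid for the origin's identity.
    authenticated: bool


def same_host(a: str, b: str) -> bool:
    # Assumption: hosts compare case-insensitively, ignoring a trailing dot.
    return a.rstrip(".").lower() == b.rstrip(".").lower()


def evaluate(origin: Endpoint, alt: Endpoint) -> tuple[bool, str]:
    """Apply the proposed rule: a different host requires strong authentication."""
    if not same_host(origin.host, alt.host) and not alt.authenticated:
        return False, "different host without strong authentication as the origin"
    if origin.authenticated and not alt.authenticated:
        # Literally admitted by the sentence in isolation; the message defers
        # this case to the downgrade language in changing-protocols.
        return True, "same host, but a security downgrade: see changing-protocols"
    return True, "admitted"


def case_matrix(origin_host: str = "example.com",
                other_host: str = "alt.example.net") -> dict:
    """Evaluate every (origin auth, alt auth, same host) combination.

    Hostnames are constructed sample values.
    """
    rows = {}
    for o_auth, a_auth, same in product((False, True), repeat=3):
        alt_host = origin_host if same else other_host
        rows[(o_auth, a_auth, same)] = evaluate(
            Endpoint(origin_host, o_auth), Endpoint(alt_host, a_auth))
    return rows


if __name__ == "__main__":
    for (o_auth, a_auth, same), (ok, note) in case_matrix().items():
        print(f"origin_auth={o_auth!s:5} alt_auth={a_auth!s:5} "
              f"same_host={same!s:5} -> {'use' if ok else 'MUST NOT use'}: {note}")
```
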