Re: Benjamin Kaduk's Yes on draft-ietf-httpbis-bcp56bis-14: (with COMMENT)
Mark Nottingham <mnot@mnot.net> Wed, 25 August 2021 04:41 UTC
Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 286DB3A074D for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 24 Aug 2021 21:41:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.997
X-Spam-Level:
X-Spam-Status: No, score=-2.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=mnot.net header.b=ZlGk1DAD; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=wPmULrW7
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MEB7FU1MYOBo for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 24 Aug 2021 21:41:35 -0700 (PDT)
Received: from lyra.w3.org (lyra.w3.org [128.30.52.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 55A783A0736 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Tue, 24 Aug 2021 21:41:34 -0700 (PDT)
Received: from lists by lyra.w3.org with local (Exim 4.92) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1mIkgh-0003JF-Gk for ietf-http-wg-dist@listhub.w3.org; Wed, 25 Aug 2021 04:38:55 +0000
Resent-Date: Wed, 25 Aug 2021 04:38:55 +0000
Resent-Message-Id: <E1mIkgh-0003JF-Gk@lyra.w3.org>
Received: from titan.w3.org ([128.30.52.76]) by lyra.w3.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <mnot@mnot.net>) id 1mIkge-0003IT-QO for ietf-http-wg@listhub.w3.org; Wed, 25 Aug 2021 04:38:52 +0000
Received: from out2-smtp.messagingengine.com ([66.111.4.26]) by titan.w3.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <mnot@mnot.net>) id 1mIkga-0001Sj-4A for ietf-http-wg@w3.org; Wed, 25 Aug 2021 04:38:52 +0000
Received: from compute3.internal (compute3.nyi.internal [10.202.2.43]) by mailout.nyi.internal (Postfix) with ESMTP id 800705C00D1; Wed, 25 Aug 2021 00:38:34 -0400 (EDT)
Received: from mailfrontend2 ([10.202.2.163]) by compute3.internal (MEProxy); Wed, 25 Aug 2021 00:38:34 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mnot.net; h= content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; s=fm3; bh=x GyG6t2jkdJbxrK0gTa/lCziaK8Xai/UUZ0DqJHMGvg=; b=ZlGk1DADk0f+JFjSU itgi7j15RDR4jdxLNtIQvLvHKLtIE/8c3vTpkPunpFdzgVP8ZX7obYr6K5rMbeun OXGmEMWTGBpfq5iVyOCmCS8wcvefdWLmCWjRS3XRpp81vxWG2JmjJjXy/ZMH2WGc YyUAO7BzejJATalS3xpvHSU4RxP91MMJ+WtzjpRpjWZIIIhrnBXEyP1bKOfUqA6N q3hlN7Y2EXroAAxjpxRKuAtBJp5bzR4bDIA1FY+3RZ7x6QH4KKVUgo2DnyZU6g20 IUah97cwL/KapZm1UxXDl7lTnqPCLHoPLH5tWLIViBjirmCRxQmmH+XVaCr8Q6H6 k5Tgw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm3; bh=xGyG6t2jkdJbxrK0gTa/lCziaK8Xai/UUZ0DqJHMG vg=; b=wPmULrW7ND5OE5tL3VIG+yMD38qzWs1Zy1+LWrbU2GR/ZsPV4x3cWQW1n xTUyXEQniZXFIJu8nC27De9c+MVm/416YGHkdRQivDE37zYf1lvUJkugg8MZai5x q2AvqciUaNfgT+Lw6eVtPyMwoRZf7a6OlaPNYhRceJIEGXL3eny+7CHcpsyatctf ErxdX13LXg2hUAa8qpThoZPR9VgetcQfbCTjRI4U2sLEfGmYLxaMFa8AIv2c8Krl g5j4vRGF0o+gE3R0vQP/cWvhl+M2Jy6IStOOG2X/RvJZLsbW2zTejNSGMIlgIjuc +sASpFpoyvoLAq8Jlsvr+RG7PtC2A==
X-ME-Sender: <xms:ScklYfciioiZO1_BPtjyiVQMms5VXXGeOr1XzYhEpKufeobBMWQxMA> <xme:ScklYVPp5PN59vql-G9OurLyIJPdrNynVRMt_BsfX-dPEipfBxxSDADZaM2mv89YI RU0KdZpXNdpifS34w>
X-ME-Received: <xmr:ScklYYhC_IvQd9bwCKTD6e12Hp0DmNpjwBGn2R811VJwA1zfmq1urM3TNudcLYGq9t2WwPpEfwfAy7O-MC7z4by2lkG8T1KPIo5rNk9kgTY8loRQ4iFhhcLW>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvtddruddtkedgkeehucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne cujfgurheptggguffhjgffgffkfhfvofesthhqmhdthhdtjeenucfhrhhomhepofgrrhhk ucfpohhtthhinhhghhgrmhcuoehmnhhothesmhhnohhtrdhnvghtqeenucggtffrrghtth gvrhhnpeeviedtheffheegtdefkeejvdevhfekvedtffejieeftdehtdeviefhgfejjeeh ieenucffohhmrghinhepghhithhhuhgsrdgtohhmpdhivghtfhdrohhrghdpmhhnohhtrd hnvghtnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomhep mhhnohhtsehmnhhothdrnhgvth
X-ME-Proxy: <xmx:ScklYQ_wcciSH3X1VIudEPcRiE1gsJmL-LrttPpXdLEWkUQwQ67_1A> <xmx:ScklYbt0SEIkkQ8FJ0Z5vGN9sLiKwaG0mCqIbhDTRIfKgB70AFn64Q> <xmx:ScklYfFRBJnhZp4VDRMawPq5R9ZhIc5O4WvO2bTdKwFj7q3-eGnzaw> <xmx:SsklYRWUurUUzWw_B8UJKhnJ-S_Q8VIySjaD1iUYY4V3NLiqFV7-Ww>
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Wed, 25 Aug 2021 00:38:31 -0400 (EDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.120.0.1.13\))
From: Mark Nottingham <mnot@mnot.net>
In-Reply-To: <162985989825.18541.14061589191271464682@ietfa.amsl.com>
Date: Wed, 25 Aug 2021 14:38:29 +1000
Cc: The IESG <iesg@ietf.org>, HTTP Working Group <ietf-http-wg@w3.org>, Tommy Pauly <tpauly@apple.com>
Content-Transfer-Encoding: quoted-printable
Message-Id: <DCA54D48-6335-4392-B2C8-B5D1E9335849@mnot.net>
References: <162985989825.18541.14061589191271464682@ietfa.amsl.com>
To: Benjamin Kaduk <kaduk@mit.edu>
X-Mailer: Apple Mail (2.3654.120.0.1.13)
Received-SPF: pass client-ip=66.111.4.26; envelope-from=mnot@mnot.net; helo=out2-smtp.messagingengine.com
X-W3C-Hub-DKIM-Status: validation passed: (address=mnot@mnot.net domain=mnot.net), signature is good
X-W3C-Hub-DKIM-Status: validation passed: (address=mnot@mnot.net domain=messagingengine.com), signature is good
X-W3C-Hub-Spam-Status: No, score=-9.8
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, W3C_AA=-1, W3C_DB=-1, W3C_IRA=-1, W3C_IRR=-3, W3C_WL=-1
X-W3C-Scan-Sig: titan.w3.org 1mIkga-0001Sj-4A 65af3cd305cf550fd694d3b5993639d2
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Benjamin Kaduk's Yes on draft-ietf-httpbis-bcp56bis-14: (with COMMENT)
Archived-At: <https://www.w3.org/mid/DCA54D48-6335-4392-B2C8-B5D1E9335849@mnot.net>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/39263
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
Hi Ben, Thanks for the feedback. I've responded and tracked the resulting changes in: https://github.com/httpwg/http-extensions/issues/1617 Happy to discuss further here or there if necessary. Cheers, > On 25 Aug 2021, at 12:51 pm, Benjamin Kaduk via Datatracker <noreply@ietf.org> wrote: > > Benjamin Kaduk has entered the following ballot position for > draft-ietf-httpbis-bcp56bis-14: Yes > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html > for more information about DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-httpbis-bcp56bis/ > > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > Thanks to Tommy for the shepherd writeup, which was very nice except > that it only answered one of the three parts of question (1). > > Thanks once again to the editors and WG for another very well-written > document! > > Thanks as well to Joe Salowey for the secdir review, and to the authors > for the discussion and updates in response to it. > > I made a github pull request with a few editorial suggestions: > https://github.com/httpwg/http-extensions/pull/1616 > > Section 3.2 > > As explained in [RFC8820], such "squatting" on a part of the URL > > Are there toolchain issues that prevent BCP190 from being the reference > here or is there some other reason to prefer the RFC form of the > reference? > > Section 4.3 > > It seems somewhat surprising that the things we say about client > behavior are basically unrelated to the areas where we ask for server > behaviors to be specified. Is there anything useful to say about, e.g., > how the client uses media types, handles header fields, and processes > link relationships (even if [FETCH] would also say such things)? > > Section 4.4.2 > > Applications that use HTTP will typically employ the "http" and/or > "https" URI schemes. "https" is RECOMMENDED to provide > authentication, integrity and confidentiality, as well as mitigate > pervasive monitoring attacks [RFC7258]. > > It seems clear to me that use of "https" is both IETF current practice > and a general best practice. I see the shepherd writeup's mention of > the extensive WG discussions on this guidance (regarding "RECOMMENDED" > vs "MUST"), and posit that the lack of a clear definition of what BCP 14 > keywords mean in a BCP-status document (and perhaps some lack of clarity > as to what the scope of applicability of this document is) underlie much > of the controversy. (We saw a similar controversy in what became RFC > 8996 (part of BCP 195) and its various "MUST NOT"s.) In light of the > extensive WG discussion that already occurred, I do not see reason to > ballot DISCUSS on this topic, but do ask if avoiding BCP 14 keywords > entirely was considered, along the lines of: > > % The use of TLS, i.e., the "https" URI scheme, is the best current > % practice, since it provides (source) authentication, integrity and > % confidentiality, as well as mitigation against pervasive monitoring > % attacks [RFC7258]. > > * The resources identified by the new scheme will still be available > using "http" and/or "https" URLs. [...] > > Is this availability guaranteed, or just a common risk ("likely")? I > could imagine a custom HTTP implementation that only allows requests > using a single (custom) scheme, though admittedly mostly just as a > thought experiment and not something practical. > > Section 4.6.1 > > An application > using HTTP should specify if any request header fields that it > defines need to be modified or removed upon a redirect; however, this > behaviour cannot be relied upon, since a generic client (like a > browser) will be unaware of such requirements. > > Should we encourage the application designer to use "fail safe" > semantics for such request header fields in light of the non-guarantee > that application-specific requirements will be heeded? (Possibly in a > later section more focused on header fields or application state rather > than here.) > > Section 4.9.1 > > It is not necessary to add the public response directive > ([I-D.ietf-httpbis-cache], Section 5.2.2.9) to cache most responses; > it is only necessary when it's desirable to store an authenticated > response. > > This seems to be a slightly different definition than the referenced > document uses. I am not entirely sure whether the divergence is > actually problematic, though. > > Section 4.12 > > Applications can use HTTP authentication Section 11 of > [I-D.ietf-httpbis-semantics] to identify clients. As per [RFC7617], > the Basic authentication scheme is not suitable for protecting > sensitive or valuable information unless the channel is secure (e.g., > using the "HTTPS" URI scheme). Likewise, [RFC7616] requires the > Digest authentication scheme to be used over a secure channel. > > I see that this text has already been subject to quite a bit of > discussion, but RFC 7616 doesn't "require" this; it says that "it SHOULD > be over a secure channel like HTTPS". If pressed to suggest an > alternate phrasing, I would offer "[RFC7616] expects the Digest > authentication scheme to be used over a secure channel", but I am not > specifically promoting that phrasing. > > With HTTPS, clients might also be authenticated using certificates > [RFC5246]. > > When used, it is important to carefully specify the scoping and use > of authentication; if the application exposes sensitive data or > capabilities (e.g., by acting as an ambient authority), exploits are > possible. Mitigations include using a request-specific token to > assure the intent of the client. > > To mention client certificate authentication and scoping of > authentication in such close proximity but not discuss the well-known > pitfalls of TLS client certificate authentication feels like it's > leaving a big gap open. > > I think we want to add something roughly like: > > % TLS client certificate authentication is intrinsically scoped to the > % underlying transport connection. On such an authenticated connection, > % a client has no way of knowing whether the authenticated status was > % used in preparing the response (though "Vary: *" can provide a partial > % indication), and the only way to obtain a specifically unauthenticated > % response is to open a new connection. Applications should consider > % whether or not client certificate authentication is appropriate for > % their needs and expected use patterns. TLS Exported authenticators > % [I-D.ietf-tls-exported-authenticator] are an attempt to remove some of > % these limitations while retaining the convenience and other advantages > % of client certificate authentication. > > (The last sentence is optional, of course.) > > Section 6 > > Do we want to incorporate by reference the security considerations of > any other documents? -semantics, -cache, and RFC 8288, perhaps? > ("Application protocols using HTTP are subject to the security > considerations of HTTP itself and any extensions used; > [I-D.ietf-httpbis-semantics], [I-D.ietf-httpbis-cache], and [RFC8288] > are some often-relevant references.") > If not, there might be a few things worth mentioning as standalone, > e.g., risk of infinite redirect loops and the scope of issues possible when > Vary: isn't used. > > The potential for skew between HTTP caching and (distinct) application > protocol lifetime values discussed in §4.9.3 is a likely source of > security issues, so that section might merit a mention in this listing. > > Section 7.1 > > It's not entirely clear to me that RFC 7301 needs to be listed as > normative; we mention ALPN only in the context of (paraphrasing) > "applications using HTTP ALPN values are subject to these requirements". > > Section 7.2 > > We reference httpbis-cache in a number of places, and the sentiment in > several seems to be along the lines of "applications really ought to > consider the potential impact of caches, since caches might appear in > the request path for reasons outside the control of the application". > Classifying it as a normative reference seems like it would be > defensible (though leaving it as informative is also defensible). > > NITS > > Section 1 > > This document contains best current practices for the specification > of such applications. [...] > > Earlier we've talked about "applications other than Web browsing", > "protocols [that] are often ad hoc", "applications [with] multiple, > separate implementations", and "application protocol[s] using HTTP". > When we say "such applications" do we have a specific referent in mind? > > Section 4.5.1 > > Therefore, applications using > HTTP that feel a need to allow POST queries ought consider allowing > both methods. > > All the "ought"s in -semantics made sense, but seeing as this document > is a BCP, maybe it's okay to give a more definitive recommendation? > > Section 4.9.3 > > One way to address this is to explicitly specify that all responses > be fresh upon use. > > I think I'm failing to parse this sentence properly, and it's unclear if > s/be/are/ is the right fix. (In particular, what does it mean to "use" > a response?) > > Section 4.16 > > In HTTP, backwards-incompatible changes are possible using a number > of mechanisms: > > "A number of" implies uncertainty about exactly how many, which would > typically be accompanied by "including"; if the list is actually > exhaustive, using the actual number ("three") might be preferred. > > Section 6 > > We refer to several other sections as being security-relevant, and the > list is almost (but not) sorted. Should it be sorted? > > > -- Mark Nottingham https://www.mnot.net/
- Benjamin Kaduk's Yes on draft-ietf-httpbis-bcp56b… Benjamin Kaduk via Datatracker
- Re: Benjamin Kaduk's Yes on draft-ietf-httpbis-bc… Mark Nottingham
- Re: Benjamin Kaduk's Yes on draft-ietf-httpbis-bc… Benjamin Kaduk