Re: 2.2. Interaction with "https" URIs | Re: SETTINGS_MIXED_SCHEME_PERMITTED | Re: I-D Action: draft-ietf-httpbis-http2-encryption-07.txt

Kari Hurtta <hurtta-ietf@elmme-mailer.org> Mon, 10 October 2016 04:50 UTC

To: Martin Thomson <martin.thomson@gmail.com>
Date: Mon, 10 Oct 2016 07:45:40 +0300 (EEST)
From: Kari Hurtta <hurtta-ietf@elmme-mailer.org>
CC: Kari hurtta <hurtta-ietf@elmme-mailer.org>, Mike Bishop <Michael.Bishop@microsoft.com>, HTTP working group mailing list <ietf-http-wg@w3.org>, Patrick McManus <mcmanus@ducksong.com>

Martin Thomson <martin.thomson@gmail.com>: (Mon Oct 10 02:17:08 2016)
> > 2.2.  Interaction with "https" URIs
> > https://tools.ietf.org/html/draft-ietf-httpbis-http2-encryption-07#section-2.3
> >
> > |   Because of the risk of server confusion about individual requests'
> > |   schemes (see Section 4.4), clients MUST NOT send "http" requests on a
> > |   connection that has previously been used for "https" requests, unless
> > |   the http-opportunistic origin object Section 2.3 fetched over that
> > |   connection has a "mixed-scheme" member whose value is "true".
> >
> > I think that the RFC can also require the opposite.
> >
> > Add:
> >
> >    And clients MUST NOT send "https" requests on a connection that has
> >    previously been used for "http" requests, unless the http-opportunistic
> >    origin object has a "mixed-scheme" member whose value is "true"
> 
> I disagree.  The point of all this mucking around is to make it clear
> that special behaviour is permitted, making https requests over an
> authenticated TLS connection is perfectly normal and expected.

After one "https" request, this applies:

|                            clients MUST NOT send "http" requests on a
|    connection that has previously been used for "https" requests,

So it is unusable for "http".

And if "http" and "https" are sent consecutively on "h2", which
one is executed first?

What is the reason for the "mixed-scheme" is "true" requirement?

Is the reason that
	∘ confusion happens if "http" follows "https", or
	∘ the scheme is determined only on the first request?

If any "https" can cause confusion, then there is also
a danger in the sequence "http" and then "https", assuming that
the first is not completed before the send is requested.

/ Kari Hurtta
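
The following is an added example, not part of the message above or of the draft: a client-side model of the quoted Section 2.2 rule, with a `symmetric` switch for the additional rule proposed in the thread. `ConnectionPolicy` and `replay` are hypothetical names, and reading the draft's value "true" as the JSON boolean is an assumption.

```python
from dataclasses import dataclass, field


@dataclass
class ConnectionPolicy:
    """Tracks which schemes a client has already sent on one connection."""
    # Parsed http-opportunistic origin object fetched over this connection.
    origin_object: dict = field(default_factory=dict)
    # When True, also enforce the reverse rule proposed in the thread.
    symmetric: bool = False
    used: set = field(default_factory=set)

    def mixed_scheme_permitted(self) -> bool:
        # Assumption: only the JSON boolean true counts, not the string "true".
        return self.origin_object.get("mixed-scheme") is True

    def may_send(self, scheme: str) -> bool:
        if scheme not in ("http", "https"):
            raise ValueError(f"unsupported scheme: {scheme!r}")
        if self.mixed_scheme_permitted():
            return True
        # Quoted draft rule: no "http" after "https" on the same connection.
        if scheme == "http" and "https" in self.used:
            return False
        # Proposed addition: no "https" after "http" either.
        if self.symmetric and scheme == "https" and "http" in self.used:
            return False
        return True

    def send(self, scheme: str) -> bool:
        # The scheme is recorded when the request is sent, not when it
        # completes, so two requests in flight together are still ordered.
        allowed = self.may_send(scheme)
        if allowed:
            self.used.add(scheme)
        return allowed


def replay(schemes, **policy_args):
    """Run a constructed sequence of request schemes over one connection."""
    policy = ConnectionPolicy(**policy_args)
    return [policy.send(s) for s in schemes]
```
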