Re: Éric Vyncke's No Objection on draft-ietf-httpbis-client-cert-field-05: (with COMMENT)
Brian Campbell <bcampbell@pingidentity.com> Fri, 10 March 2023 00:01 UTC
Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 97D2CC1522AD for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 9 Mar 2023 16:01:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.048
X-Spam-Level:
X-Spam-Status: No, score=-5.048 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NxFrZijElqiJ for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 9 Mar 2023 16:01:35 -0800 (PST)
Received: from lyra.w3.org (lyra.w3.org [128.30.52.18]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 88B45C1516E3 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Thu, 9 Mar 2023 16:01:34 -0800 (PST)
Received: from lists by lyra.w3.org with local (Exim 4.94.2) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1paQ9e-00Glrt-Bw for ietf-http-wg-dist@listhub.w3.org; Thu, 09 Mar 2023 23:58:38 +0000
Resent-Date: Thu, 09 Mar 2023 23:58:38 +0000
Resent-Message-Id: <E1paQ9e-00Glrt-Bw@lyra.w3.org>
Received: from mimas.w3.org ([128.30.52.79]) by lyra.w3.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <bcampbell@pingidentity.com>) id 1paQ9c-00Glqw-4S for ietf-http-wg@listhub.w3.org; Thu, 09 Mar 2023 23:58:36 +0000
Received: from mail-pf1-x42a.google.com ([2607:f8b0:4864:20::42a]) by mimas.w3.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from <bcampbell@pingidentity.com>) id 1paQ9X-001IEV-4b for ietf-http-wg@w3.org; Thu, 09 Mar 2023 23:58:36 +0000
Received: by mail-pf1-x42a.google.com with SMTP id fa28so2592615pfb.12 for <ietf-http-wg@w3.org>; Thu, 09 Mar 2023 15:58:30 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=google; t=1678406300; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=6mQeIQuzBQkfS7OwLwePMMq47+n9YPhLhDT0I/cR+JY=; b=TAPDI+VT/qhIS/BLm8natxoz5PZ5cF9Mv5wPcM/Oz9j/k+aO4HfD1+Iit/nimZlTfq J5wMhhlomLqVYMwWBLzfca7Dys2t5UmK7ro4jCb4z96iIAtZUlO2L3xryL40BfZRJJZi f1A0LoNgF+2G4NBIOvl5M33dyi5A9meldvfHPYxPNaUVce/fH+Y+LR8maheG4G00WP+z ymL5MFu/AebhDGOM166rbbTj+CstaKu8r13zzlGvYkU4LCLwn4/fbGYcqchQNRcEsHEO QnqqabutkYo1YdMKQfYGWlqV+TwoutkEJw2Kn0yFZbaH9uPV3s6tNfcaYRebgHXNI7Eg Btzg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1678406300; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=6mQeIQuzBQkfS7OwLwePMMq47+n9YPhLhDT0I/cR+JY=; b=MPBqGP6Fy0xV8RYtg+881dKPZgZuPwfRxhOetlOKCAKX4kTqTgoEtWKXBZ+WJia9eH g7R28KTnG2oRWs7ShADM01bG6lr4YgIiVZrUnE6EaFVhnJp4DID3G6odF1hpc8zT1eUY 11YuvcgtD8I+W0SedRFc/CTdqfVolcvYQua28rAbnz2emIL+cfIuCETtNWyDtG2Wfsvb n8D4XAKuAiFW7tskVbeRMzLEnunaTsG1X/xV6BE6OEEu9AabCjcCpvIyxaTqTvVYH2ib VvUN6Xbhr1Ogg12dfNlF3tcCn3CsKTpziPuiGjAEuxJNzZJg6Eu144XhW6E/Ke9lrirg lFtw==
X-Gm-Message-State: AO0yUKUUY2Xt1vai6r2qxWxrIkPbBLhEF0SKsDjLb61Yqkt5ReYs+Oaw MfcUkxtpNY7YlYPkfmsIlzjUoxMU8FHYep9jPYSkBzZ/LtFKPUUKgb/PG6NYnvTQAvOhlvSeBmP 1JDn2Vi3dOi3nVomWaHPa
X-Google-Smtp-Source: AK7set8/x6rCP9hTbevbzrE4bs6rukeGvvTDWfdXoAl5+ZJOPPwYlhneUH1R9q3AvD0ZfnzWODgLY0w5BnfS3BMMjKw=
X-Received: by 2002:a05:6a00:1151:b0:5a8:aaa1:6c05 with SMTP id b17-20020a056a00115100b005a8aaa16c05mr27548pfm.2.1678406299427; Thu, 09 Mar 2023 15:58:19 -0800 (PST)
MIME-Version: 1.0
References: <167835788054.48187.12188123736748073199@ietfa.amsl.com>
In-Reply-To: <167835788054.48187.12188123736748073199@ietfa.amsl.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Thu, 09 Mar 2023 16:57:40 -0700
Message-ID: <CA+k3eCRMa3UgSnYZB9EDQtWcHkAWy_UxS1zft5VOijin8PvyHQ@mail.gmail.com>
To: Éric Vyncke <evyncke@cisco.com>
Cc: The IESG <iesg@ietf.org>, draft-ietf-httpbis-client-cert-field@ietf.org, httpbis-chairs@ietf.org, ietf-http-wg@w3.org, mnot@mnot.net
Content-Type: multipart/alternative; boundary="0000000000004492b105f6806b1c"
Received-SPF: pass client-ip=2607:f8b0:4864:20::42a; envelope-from=bcampbell@pingidentity.com; helo=mail-pf1-x42a.google.com
X-W3C-Hub-DKIM-Status: validation passed: (address=bcampbell@pingidentity.com domain=pingidentity.com), signature is good
X-W3C-Hub-Spam-Status: No, score=-5.1
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, W3C_AA=-1, W3C_DB=-1, W3C_WL=-1
X-W3C-Scan-Sig: mimas.w3.org 1paQ9X-001IEV-4b 117f75be76bd0cbe2c0adf824a3e657f
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Éric Vyncke's No Objection on draft-ietf-httpbis-client-cert-field-05: (with COMMENT)
Archived-At: <https://www.w3.org/mid/CA+k3eCRMa3UgSnYZB9EDQtWcHkAWy_UxS1zft5VOijin8PvyHQ@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/50825
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
Thank you, Éric, for the review and ballot position. I've tried to reply to your comments as best I can inline below. On Thu, Mar 9, 2023 at 3:31 AM Éric Vyncke via Datatracker <noreply@ietf.org> wrote: > Éric Vyncke has entered the following ballot position for > draft-ietf-httpbis-client-cert-field-05: No Objection > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to > https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ > for more information about how to handle DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-httpbis-client-cert-field/ > > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > > # Éric Vyncke, INT AD, comments for draft-ietf-shmoo-hackathon-07 > Wrong draft? :) > CC @evyncke > > Thank you for the work put into this document. > > Please find below some non-blocking COMMENT points (but replies would be > appreciated even if only for my own education), and one nit. > > Special thanks to Mark Nottingham for the shepherd's detailed write-up > including the WG consensus *and* the WG discussion about the intended > status. > > I hope that this review helps to improve the document, > > Regards, > > -éric > > ## COMMENTS > > ### Use of normative BCP 14 language > > Yet another IETF draft using the normative BCP14 language in an informative > document. No need to reply, this use of normative language is becoming > usual > :-( but I wanted to point it out. > > ### Section 2.4 > > In > ```Any occurrence of the Client-Cert or Client-Cert-Chain header fields in > the > original incoming request MUST be removed or overwritten before forwarding > the > request. An incoming request that has a Client-Cert or Client-Cert-Chain > header > field MAY be rejected with an HTTP 400 response.``` shouldn't the last MAY > be a > SHOULD ? > The important requirement is the MUST in the first sentence remove or overwrite headers. Which is common practice (as far as I know) and meets the security needs. The MAY is only noting the option the TTRP has to reject such a request, which it may or may not want to do. MAY was intended here and seems appropriate. > > About deployment, how will the system work with a client sending those > headers > via a TTRP that does not support those headers (i.e., do not remove them)? > I > would have preferred a kind of signature of those headers by the TTRP so > the > the origin server trust them. I.e., how can the last paragraph of this > section > be enforced ? It is (too) briefly discussed in appendix B.1 (which should > be in > the security section). > The security considerations attempt to explain what's necessary in a deployment. Basically that a TTRP always sanitizes headers in requests and the origin is unreachable other than via the TTRP. And all server side participants have to support the headers/protocol. While appendix B.1 attempts to give some rationale for that being the approach to security. Honestly not sure what else meaningful I can say here. > ### Section 3.1 > > Suggest to qualify the owner the dynamic table in `increasing the size of > the > dynamic table` > The first part of that sentence does indicate the origin server as such, "An origin could mitigate the efficiency loss by increasing the size of the dynamic table." > > ### Deployment of TTRP farms > > Please accept my lack of knowledge in HTTP... two questions: > > 1) are those headers sent in *each* HTTP requests to the origin or only in > the > first one ? > The header(s) are sent in each request from TTRP to origin. > > 2) AFAIK, TLS termination can be shared among a TTRP farm by sharing the > TLS > states, should also the states for those headers be also shared among the > farm > members? > Those are (I think) implementation/deployment details of the TLS layer and honestly I'm out of my depth here but would assume client auth state would be shared too in such cases. > > ## NITS > > ### Section 2.1 > > Should quotes be used in `it will be sufficient to replace ---(BEGIN|END) > CERTIFICATE--- with :` ? > The literals are wrapped in a <code></code> tag in the HTML and HTMLized versions of the draft. ## Notes > > This review is in the ["IETF Comments" Markdown format][ICMF], You can use > the > [`ietf-comments` tool][ICT] to automatically convert this review into > individual GitHub issues. > > [ICMF]: https://github.com/mnot/ietf-comments/blob/main/format.md > [ICT]: https://github.com/mnot/ietf-comments > > > > -- _CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._
- Éric Vyncke's No Objection on draft-ietf-httpbis-… Éric Vyncke via Datatracker
- Re: Éric Vyncke's No Objection on draft-ietf-http… Julian Reschke
- Re: Éric Vyncke's No Objection on draft-ietf-http… Brian Campbell