Stephen Farrell's Discuss on draft-ietf-httpbis-tunnel-protocol-04: (with DISCUSS and COMMENT)
"Stephen Farrell" <stephen.farrell@cs.tcd.ie> Mon, 08 June 2015 13:05 UTC
Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 33E701A86EB for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 8 Jun 2015 06:05:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.912
X-Spam-Level:
X-Spam-Status: No, score=-6.912 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=unavailable
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H0gEg8Cx2sud for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 8 Jun 2015 06:05:38 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 250CA1A86EA for <httpbisa-archive-bis2Juki@lists.ietf.org>; Mon, 8 Jun 2015 06:05:38 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.80) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1Z1wgv-0004kE-Vz for ietf-http-wg-dist@listhub.w3.org; Mon, 08 Jun 2015 13:02:14 +0000
Resent-Date: Mon, 08 Jun 2015 13:02:13 +0000
Resent-Message-Id: <E1Z1wgv-0004kE-Vz@frink.w3.org>
Received: from maggie.w3.org ([128.30.52.39]) by frink.w3.org with esmtps (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <stephen.farrell@cs.tcd.ie>) id 1Z1wgp-0004i4-Rc for ietf-http-wg@listhub.w3.org; Mon, 08 Jun 2015 13:02:07 +0000
Received: from mail.ietf.org ([4.31.198.44]) by maggie.w3.org with esmtps (TLS1.2:DHE_RSA_AES_256_CBC_SHA256:256) (Exim 4.80) (envelope-from <stephen.farrell@cs.tcd.ie>) id 1Z1wgo-00009V-19 for ietf-http-wg@w3.org; Mon, 08 Jun 2015 13:02:07 +0000
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C4DCA1A8032; Mon, 8 Jun 2015 06:01:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vnJpmSymrE9D; Mon, 8 Jun 2015 06:01:35 -0700 (PDT)
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id E5C0B1A702B; Mon, 8 Jun 2015 06:01:35 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
To: The IESG <iesg@ietf.org>
Cc: httpbis-chairs@ietf.org, mnot@mnot.net, draft-ietf-httpbis-tunnel-protocol.shepherd@ietf.org, draft-ietf-httpbis-tunnel-protocol.ad@ietf.org, draft-ietf-httpbis-tunnel-protocol@ietf.org, ietf-http-wg@w3.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.0.3.p2
Auto-Submitted: auto-generated
Message-ID: <20150608130135.22475.59784.idtracker@ietfa.amsl.com>
Date: Mon, 08 Jun 2015 06:01:35 -0700
Received-SPF: none client-ip=4.31.198.44; envelope-from=stephen.farrell@cs.tcd.ie; helo=mail.ietf.org
X-W3C-Hub-Spam-Status: No, score=-9.0
X-W3C-Hub-Spam-Report: AWL=3.899, BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, W3C_AA=-1, W3C_IRA=-1, W3C_IRR=-3, W3C_WL=-1
X-W3C-Scan-Sig: maggie.w3.org 1Z1wgo-00009V-19 56d82db1c5aeda04acc8e0cb57f91c0b
X-Original-To: ietf-http-wg@w3.org
Subject: Stephen Farrell's Discuss on draft-ietf-httpbis-tunnel-protocol-04: (with DISCUSS and COMMENT)
Archived-At: <http://www.w3.org/mid/20150608130135.22475.59784.idtracker@ietfa.amsl.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/29697
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
Stephen Farrell has entered the following ballot position for draft-ietf-httpbis-tunnel-protocol-04: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-httpbis-tunnel-protocol/ ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- I think this should be an easy discuss but is needed. RFC 7301 says: Care must be taken when such identifiers may leak personally identifiable information, or when such leakage may lead to profiling or to leaking of sensitive information. If any of these apply to this new protocol identifier, the identifier SHOULD NOT be used in TLS configurations where it would be visible in the clear, and documents specifying such protocol identifiers SHOULD recommend against such unsafe use. That last sentence seems to imply that you ought replicate such guidance here. ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- - I can see situations where I might want to not tell the proxy what protocol I'll be using inside TLS and when TLS1.3 hides ALPM from the proxy (I hope:-) then could there be value registering a "I'm not telling" ALPN value so that a UA wouldn't have to lie to the proxy? - I think you ought say what you expect a proxy to do if the ALPN header field and the ALPN TLS extension value do not match and I think that ought say that a CONNECT recipient in such cases SHOULD NOT drop the connection solely on that basis. If they have some policy about it fine, but they shouldn't barf just because there's a different order or spelling or just a different value. - Replicating values at multiple protocol layers produces a common failure mode where code only uses one copy to do access control or authorization or where two nodes in sequence use different copies, with unexpected behaviour resulting. I think you should call that out in the security considerations section as it keeps happening.
- Stephen Farrell's Discuss on draft-ietf-httpbis-t… Stephen Farrell
- Re: Stephen Farrell's Discuss on draft-ietf-httpb… Mark Nottingham
- Re: Stephen Farrell's Discuss on draft-ietf-httpb… Stephen Farrell
- Re: Stephen Farrell's Discuss on draft-ietf-httpb… Martin Thomson
- Re: Stephen Farrell's Discuss on draft-ietf-httpb… Amos Jeffries
- Re: Stephen Farrell's Discuss on draft-ietf-httpb… Adrien de Croy
- Re: Stephen Farrell's Discuss on draft-ietf-httpb… Mark Nottingham
- Re: Stephen Farrell's Discuss on draft-ietf-httpb… Barry Leiba
- Re: Stephen Farrell's Discuss on draft-ietf-httpb… Martin Thomson
- Re: Stephen Farrell's Discuss on draft-ietf-httpb… Spencer Dawkins at IETF