RE: (Possibly duplicate mail) Suggesting /.well-known/alternative-services as compromise | Re: AD review of draft-ietf-httpbis-alt-svc-10

Mike Bishop, Fri, 15 January 2016 19:13 UTC

From: Mike Bishop
To: Barry Leiba, Kari Hurtta
CC: Mark Nottingham, "Julian F. Reschke", HTTP Working Group, Stephen Farrell
Date: Fri, 15 Jan 2016 19:10:33 +0000

But on the other hand, a publisher who wanted to enable opportunistic could publish /.well-known/alternative-services easily enough.

In that it closes the ability for one resource owner to claim authority over the entire machine, I like it.  It seems like a reasonable middle ground between always requiring strong auth and leaving things totally open.  A more effective middle ground than looking at port numbers, certainly.

-----Original Message-----
From: [] On Behalf Of Barry Leiba
Sent: Friday, January 15, 2016 11:08 AM
To: Kari Hurtta
Cc: Mark Nottingham; Mike Bishop; Julian F. Reschke; HTTP Working Group; Stephen Farrell
Subject: Re: (Possibly duplicate mail) Suggesting /.well-known/alternative-services as compromise | Re: AD review of draft-ietf-httpbis-alt-svc-10

> I think that this stops that attack if http client also checks 
> /.well-known/alternative-services when alternative service does not 
> provide strong auth. This of course adds additional delay before 
> alternative service is used but does not affect case where alternative 
> services is used for opportunistic security (I assume strong auth here 
> and therefore GET /.well-known/alternative-services is not needed).

No, with opportunistic encryption you *don't* have strong auth -- that's part of what makes it opportunistic.