SETTINGS_MIXED_SCHEME_PERMITTED | Re: I-D Action: draft-ietf-httpbis-http2-encryption-07.txt

Kari Hurtta <hurtta-ietf@elmme-mailer.org> Wed, 05 October 2016 04:56 UTC

Message-Id: <201610050451.u954pomK003643@shell.siilo.fmi.fi>
In-Reply-To: <BN6PR03MB27082C2CF4DC3F8F82354FDE87C50@BN6PR03MB2708.namprd03.prod.outlook.com>
References: <20161004160321.DFB4C111E5@welho-filter1.welho.com> <BN6PR03MB27082C2CF4DC3F8F82354FDE87C50@BN6PR03MB2708.namprd03.prod.outlook.com>
To: Mike Bishop <Michael.Bishop@microsoft.com>
Date: Wed, 5 Oct 2016 07:51:50 +0300 (EEST)
Sender: hurtta@siilo.fmi.fi
From: Kari Hurtta <hurtta-ietf@elmme-mailer.org>
CC: Kari hurtta <hurtta-ietf@elmme-mailer.org>, HTTP working group mailing list <ietf-http-wg@w3.org>
Reply-To: Kari Hurtta <khurtta@welho.com>
Archived-At: <http://www.w3.org/mid/201610050451.u954pomK003643@shell.siilo.fmi.fi>

Mike Bishop <Michael.Bishop@microsoft.com>: (Tue Oct  4 20:38:45 2016)

> Taking a step back, what is the list of ports actually buying us now?  The port can be obtained by the client from the Alt-Svc header.  The fact that the port is legitimate and not hijacked is verified by finding that it has a certificate.  What we're actually confirming is that the origin supports mixed schemes.  The lifetime is already present in the Alt-Svc advertisement, and I haven't heard a compelling reason to have a separate lifetime.  Should we just define SETTINGS_MIXED_SCHEME_PERMITTED and call it a day?

Hmm.

SETTINGS_MIXED_SCHEME_PERMITTED is per connection. I assume that the HTTP/2
server sends it in a SETTINGS frame to the HTTP/2 client (similar to what
I contemplated for SETTINGS_WEBSOCKET_CAPABLE at
https://lists.w3.org/Archives/Public/ietf-http-wg/2016OctDec/0033.html )

The http-opportunistic response tells here that the given port for that
origin handles the http scheme when sent via TLS.

A connection probably applies to several origins. The TLS connection
may be terminated by a reverse proxy, and different origins
are served by different processes or servers behind the
reverse proxy.

I guess that SETTINGS_MIXED_SCHEME_PERMITTED is too wide.

"tls-ports" should perhaps now be "mixed-scheme-listeners"
giving [ "alternative-server:port" ].

/ Kari Hurtta
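A small model of the objection above, added here as an illustration and not part of the thread or of any draft text: a connection-wide SETTINGS_MIXED_SCHEME_PERMITTED flag covers every origin coalesced onto a connection through a TLS-terminating reverse proxy, whereas a per-origin listing of "alternative-server:port" entries (the field name `mixed-scheme-listeners`, the origins and the proxy endpoint are constructed assumptions) only admits origins that opted in.

```python
"""Constructed model: per-connection flag vs per-origin listing for
mixed-scheme (http:// over TLS) permission. All names are assumptions."""
from dataclasses import dataclass, field


@dataclass
class Connection:
    """One HTTP/2 connection to a TLS endpoint, with the SETTINGS it received."""
    endpoint: str                                  # e.g. "proxy.example:443"
    settings: dict = field(default_factory=dict)   # decoded SETTINGS frame


@dataclass
class OpportunisticResponse:
    """Parsed http-opportunistic resource for one origin; 'listeners' models
    the proposed 'mixed-scheme-listeners' array of "alternative-server:port"."""
    origin: str
    listeners: list


def permitted_by_connection_flag(conn: Connection, origin: str) -> bool:
    # Connection-wide signal: every origin carried on this connection is
    # treated as mixed-scheme capable, whichever backend really serves it.
    return bool(conn.settings.get("SETTINGS_MIXED_SCHEME_PERMITTED", 0))


def permitted_by_origin_listing(resp: OpportunisticResponse, conn: Connection) -> bool:
    # Per-origin signal: the connection's endpoint must be named by that
    # origin's own http-opportunistic resource.
    return conn.endpoint in resp.listeners


def demo() -> dict:
    # Constructed scenario: one TLS reverse proxy fronts two origins served
    # by different backends; only example.com has opted in to mixed scheme.
    conn = Connection("proxy.example:443", {"SETTINGS_MIXED_SCHEME_PERMITTED": 1})
    opted_in = OpportunisticResponse("http://example.com", ["proxy.example:443"])
    not_opted = OpportunisticResponse("http://other.example", [])
    return {
        "flag:example.com": permitted_by_connection_flag(conn, opted_in.origin),
        "flag:other.example": permitted_by_connection_flag(conn, not_opted.origin),
        "listing:example.com": permitted_by_origin_listing(opted_in, conn),
        "listing:other.example": permitted_by_origin_listing(not_opted, conn),
    }
```

The connection flag answers True for other.example even though that origin never opted in, which is the "too wide" outcome the reply describes; the per-origin listing refuses it.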