Re: Genart last call review of draft-ietf-httpbis-client-hints-13

Christer Holmberg <christer.holmberg@ericsson.com> Thu, 07 May 2020 13:15 UTC


Hi,

The PR looks good to me! Thanks for addressing my issues! :)

Regards,

Christer

From: Yoav Weiss <yoav@yoav.ws>
Date: Thursday, 7 May 2020 at 13.02
To: Christer Holmberg <christer.holmberg@ericsson.com>
Cc: "gen-art@ietf.org" <gen-art@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>, HTTP Group <ietf-http-wg@w3.org>, "draft-ietf-httpbis-client-hints.all@ietf.org" <draft-ietf-httpbis-client-hints.all@ietf.org>
Subject: Re: Genart last call review of draft-ietf-httpbis-client-hints-13

Addressed the latest points in the PR. Thanks! :)

On Wed, May 6, 2020 at 3:20 PM Yoav Weiss <yoav@yoav.ws> wrote:


On Wed, May 6, 2020 at 2:43 PM Christer Holmberg <christer.holmberg@ericsson.com> wrote:
Hi Yoav,

>> I have not received the pull request yet, so I will comment only based on your e-mail reply :)
>
> Apologies for the delay. PR is now up at https://github.com/httpwg/http-extensions/pull/1171

Thanks!

I think it looks ok.

BTW, are high-entropy and low-entropy defined and well-known HTTP terms?

I'm not sure. The browser processing model defines a list of low-entropy CH headers: https://wicg.github.io/client-hints-infrastructure/#low-entropy-table
I could point at that.


---

MaQ3:

>>>> Related to MaQ2, what happens if a server receives hints that it does not
>>>> understand, or does not support?
>>>
>>> Servers SHOULD ignore hints they do not understand or do not support.
>>
>> Is there a reason for not using MUST? SHOULD typically means MUST-unless-X. What would X be?
>>
>> Is there a way for the server to indicate to the client that it did not understand/support the hints? Whatever the answer, I think it would be good to have some text about that.
>
> There's no such mechanism, similar to other request headers.
> Do you have sample text in mind that may make that point clearer?

Maybe just a note pointing out that there is no mechanism for a server to inform a client whether it understands and supports the hints.

---

Minor issues:

MiQ1:

>>> Section 1 described that proactive content negotiation allows servers to
>>> silently fingerprint the user agent.
>>>
>>> But, later in the Section it is described that Client Hints also allow a server
>>> to perform fingerprinting, and the Security Considerations also say that there
>>> is really no difference.
>>>
>>> So, does Section 1 need to talk about fingerprinting at all?
>>
>> Section 1 describes the fact that traditional (read: pre-Client Hints) content negotiation methods relied on sending information to all servers, which enabled passive fingerprinting,
>> and how Client Hints breaks away from that paradigm, by only sending (high entropy) hints when the server needs them and opts-in to receive them.
>>
>> A server can request the hints even if it doesn't "need" them, but it wants to do fingerprinting. The client does not know what the server will do with the information.
>>
>> My point is that the reader should not get an impression that client hints somehow prevent fingerprinting. They don't. The only difference is that the server has to ask for the information.
>
> Current draft includes " Client Hints mitigate ... privacy concerns of passive fingerprinting by requiring explicit opt-in and disclosure of
> required headers by the server through the use of the Accept-CH response header."
> Should that be clearer?

Yes, I think it is better.

-------

Regards,

Christer
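The thread above turns on two behaviours of the Client Hints model: a user agent sends high-entropy hints only to an origin that has opted in through Accept-CH (the passive-fingerprinting mitigation discussed under MiQ1), and a server ignores hints it does not understand (MaQ3). The following is an added illustration written for this archive page, not code from the draft, the PR, or either correspondent. The hint names, their low/high-entropy classification, the origin-scoped opt-in store, and the rule that Accept-CH is honoured only over https are all assumptions of this model; the draft itself defines no specific hints, and the real low-entropy table lives in the browser processing model linked in the thread.

```python
"""Model of the Client Hints opt-in flow discussed in the thread (added example).

Hint names and their entropy classification are constructed for illustration;
they are not taken from draft-ietf-httpbis-client-hints-13.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed classification: low-entropy hints may accompany every request,
# high-entropy hints only after the origin opts in via Accept-CH.
LOW_ENTROPY_HINTS = {"sec-ch-example-low"}
HIGH_ENTROPY_HINTS = {"sec-ch-example-device", "sec-ch-example-network"}

# Hints this (hypothetical) server implements; anything else is ignored.
SERVER_KNOWN_HINTS = {"sec-ch-example-low", "sec-ch-example-device"}


def origin_of(url: str) -> str:
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def parse_accept_ch(value: str) -> set[str]:
    """Accept-CH carries a comma-separated list of hint field names."""
    return {token.strip().lower() for token in value.split(",") if token.strip()}


@dataclass
class UserAgent:
    # Values this UA could reveal, keyed by lower-cased field name (constructed).
    available: dict[str, str]
    # origin -> high-entropy hints that origin has opted in to receive
    opt_ins: dict[str, set[str]] = field(default_factory=dict)

    def observe_response(self, url: str, response_headers: dict[str, str]) -> set[str]:
        """Record an Accept-CH opt-in; returns the hints now enabled for the origin."""
        origin = origin_of(url)
        accept_ch = response_headers.get("accept-ch")
        # Assumption of this model: only https responses may turn on extra hints,
        # so an on-path attacker cannot inject an opt-in into plaintext traffic.
        if accept_ch is None or urlsplit(url).scheme != "https":
            return self.opt_ins.get(origin, set())
        # Names the UA does not implement are dropped rather than echoed back.
        self.opt_ins[origin] = parse_accept_ch(accept_ch) & HIGH_ENTROPY_HINTS
        return self.opt_ins[origin]

    def request_headers(self, url: str) -> dict[str, str]:
        """Hints attached to a request: low-entropy always, high-entropy per opt-in."""
        allowed = LOW_ENTROPY_HINTS | self.opt_ins.get(origin_of(url), set())
        return {name: self.available[name]
                for name in sorted(allowed) if name in self.available}


def server_select(request_headers: dict[str, str]) -> tuple[dict[str, str], list[str]]:
    """Server side of MaQ3: act only on hints it understands, ignore the rest.

    Returns (hints used for content selection, hint names silently ignored).
    There is no response mechanism telling the client which hints were ignored,
    which is the point raised in the thread.
    """
    lowered = {name.lower(): value for name, value in request_headers.items()}
    hints = {name: value for name, value in lowered.items() if name.startswith("sec-ch-")}
    understood = {name: value for name, value in hints.items() if name in SERVER_KNOWN_HINTS}
    ignored = sorted(name for name in hints if name not in SERVER_KNOWN_HINTS)
    return understood, ignored


def demo() -> dict[str, str]:
    """Walk one origin through first contact, opt-in, and a follow-up request."""
    ua = UserAgent(available={"sec-ch-example-low": "1",
                              "sec-ch-example-device": "desktop",
                              "sec-ch-example-network": "fast"})
    first = ua.request_headers("https://example.test/")          # low-entropy only
    ua.observe_response("https://example.test/",
                        {"accept-ch": "Sec-CH-Example-Device, Sec-CH-Not-Implemented"})
    second = ua.request_headers("https://example.test/page")     # plus opted-in hint
    used, ignored = server_select(second)
    print("first request:", first)
    print("after opt-in: ", second)
    print("server used:  ", used, "ignored:", ignored)
    return second


if __name__ == "__main__":
    demo()
```

The opt-in is keyed by origin, so a second origin still receives only the low-entropy hints, and a hint the server does not implement is dropped at the server without any signal back to the client.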