IETF Logo Mail Archive

Re: SNI Extension for Alt-Svc

Martin Thomson <martin.thomson@gmail.com> Fri, 01 December 2017 04:32 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A9B92126D74 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 30 Nov 2017 20:32:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.489
X-Spam-Level:
X-Spam-Status: No, score=-6.489 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_SORBS_SPAM=0.5, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D4ltm-7u7q3w for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 30 Nov 2017 20:32:03 -0800 (PST)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 714121241F5 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Thu, 30 Nov 2017 20:32:03 -0800 (PST)
Received: from lists by frink.w3.org with local (Exim 4.89) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1eKcrD-0005AY-Ic for ietf-http-wg-dist@listhub.w3.org; Fri, 01 Dec 2017 04:23:23 +0000
Resent-Date: Fri, 01 Dec 2017 04:23:23 +0000
Resent-Message-Id: <E1eKcrD-0005AY-Ic@frink.w3.org>
Received: from titan.w3.org ([128.30.52.76]) by frink.w3.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.89) (envelope-from <martin.thomson@gmail.com>) id 1eKcqy-00059f-00 for ietf-http-wg@listhub.w3.org; Fri, 01 Dec 2017 04:23:08 +0000
Received: from mail-ot0-f170.google.com ([74.125.82.170]) by titan.w3.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.89) (envelope-from <martin.thomson@gmail.com>) id 1eKcqu-0005Yw-2U for ietf-http-wg@w3.org; Fri, 01 Dec 2017 04:23:07 +0000
Received: by mail-ot0-f170.google.com with SMTP id d27so8076996ote.11 for <ietf-http-wg@w3.org>; Thu, 30 Nov 2017 20:22:43 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=dDkYsVpNQqy1dq1BAcDidgNA0lEO2moz4AWIa1UGx1I=; b=WprCL2L1qd94puUB8oQM7voGuyX6f29yII9+hlT7IcUNOiSgAf4nCZeGd/9ki2nmU1 mD/EUVW6nwR1H/EaPz6RyjOT4yItE5CvuXt2HPq56CZf7kj2I8k/VEnzhHaqdJ85O1xz wSaRRwfeWCCnbjNc8Eh7GritmVcu94cnuG27DjsGaLgtgGaIOpJ7ePOyQwyIgrJJ6jNx FtKxQSk1OXpAspPWmbADkkYrtWSpNuNVK1zDUzSglzAt3MOCuIW+UhVuCeYFi9xEf+sh n1Q6ZEUKnh+BUQDdLpulxUlFj7W9neCEwggsUWCd+FI8p7PgAz1y8YFkRyvKuAzKixVn jBsg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=dDkYsVpNQqy1dq1BAcDidgNA0lEO2moz4AWIa1UGx1I=; b=p6AjCTkWI4CFrC7GnHDCBpzl0d0V+UiSd/fX54zHe6yawjO0+w07hCAMOpeTgQgLfl nsve5UOfqsj2MeszcaKJMtIhcYyRKW42xUifqmpojYzy8HrQuOufLXYlk3ySIoz5GUrq wFz2Ns6HbF+asClEl7QjOjYRfYmx6zN1mHFsN9T9PO/6BS0Dz4NrIEd/9yf8qGnK5rkH FPTcvL8LMhabj+rLZAZbXgiDvorPkUZ6UKXUwVGX0RhIQ2Ol5OQjFwCgSwRY9WUOjIFg S08agYGarfjZU5OruqqhmEP6I7IXCRStvbBJGEYeTXQ1bzfZQcRlzTpKs4qt2KAzCzfl PFvA==
X-Gm-Message-State: AJaThX7e1GQhSyGfhDc56n/IrRLS0F56jcXPsvlMdTqljJUPMYVwiVFa el0FyEzd8LntLtzTlBEbrfIAbSAVCqEhxBLIfmybGw==
X-Google-Smtp-Source: AGs4zMbYBdU+lIv5BCNFAJDb08/R2MPQJPWCFqLd5ahrxt0eJDtlrdmbJ86EaMDQaWklmRY4Na7EwZj1ffDVrQkXq0s=
X-Received: by 10.157.69.65 with SMTP id p1mr7288180oti.93.1512102162896; Thu, 30 Nov 2017 20:22:42 -0800 (PST)
MIME-Version: 1.0
Received: by 10.157.8.11 with HTTP; Thu, 30 Nov 2017 20:22:42 -0800 (PST)
In-Reply-To: <CABkgnnWQQttpgpYWu7iqSHgAz82oo+qZ2qiRx3RNmBbChn=KaA@mail.gmail.com>
References: <MWHPR08MB243210349ABEB2B0E48123E0DA380@MWHPR08MB2432.namprd08.prod.outlook.com> <CABkgnnWQQttpgpYWu7iqSHgAz82oo+qZ2qiRx3RNmBbChn=KaA@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
Date: Fri, 01 Dec 2017 15:22:42 +1100
Message-ID: <CABkgnnXPCcQn3wBW9fSqEncozaR=WA-bNA0FEP-xsDAiKiVDcg@mail.gmail.com>
To: Mike Bishop <mbishop@evequefou.be>
Cc: Lucas Pardue <Lucas.Pardue@bbc.co.uk>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>, Patrick McManus <mcmanus@ducksong.com>
Content-Type: multipart/alternative; boundary="f403043e3d18489d3b055f3fb8c5"
Received-SPF: pass client-ip=74.125.82.170; envelope-from=martin.thomson@gmail.com; helo=mail-ot0-f170.google.com
X-W3C-Hub-Spam-Status: No, score=-6.1
X-W3C-Hub-Spam-Report: AWL=-0.137, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, W3C_AA=-1, W3C_DB=-1, W3C_IRA=-1, W3C_WL=-1
X-W3C-Scan-Sig: titan.w3.org 1eKcqu-0005Yw-2U 07d5d0bc6a84717014727bf01c62b35b
X-Original-To: ietf-http-wg@w3.org
Subject: Re: SNI Extension for Alt-Svc
Archived-At: <https://www.w3.org/mid/CABkgnnXPCcQn3wBW9fSqEncozaR=WA-bNA0FEP-xsDAiKiVDcg@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/34902
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

One thought that has been bugging me.  This doesn't seem to do anything for
the bootstrapping scenario.  At least, not any more than the secondary
certs on its own does.  Was I missing something?

On Fri, Dec 1, 2017 at 11:26 AM, Martin Thomson <martin.thomson@gmail.com>
wrote:

> Hi Mike,
>
> Interesting idea.
>
> How would you imagine this interacting with a client's TLS session cache?
> Specifying unique SNI values that contain encrypted information is
> interesting, but you want to ensure that the TLS session cache for the
> hostname is not used or you could get linkability based on the value of a
> session ID or session ticket.
>
> Also, I think that it would be good to have some sort of commitment to TLS
> 1.3 support.  Then you could rely on the server certificate being
> protected.  I don't want to have to rely on secondary certificates and the
> associated delays.  This seems like it could be a reasonable alternative to
> the secondary certificates work.
>
>
> On Fri, Dec 1, 2017 at 4:56 AM, Mike Bishop <mbishop@evequefou.be> wrote:
>
>> I was already planning to spin up a thread on that draft today, so thanks
>> for deciding what I'm doing next today!  😉  Forking a separate thread.
>>
>>
>>
>> WG, https://tools.ietf.org/html/draft-bishop-httpbis-sni-altsvc-00
>> proposes a new parameter for Alt-Svc suggesting that a client use a
>> different (presumably generic) hostname in the TLS SNI extension, and
>> instead gain Alt-Svc "reasonable assurances" by requesting the origin's
>> certificate via Secondary Certificates (which is currently under Call for
>> Adoption).  It gives a solution, albeit HTTP-specific, to SNI privacy by
>> providing a discoverability path for which generic hostname can be used to
>> reach a more sensitive origin under encryption.
>>
>>
>>
>> As to the frame reference, I intentionally didn't reference which
>> protocol, in part because Alt-Svc itself says it can be carried by various
>> mechanisms and the definition of an Alt-Svc extension doesn't need to get
>> into that layer.  The Alt-Svc frame for HTTP/QUIC is specified by
>> https://tools.ietf.org/html/draft-bishop-httpbis-altsvc-quic-00.  While
>> frames are present in both HTTP/2 and HTTP/QUIC, I don't think that makes
>> frames a generic HTTP concept -- it's a property of certain mappings, and
>> specified individually in each of them.
>>
>>
>>
>> -----Original Message-----
>> From: Lucas Pardue [mailto:Lucas.Pardue@bbc.co.uk]
>> Sent: Thursday, November 30, 2017 2:13 AM
>> To: Mike Bishop <mbishop@evequefou.be>; ilariliusvaara@welho.com
>> Cc: Mark Nottingham <mnot@mnot.net>; HTTP Working Group <
>> ietf-http-wg@w3.org>; Patrick McManus <mcmanus@ducksong.com>
>> Subject: RE: DRAFT: more details for HTTPtre
>>
>>
>>
>> Hi Mike,
>>
>>
>>
>> The connection coalescing case is interesting as it's not currently
>> described in HTTP/QUIC. Presumably by oversight or time constraint rather
>> than intent. (We've got a ticket open tracking that one.)
>>
>>
>>
>> Changing track, I've just seen your SNI I-D
>>
>> https://tools.ietf.org/html/draft-bishop-httpbis-sni-altsvc-00
>>
>>
>>
>> References to Frames don't state a specific mapping (HTTP/2 or
>> HTTP/QUIC). Reading between the lines this seems intentional, which got me
>> thinking that also Frames could be described as a new HTTP semantic for
>> binary-capable wire formats.
>>
>>
>>
>> Lucas
>>
>> ________________________________________
>>
>> From: Mike Bishop [mbishop@evequefou.be]
>>
>> Sent: 28 November 2017 18:32
>>
>> To: Lucas Pardue; ilariliusvaara@welho.com
>>
>> Cc: Mark Nottingham; HTTP Working Group; Patrick McManus
>>
>> Subject: RE: DRAFT: more details for HTTPtre
>>
>>
>>
>> I agree that HPACK is largely decouplable from HTTP/2, or HTTP.  The core
>> of the protocol is a general-purpose compression algorithm for streaming
>> key-value dictionaries, rather than straight text.  The pieces that bind it
>> to H2 are incidental, and perhaps we could have structured it differently.
>>
>>
>>
>> Coalescing isn't a new semantic -- each HTTP mapping defines how
>> parallelism and connection reuse should work in that mapping.  HTTP/2
>> simply happens to define it more expansively than HTTP/1.1.
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> -----------------------------
>>
>> http://www.bbc.co.uk
>>
>> This e-mail (and any attachments) is confidential and may contain
>> personal views which are not the views of the BBC unless specifically
>> stated.
>>
>> If you have received it in
>>
>> error, please delete it from your system.
>>
>> Do not use, copy or disclose the
>>
>> information in any way nor act in reliance on it and notify the sender
>> immediately.
>>
>> Please note that the BBC monitors e-mails sent or received.
>>
>> Further communication will signify your consent to this.
>>
>> -----------------------------
>>
>
>

v2.23.0 | Report a Bug | By Email