Re: (Possibly duplicate mail) Suggesting /.well-known/alternative-services as compromise | Re: AD review of draft-ietf-httpbis-alt-svc-10

Barry Leiba <barryleiba@computer.org> Fri, 15 January 2016 19:12 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B695A1B318F for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 15 Jan 2016 11:12:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.281
X-Spam-Level:
X-Spam-Status: No, score=-6.281 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id E6_jIKFT5PRN for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 15 Jan 2016 11:12:55 -0800 (PST)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 304C51B3191 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Fri, 15 Jan 2016 11:12:54 -0800 (PST)
Received: from lists by frink.w3.org with local (Exim 4.80) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1aK9jL-0003HL-Gv for ietf-http-wg-dist@listhub.w3.org; Fri, 15 Jan 2016 19:08:15 +0000
Resent-Date: Fri, 15 Jan 2016 19:08:15 +0000
Resent-Message-Id: <E1aK9jL-0003HL-Gv@frink.w3.org>
Received: from maggie.w3.org ([128.30.52.39]) by frink.w3.org with esmtps (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <barryleiba@gmail.com>) id 1aK9jG-0003Ge-0t for ietf-http-wg@listhub.w3.org; Fri, 15 Jan 2016 19:08:10 +0000
Received: from mail-io0-f175.google.com ([209.85.223.175]) by maggie.w3.org with esmtps (TLS1.2:RSA_ARCFOUR_SHA1:128) (Exim 4.80) (envelope-from <barryleiba@gmail.com>) id 1aK9jE-0005Jk-Fc for ietf-http-wg@w3.org; Fri, 15 Jan 2016 19:08:09 +0000
Received: by mail-io0-f175.google.com with SMTP id g73so302557498ioe.3 for <ietf-http-wg@w3.org>; Fri, 15 Jan 2016 11:07:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=qOQgw4cfVxp7KMdznJEA5UV2Eu/6OGtQ/1fITVW7Rd8=; b=Al6uButV09+WEugRyuYMInB23BzvB5Vtz/QswUQ0Ju6wKqTl9SPdKBSN+fW2dy1J/h 3z3WbGKa8XKnw5FNAY4miJhlb4AamxzE5u3RbwOu+j+ceEeoOY5l9YGEyxGEKPk7gu5M yzNXodAJl1LsZ8uPko4gLYB5TZ70r5crMRkr/If+ZWTNsVhHNfIRVCV7Xg46B/SOcx5n 9YlelkSu7y3gLqj3G8ntO0v6LcSuDL2XZvtGz+HTgoy3SWOGIl5CFVlHv1BEQktRv6Ed q66G4Q/Z0I77lGidHKCmtiIQnW6TJ+PMwlG8WicGo+L+3JT/SOohlGx+RwVzVuLekOmA 9v2w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=qOQgw4cfVxp7KMdznJEA5UV2Eu/6OGtQ/1fITVW7Rd8=; b=joAt+2oWpGh5dCIqbYp0UV92tY6EUgpCyK9wjltYeJjgt6ZlwHiNrB9H92yRRLEP8b Os8Ti/vVNi9s4UIH59KyfKT+edw9qQ3Kz/YdNK0yj5cjlYT2wLrfNwCnwr3cPTekJ+wk YPDRCq0zSr229gp6fxVjnm2oFRgLB9UlKB6/O4eYCY41VjzzGZTs8ubc7Ih07MORtwbv Q1QlyLHcLDoEgd5VDBb3MUFfM23qtvQE02+kDpKAF8lfEk3d0pE/D/9Z/P35ZrP7qk3Y XyH5kRkbUEGaxwvYZCCq/3oVj3oLFhod6dmZ9m2rTIWjLhgself8MOsdwx2fo+Kl9iGr G3sw==
X-Gm-Message-State: ALoCoQm7ka776fA8EsWSVqhNIhjgsMIzwFBdtesXqCTesiwKoPxOoMBwp9BBJXttN+XzEd4KMPQmpbP/mOmHaGq2o7PAURcJQA==
MIME-Version: 1.0
X-Received: by 10.107.12.22 with SMTP id w22mr14030862ioi.8.1452884862459; Fri, 15 Jan 2016 11:07:42 -0800 (PST)
Sender: barryleiba@gmail.com
Received: by 10.36.117.83 with HTTP; Fri, 15 Jan 2016 11:07:42 -0800 (PST)
In-Reply-To: <20160115174615.85DC62727@welho-filter4.welho.com>
References: <312E9853-E205-454C-8A71-487FDF357A8D@mnot.net> <20160115174615.85DC62727@welho-filter4.welho.com>
Date: Fri, 15 Jan 2016 14:07:42 -0500
X-Google-Sender-Auth: DfmO_L6aVKupvH62CxXBzNtrjSs
Message-ID: <CALaySJJRhZy5Ln60W_ckcYWMRKbjLJb6BvVV=wrJtYY_1wowLA@mail.gmail.com>
From: Barry Leiba <barryleiba@computer.org>
To: Kari Hurtta <hurtta-ietf@elmme-mailer.org>
Cc: Mark Nottingham <mnot@mnot.net>, Mike Bishop <Michael.Bishop@microsoft.com>, "Julian F. Reschke" <julian.reschke@gmx.de>, "draft-ietf-httpbis-alt-svc@ietf.org" <draft-ietf-httpbis-alt-svc@ietf.org>, HTTP Working Group <ietf-http-wg@w3.org>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
Content-Type: text/plain; charset="UTF-8"
Received-SPF: pass client-ip=209.85.223.175; envelope-from=barryleiba@gmail.com; helo=mail-io0-f175.google.com
X-W3C-Hub-Spam-Status: No, score=-7.7
X-W3C-Hub-Spam-Report: AWL=1.882, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, W3C_AA=-1, W3C_DB=-1, W3C_IRA=-1, W3C_IRR=-3, W3C_WL=-1
X-W3C-Scan-Sig: maggie.w3.org 1aK9jE-0005Jk-Fc 534d458459d2f28efdd4628d37e33dc3
X-Original-To: ietf-http-wg@w3.org
Subject: Re: (Possibly duplicate mail) Suggesting /.well-known/alternative-services as compromise | Re: AD review of draft-ietf-httpbis-alt-svc-10
Archived-At: <http://www.w3.org/mid/CALaySJJRhZy5Ln60W_ckcYWMRKbjLJb6BvVV=wrJtYY_1wowLA@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/30939
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

> I think that this stops that attack if http client also checks
> /.well-known/alternative-services when alternative service
> does not provide strong auth. This of course adds additional delay
> before alternative service is used but does not affect case
> where alternative services is used for opportunistic security
> (I assume strong auth here and therefore
> GET /.well-known/alternative-services is not needed).

No, with opportunistic encryption you *don't* have strong auth --
that's part of what makes it opportunistic.

Barry