Re: ID for Immutable

Alex Rousskov <rousskov@measurement-factory.com> Fri, 28 October 2016 18:17 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B1A1712941C for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 28 Oct 2016 11:17:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.352
X-Spam-Level:
X-Spam-Status: No, score=-7.352 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.431, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IWLZX1keih1w for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 28 Oct 2016 11:17:31 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A2B13129593 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Fri, 28 Oct 2016 11:17:31 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.80) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1c0Beu-0003Az-Fm for ietf-http-wg-dist@listhub.w3.org; Fri, 28 Oct 2016 18:13:40 +0000
Resent-Date: Fri, 28 Oct 2016 18:13:40 +0000
Resent-Message-Id: <E1c0Beu-0003Az-Fm@frink.w3.org>
Received: from mimas.w3.org ([128.30.52.79]) by frink.w3.org with esmtps (TLS1.2:RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <rousskov@measurement-factory.com>) id 1c0Bep-00039T-Ps for ietf-http-wg@listhub.w3.org; Fri, 28 Oct 2016 18:13:35 +0000
Received: from mail.measurement-factory.com ([104.237.131.42]) by mimas.w3.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.84_2) (envelope-from <rousskov@measurement-factory.com>) id 1c0Bej-0003ax-Ur for ietf-http-wg@w3.org; Fri, 28 Oct 2016 18:13:30 +0000
Received: from [65.102.233.169] (unknown [65.102.233.169]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.measurement-factory.com (Postfix) with ESMTPSA id 76C2AE057; Fri, 28 Oct 2016 18:13:07 +0000 (UTC)
To: Patrick McManus <pmcmanus@mozilla.com>
References: <CAOdDvNqam930_0eA1p3yHW+xDdOm0AAMKvVKe6xwNwm1itpRpQ@mail.gmail.com> <f9f0e413-1fbb-1faa-833b-5dc7d7ea1fdc@measurement-factory.com> <CAOdDvNqTabR3zpRgjJVkBPdBVcOboCbG=5b6x+mKauwB1-w=Pw@mail.gmail.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
From: Alex Rousskov <rousskov@measurement-factory.com>
Message-ID: <e62c65c8-6366-5b76-491b-47cba7cbbd6b@measurement-factory.com>
Date: Fri, 28 Oct 2016 12:12:55 -0600
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101 Thunderbird/45.3.0
MIME-Version: 1.0
In-Reply-To: <CAOdDvNqTabR3zpRgjJVkBPdBVcOboCbG=5b6x+mKauwB1-w=Pw@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Received-SPF: pass client-ip=104.237.131.42; envelope-from=rousskov@measurement-factory.com; helo=mail.measurement-factory.com
X-W3C-Hub-Spam-Status: No, score=-6.0
X-W3C-Hub-Spam-Report: AWL=-0.632, BAYES_00=-1.9, RP_MATCHES_RCVD=-1.418, SPF_PASS=-0.001, W3C_AA=-1, W3C_WL=-1
X-W3C-Scan-Sig: mimas.w3.org 1c0Bej-0003ax-Ur 00988571d2ce166889f3fed22686147c
X-Original-To: ietf-http-wg@w3.org
Subject: Re: ID for Immutable
Archived-At: <http://www.w3.org/mid/e62c65c8-6366-5b76-491b-47cba7cbbd6b@measurement-factory.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/32715
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

On 10/28/2016 11:21 AM, Patrick McManus wrote:
> I do believe the lack of integrity protection in plaintext transfer is
> an important security consideration for immutable that suggests they
> should not be used together. I'm open to other wording on it for sure..
> https:// might be sufficient here.

Sounds good. A more general "SHOULD ignore immutable for resources
received without integrity protection" wording would allow proxies to
legally honor the immutable setting in most cases (after breaking a
hundred MUSTs to get to it inside https, naturally).


Thank you,

Alex.


> On Fri, Oct 28, 2016 at 12:50 PM, Alex Rousskov wrote:
> 
>     On 10/26/2016 03:02 PM, Patrick McManus wrote:
> 
>     >    o  Clients should ignore immutable for resources that are not
>     part of
>     >       a secure context [SECURECONTEXTS].
> 
>     Please think of the children^H^H^H^H proxies. AFAICT, "secure contexts"
>     are currently a user agent concept. If the above "should" is meant to be
>     a "SHOULD", then the draft automatically disqualifies most proxies from
>     legally utilizing this promising "ignore reload" mechanism.
> 
> 
>     Thank you,
> 
>     Alex.
> 
>