Re: Alt-Svc WGLC
Kyle Rose <krose@krose.org> Wed, 13 January 2016 03:09 UTC
In-Reply-To: <CABkgnnWj=Xqte-XT1yVUAvLfdKT6HojMDr0SHBe9h_XbA6UAMg@mail.gmail.com>
Date: Tue, 12 Jan 2016 22:03:54 -0500
Message-ID: <CAJU8_nXUoOEoXjrCcXYr65XoysYOfp3T2J7N2zoyBSMdAf9dnQ@mail.gmail.com>
From: Kyle Rose <krose@krose.org>
To: Martin Thomson <martin.thomson@gmail.com>
Cc: Julian Reschke <julian.reschke@gmx.de>, Hervé Ruellan <herve.ruellan@crf.canon.fr>, HTTP Working Group <ietf-http-wg@w3.org>
Archived-At: <http://www.w3.org/mid/CAJU8_nXUoOEoXjrCcXYr65XoysYOfp3T2J7N2zoyBSMdAf9dnQ@mail.gmail.com>
On Tue, Jan 12, 2016 at 9:13 PM, Martin Thomson <martin.thomson@gmail.com> wrote:
> On 12 January 2016 at 13:51, Kyle Rose <krose@krose.org> wrote:
>> "Clients MUST NOT use an alternative service with a host that is
>> different from the origin's without the alternative service strongly
>> authenticating with the origin's identity."
>
> There are two rules we need to capture:
>
> 1. the alternative service must be authenticated as the origin host

If this is the case, then we should simply state that "Clients MUST NOT use an alternative service that does not strongly authenticate with the origin's identity."

I had interpreted the draft to indicate that only host changes required strong authentication of the alternative service, but apparently that is not the intent (and I suppose is what the "Changing Ports" section is all about). It's very confusing. The "Changing Hosts" section, for instance, says that:

    This is the reason for the requirement in Section 2.1 that any
    alternative service with a host different from the origin's be
    strongly authenticated with the origin's identity

when according to your rule #1 we want to strongly authenticate with the origin's identity even when the alternative service's host is the same as the origin's. If the intent is to *always* strongly authenticate the alternative service with the origin's identity, the draft should state that unconditionally.

> 2. if the alt-svc advertisement isn't authenticated, the host can't be
> different to the origin.

We need to cleanly separate these two requirements, because I think both the "Changing Hosts" language and the "Host Authentication" language do not capture this. In fact, they seem to conflate the two issues, as I have apparently been doing. Your two guidelines, in fact, seem to capture the required precision.

A candidate for the first is above; one for the second might be "Clients MUST NOT use an alternative service whose host is different from the origin's if the alternative service advertisement was not strongly authenticated." Some explanatory language around each requirement in section 2, or separate subsections under "Security Considerations", could provide context for each of the requirements.

This needs to be made a lot clearer.

Kyle
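The two rules discussed in this message, written out as a client-side policy check so the cases where the conflated "host differs" wording and the separated rules disagree are visible. This is an added example, not code from the thread or from any Alt-Svc implementation; the names Origin, AltService, may_use_alternative and may_use_alternative_conflated are this example's own.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Origin:
    scheme: str
    host: str
    port: int


@dataclass(frozen=True)
class AltService:
    protocol: str                    # ALPN id of the alternative, e.g. "h2"
    host: str                        # alt-authority host; "" = same as origin
    port: int
    # Identity the alternative presented in its TLS handshake, or None when
    # no certificate valid for the origin's host was verified.
    authenticated_as: Optional[str]


def may_use_alternative(origin: Origin, alt: AltService,
                        advertisement_authenticated: bool) -> Tuple[bool, str]:
    """Apply the two rules separately and return (allowed, reason).

    Rule 2: an advertisement that was not itself authenticated (e.g. one
            received in a cleartext HTTP response) may not change the host.
    Rule 1: the alternative must strongly authenticate as the origin,
            whether or not its host differs (so a bare port change too).
    """
    alt_host = alt.host or origin.host
    if not advertisement_authenticated and alt_host != origin.host:
        return False, "rule 2: unauthenticated advertisement changes host"
    if alt.authenticated_as != origin.host:
        return False, "rule 1: alternative did not authenticate as origin"
    return True, "ok"


def may_use_alternative_conflated(origin: Origin, alt: AltService) -> bool:
    """The draft's 'host different from the origin's' wording read literally:
    authentication of the alternative is only demanded when the host changes,
    so a same-host port change that fails to authenticate slips through."""
    alt_host = alt.host or origin.host
    if alt_host == origin.host:
        return True
    return alt.authenticated_as == origin.host
```

With a constructed origin of https://www.example.com and a same-host alternative on another port whose TLS handshake does not validate the origin identity, the separated rules refuse it while the literal "host differs" reading accepts it, which is the gap the message points out.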