Re: Genart last call review of draft-ietf-httpbis-client-hints-13

Christer Holmberg <christer.holmberg@ericsson.com> Wed, 06 May 2020 12:47 UTC

From: Christer Holmberg <christer.holmberg@ericsson.com>
To: Yoav Weiss <yoav@yoav.ws>
CC: "gen-art@ietf.org" <gen-art@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>, "draft-ietf-httpbis-client-hints.all@ietf.org" <draft-ietf-httpbis-client-hints.all@ietf.org>
Thread-Topic: Genart last call review of draft-ietf-httpbis-client-hints-13
Thread-Index: AQHWIq1DN+5hVq5QdEeND9cndeZ6bqiaCVcAgACrC4CAAIB9AA==
Date: Wed, 06 May 2020 12:43:41 +0000
Message-ID: <4243CEA9-67C6-4D3D-A554-9911847CA782@ericsson.com>
References: <158837305177.24719.21462684096579298@ietfa.amsl.com> <CACj=BEhNqVRxQagFmJ4sbXrn=YOWAYPBqODw_rL7MZbUDjNq5w@mail.gmail.com> <A2613BDC-7577-4BED-8AB5-4799973A1586@ericsson.com> <CACj=BEivQgTBrznaHjmdgOP+1O9fRR7xtX2m_u3JMV4eGfkqFQ@mail.gmail.com>
In-Reply-To: <CACj=BEivQgTBrznaHjmdgOP+1O9fRR7xtX2m_u3JMV4eGfkqFQ@mail.gmail.com>
Archived-At: <https://www.w3.org/mid/4243CEA9-67C6-4D3D-A554-9911847CA782@ericsson.com>

Hi Yoav,

>> I have not received the pull request yet, so I will comment only based on your e-mail reply :)
>
> Apologies for the delay. PR is now up at https://protect2.fireeye.com/v1/url?k=0a42e34e-54e25920-0a42a3d5-
> 869a14f4b08c-11c3f32cbd74f2f2&q=1&e=978d85da-fab3-4523-a8d9-447aa6bdf056&u=https://github.com/httpwg/http-extensions/pull/1171
Thanks!

I think it looks ok.

BTW, are high-entropy and low-entropy defined and well-known HTTP terms?
---

MaQ3:

>>>> Related to MaQ2, what happens if a server receives hints that it does not
>>>> understand, or does not support?
>>>
>>> Servers SHOULD ignore hints they do not understand or do not support.
>>
>> Is there a reason for not using MUST? SHOULD typically means MUST-unless-X. What would X be?
>>
>> Is there a way for the server to indicate to the client that it did not understand/support the hints? Whatever the answer, I think it would be good to have some text about that.
>
> There's no such mechanism, similar to other request headers.
> Do you have sample text in mind that may make that point clearer?
Maybe just a note pointing out that there is no mechanism for a server to inform a client whether it understands and supports the hints.

---

Minor issues:

MiQ1:

>>> Section 1 described that proactive content negotiation allows servers to
>>> silently fingerprint the user agent.
>>>
>>> But, later in the Section it is described that Client Hints also allow a server
>>> to perform fingerprinting, and the Security Considerations also say that there
>>> is really no difference.
>>>
>>> So, does Section 1 need to talk about fingerprinting at all?
>>
>> Section 1 describes the fact that traditional (read: pre-Client Hints) content negotiation methods relied on sending information to all servers, which enabled passive fingerprinting,
>> and how Client Hints breaks away from that paradigm, by only sending (high entropy) hints when the server needs them and opts in to receive them.
>>
>> A server can request the hints even if it doesn't "need" them, but it wants to do fingerprinting. The client does not know what the server will do with the information.
>>
>> My point is that the reader should not get an impression that client hints somehow prevent fingerprinting. They don't. The only difference is that the server has to ask for the information.
>
> Current draft includes " Client Hints mitigate ... privacy concerns of passive fingerprinting by requiring explicit opt-in and disclosure of
> required headers by the server through the use of the Accept-CH response header."
> Should that be clearer?

Yes, I think it is better.

-------

Regards,

Christer
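The opt-in flow the thread argues about (the server has to ask via Accept-CH before high-entropy hints are sent, the server silently ignores hints it does not understand, and nothing in the response tells the client which hints were used), as an added example that is not part of this e-mail, the draft, or the httpwg repository. The hint names Sec-CH-Example, Sec-CH-Example-2 and Sec-CH-Unknown, the dict-based request/response objects and the sample hint values are all assumptions made for illustration:

```python
"""Model of the Client Hints opt-in exchange discussed in the review thread.

Added example, not code from draft-ietf-httpbis-client-hints or the httpwg
repository. Hint names and values are hypothetical, and plain dicts stand in
for real HTTP messages.
"""
from typing import Dict, List, Set, Tuple

# Hints this client implements, with constructed sample values.
CLIENT_HINT_VALUES: Dict[str, str] = {
    "sec-ch-example": "foo",
    "sec-ch-example-2": "bar",
}


def parse_accept_ch(value: str) -> List[str]:
    """Accept-CH carries a comma-separated list of request header field names.
    Field names are case-insensitive, so they are normalised to lower case."""
    return [t.strip().lower() for t in value.split(",") if t.strip()]


class HintAwareClient:
    """Sends a hint to an origin only after that origin asked for it via Accept-CH."""

    def __init__(self) -> None:
        self.opt_ins: Dict[str, Set[str]] = {}

    def process_response(self, origin: str, response_headers: Dict[str, str]) -> None:
        accept_ch = response_headers.get("accept-ch")
        if accept_ch is not None:
            # The most recent Accept-CH replaces the stored preference for that origin.
            self.opt_ins[origin] = set(parse_accept_ch(accept_ch))

    def build_request_headers(self, origin: str) -> Dict[str, str]:
        headers = {"user-agent": "ExampleUA/1.0"}
        for name in sorted(self.opt_ins.get(origin, set())):
            if name in CLIENT_HINT_VALUES:  # only hints this client actually implements
                headers[name] = CLIENT_HINT_VALUES[name]
        return headers


class HintConsumingServer:
    """Advertises the hints it wants and ignores any hint it does not understand."""

    def __init__(self, requested: List[str], understood: Set[str]) -> None:
        self.requested = requested
        self.understood = {h.lower() for h in understood}

    def handle(self, request_headers: Dict[str, str]) -> Tuple[Dict[str, str], Dict[str, str]]:
        # Hints the server can act on; everything else is silently dropped.
        used = {n: v for n, v in request_headers.items() if n in self.understood}
        # The response only carries the opt-in; it never says which hints were used or dropped.
        response_headers = {"accept-ch": ", ".join(self.requested)}
        return response_headers, used


def run_exchange() -> Dict[str, Dict[str, str]]:
    """Two requests to one origin: before and after the server's Accept-CH opt-in."""
    origin = "https://example.com"  # hypothetical origin
    client = HintAwareClient()
    # The server asks for three hints but only understands one of them.
    server = HintConsumingServer(
        requested=["Sec-CH-Example", "Sec-CH-Example-2", "Sec-CH-Unknown"],
        understood={"sec-ch-example"},
    )
    first_request = client.build_request_headers(origin)  # no opt-in yet: no hints sent
    response, used_first = server.handle(first_request)
    client.process_response(origin, response)
    second_request = client.build_request_headers(origin)  # only hints the server asked for
    _, used_second = server.handle(second_request)
    return {
        "first_request": first_request,
        "second_request": second_request,
        "used_first": used_first,
        "used_second": used_second,
        "response": response,
    }


if __name__ == "__main__":
    for key, value in run_exchange().items():
        print(f"{key}: {value}")
```

In the second request the client sends Sec-CH-Example-2 because the server asked for it, the server drops it because it does not implement it, and the client has no way of telling that from the response; Sec-CH-Unknown is never sent because the client does not implement it. That is the gap MaQ3 asks the draft to spell out.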