Re: Method Mania

Rahul Gupta <cxres@protonmail.com> Mon, 29 July 2024 06:21 UTC

Received: by ietfa.amsl.com (Postfix) id A3050C14F70A; Sun, 28 Jul 2024 23:21:05 -0700 (PDT)
Delivered-To: ietfarch-httpbisa-archive-bis2juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A228DC14F5E4 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Sun, 28 Jul 2024 23:21:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.856
X-Spam-Level:
X-Spam-Status: No, score=-2.856 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=w3.org header.b="nCuDtno3"; dkim=pass (2048-bit key) header.d=w3.org header.b="f8MoNb/x"; dkim=pass (2048-bit key) header.d=protonmail.com header.b="IaEuvdCh"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id z-g1iEorwjyg for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Sun, 28 Jul 2024 23:21:01 -0700 (PDT)
Received: from mab.w3.org (mab.w3.org [IPv6:2600:1f18:7d7a:2700:d091:4b25:8566:8113]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F15E3C14E515 for <httpbisa-archive-bis2Juki@ietf.org>; Sun, 28 Jul 2024 23:21:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=w3.org; s=s1; h=Subject:Content-Type:MIME-Version:References:In-Reply-To:Message-ID: From:To:Date:Cc:Reply-To; bh=f+Jx0KMTe+Pw3A2purTBAGASapa/fqRmxY7bDXufhQo=; b= nCuDtno3iEHvI566UlKQFozWuSyCl8joYyBxuPNOWHjZQwotiEqzlFv/eAMDVxwp4SeyZR9wTxIFL 7mu78+mNvCWPESe/QkgWsajPwGYzP+MabUiZlZUePNWsY18zKG+j+Ueb9AY/ecZrLIdHMg30xvbxu 6cxzGf/iVqH57cIYY2xeobIzEADNolyJZZy+F9ZlzyG0/OnllcrmqrFtwVOnpQPOd/qiA0u8zehD+ KntAMzRhJO6t2CvfPlfs83MWYNTZXTDaucp78f2j55MC5Ob5GJdK2eBK2DMne0mOtXkMTU+uPf4Nd BO1H56vs3HIOlPynaH/prBSh0MvAAbGsqQ==;
Received: from lists by mab.w3.org with local (Exim 4.96) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1sYJje-00EG3K-07 for ietf-http-wg-dist@listhub.w3.org; Mon, 29 Jul 2024 06:19:54 +0000
Resent-Date: Mon, 29 Jul 2024 06:19:54 +0000
Resent-Message-Id: <E1sYJje-00EG3K-07@mab.w3.org>
Received: from ip-10-0-0-144.ec2.internal ([10.0.0.144] helo=pan.w3.org) by mab.w3.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from <cxres@protonmail.com>) id 1sYJja-00EG2O-1x for ietf-http-wg@listhub.w3.internal; Mon, 29 Jul 2024 06:19:50 +0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=w3.org; s=s1; h=Content-Type:MIME-Version:References:In-Reply-To:Message-ID:Subject: From:To:Date:Cc:Reply-To; bh=f+Jx0KMTe+Pw3A2purTBAGASapa/fqRmxY7bDXufhQo=; t=1722233990; x=1723097990; b=f8MoNb/x5d3AHJD+xqZxWeKp20yY+M4sYlMiF51EzNnOkqQ 0Wa2kaJDtXSn/bEvvDc78Kw8g0ke0P2e8Kla3jG22vhd6SjCszfdrPKH2Vd8IzTe4/QmB50Q9vPu6 gU2QAfXkNI/9pgrGSekpge3++X3R3QiQBeYyoSYzNWcJmHSI7kQyh5FZUKAfgN5niloOk2VeJzixB H3uScNr6ISdmP8FmpHvxl4qQATqOZjl00TJVc+z8dXFuUIAGpoH8WkkIQW9MBejcBux1+SLn8tA/p Pu8RMOdW5mT4DXLioXDfcAP75d5epRs+dkyARTsJ/JrRB1l8EwvhS6UgjDq5B5tA==;
Received-SPF: pass (pan.w3.org: domain of protonmail.com designates 185.70.40.137 as permitted sender) client-ip=185.70.40.137; envelope-from=cxres@protonmail.com; helo=mail-40137.protonmail.ch;
Received: from mail-40137.protonmail.ch ([185.70.40.137]) by pan.w3.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from <cxres@protonmail.com>) id 1sYJjZ-00EBOA-1u for ietf-http-wg@w3.org; Mon, 29 Jul 2024 06:19:50 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com; s=protonmail3; t=1722233984; x=1722493184; bh=f+Jx0KMTe+Pw3A2purTBAGASapa/fqRmxY7bDXufhQo=; h=Date:To:From:Subject:Message-ID:In-Reply-To:References: Feedback-ID:From:To:Cc:Date:Subject:Reply-To:Feedback-ID: Message-ID:BIMI-Selector; b=IaEuvdChHIAH6gETy/8Ynsyo5Lmfk9F5tlsezL+rACNO1MOiOHR73LE4iEW1SAwFY B3tWA2bZSPvWNsC0Yfvz61PiggWTsxMjIL0zdgpZPfflH4g1u6s4lKIDecvA/z+zJF tBZZbJBl86Xb8HsrkIDfYpmB03WC1V7zw+LnE083j6qx9wnMqEaCjhFHXbsdd9bf8i +KP5vEm2BT8xIYwAHm7sw0uNbjXSNiUkTnkXdkIErIEqMj+foZPxsg0yFY8Z5NkUE7 tg/T9I8qSY5Q9nWrTyQ3xad4Mrh62/vtMG8VxqiDIlSJOz7F9DUZ1iNJlqojDVrBfS GPT+3VqCYTcBg==
Date: Mon, 29 Jul 2024 06:19:41 +0000
To: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
From: Rahul Gupta <cxres@protonmail.com>
Message-ID: <BG1AG4FgbRD0_qyND9Z4x_T5Gp_8P07GdVSOlGe9MBzNT7N13mDaM5wExyvbHTherj2MsKnWviEZooizJ1cG-y2-Wy0vsaqcPDTMlRBCy0I=@protonmail.com>
In-Reply-To: <CAJV+MGxH4wPK__Z4mGfD3j-KaHpSVjQBFLyM1u+ZwfaSsZGMRQ@mail.gmail.com>
References: <CAF3KT4QZzx+FXOUHZoy+gPqJjQ+4KdOC+_29vbUANNtZQS4c+A@mail.gmail.com> <ba56fad8-e121-4c06-9a2d-783ef82471e0@gmx.de> <CAJV+MGz8hUTqar51V9wV=WPnWETDK+ECjWCTXYS92xXM5HEF_w@mail.gmail.com> <cd25a358-1e8a-43b7-ba61-3d16ad28b1e4@gmx.de> <CAF3KT4Q=ezzA2aCHyPg=k583n6vP4gTGP+wxKz+sQezD=GnowQ@mail.gmail.com> <CAJV+MGxH4wPK__Z4mGfD3j-KaHpSVjQBFLyM1u+ZwfaSsZGMRQ@mail.gmail.com>
Feedback-ID: 919445:user:proton
X-Pm-Message-ID: 12f62a82a699feb94337ce43501b6f483f5d91e0
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pgp-signature"; micalg="pgp-sha256"; boundary="------d65a44496f973b61ba5aff073f69acd0e41e0b146f831ad8ff0dae41cf51e108"; charset="utf-8"
X-W3C-Hub-DKIM-Status: validation passed: (address=cxres@protonmail.com domain=protonmail.com), signature is good
X-W3C-Hub-Spam-Status: No, score=-5.1
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, DMARC_PASS=-0.001, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, W3C_AA=-1, W3C_DB=-1, W3C_IRA=-1, W3C_WL=-1
X-W3C-Scan-Sig: pan.w3.org 1sYJjZ-00EBOA-1u a7bb48c228d1c3875353a992060c87e7
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Method Mania
Archived-At: <https://www.w3.org/mid/BG1AG4FgbRD0_qyND9Z4x_T5Gp_8P07GdVSOlGe9MBzNT7N13mDaM5wExyvbHTherj2MsKnWviEZooizJ1cG-y2-Wy0vsaqcPDTMlRBCy0I=@protonmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/52163
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/email/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

As the author of the other Notifications proposal https://www.ietf.org/archive/id/draft-gupta-httpbis-per-resource-events-01.html at HTTPWG, my goal has been to create a notification protocol that is as backwards compatible as possible with existing HTTP semantics, and define a negotiation mechanism (`Accept-Events` and `Events` header field), so that we can then invent in the future, more advanced protocols, that for example, leverage HTTP/2/3 frames. This gives us more freedom to take "risks" with the more advance notification protocols, with the security to fallback on a safer mechanism when things break.

BR/Rahul



On Sunday, July 28th, 2024 at 7:04 PM, Patrick Meenan <patmeenan@gmail.com> wrote:

> Sorry, I didn't mean to imply not to go forward or to necessarily find a way to thread the needle but to explicitly plan for there to be middle-boxes that break and to be deliberate about how to handle that case, even for HTTPS.
> Failing loudly, in obvious and testable ways is WAY better than failing silently or in random ways. It makes it much easier for IT teams and software vendors to identify the root cause and test fixes. It can also be good to force failures broadly rather than pick just a subset of the population for it to work on (like requiring IPv6 features). There will be some middleboxes with issues but there will be a lot more that don't have issues and it would artificially limit the reach of the feature if you disable it for all middlebox cases.
> 

> I expect that new frame types for HTTP/2 and HTTP/3 would be more compatible than new methods just because devices are already parsing the existing headers and streams for content and would be more likely to error out when seeing a method they don't understand (but, odds are, new frames will have some number of devices that fail as well).
> 

> We have seen it more often than I care to admit, with the rollouts for HTTP/2, brotli, post-quantum TLS and now with compression dictionaries (which, you'd think the brotli rollout would have prepared devices for handling content-encoding negotiation in a compatible way, but nope).
> 

> The devices tend to fail the connections in painful ways, like closing the whole connection when it sees payload content it doesn't like (wiping out a bunch of multiplexed requests on a HTTP/2 connection for example).
> 

> Here is the site we're currently sending IT admins to when they get reports of TLS failures with the post-quantum rollout (mostly because of broken middleboxes): https://tldr.fail/
> 

> I'd encourage the team to continue without trying to get too fancy, just expect there will be some ecosystem cleanup needed when it is rolled out and to plan for it.
> 

> On Sun, Jul 28, 2024 at 1:33 AM Josh Cohen <joshco@gmail.com> wrote:
> 

> > Same here.. Patrick also said:
> > 

> > > "The better question is under what circumstances do we want to allow those devices to "break" and force them to fix the implementations?"
> > 

> > 

> > Maybe a reasonable interpretation of Patrick's statement is that it's time to be bold. HTTP/1.1 RFC2616 was published in 1999. It's the 25 year anniversary. 🥳 In the intervening years, the IETF has done a great job evolving the transport. That's created the foundation for things we couldn't do back then. I don't think it was a coincidence that Lisa Dusseault was in the room. The universe is speaking to us. Maybe it's time for a WebDAV re-spin.. The web could also have standardized pub/sub.
> > 

> > If we add new functionality that users and devs want, and makes admin life easier, that could be helpful in driving better implementations, and uptake of HTTP/2/3 and masque proxying.
> > 

> > 

> > 

> > 

> > 

> > 

> > 

> > On Sat, Jul 27, 2024 at 10:07 PM Julian Reschke <julian.reschke@gmx.de> wrote:
> > 

> > > On 27.07.2024 16:44, Patrick Meenan wrote:
> > > >
> > > >
> > > > On Sat, Jul 27, 2024 at 4:23 AM Julian Reschke <julian.reschke@gmx.de
> > > > <mailto:julian.reschke@gmx.de>> wrote:
> > > >
> > > > On 26.07.2024 00:27, Josh Cohen wrote:
> > > > > On the httpwg agenda at IETF 120 were a proposal for a new QUERY
> > > > method
> > > > > and Braid, which has subscription functionality that overloads
> > > > the GET
> > > > > method.
> > > > >
> > > > > What I am curious about is if, at this point in the evolution of the
> > > > > web, it is now safe to add new methods for new functionality.
> > > > I've been
> > > > > reading up on HTTP/2/3 and it seems that nowadays, connections are
> > > > > end-to-end secure and are essentially tunneled through middle boxes,
> > > > > including HTTP/1.1 proxies. I'm still just wrapping my head around
> > > > > MASQUE, but it looks like it can handle arbitrary methods. Similarly
> > > > > origin servers have evolved to support arbitrary methods.
> > > >
> > > > It always has been "safe", when https was used.
> > > >
> > > >
> > > > https is not "safe" in practical terms because of middleboxes that
> > > > intercept the connections. It is very common in enterprise deployments
> > > > where they install local trust anchors on the client devices and use
> > > > mitm software to inspect the traffic.
> > > > ...
> > > 

> > > I meant "safe" wrt deploying new HTTP methods.
> > > 

> > > When was the last time you encountered a problem?
> > > 

> > > Best regards, Julian
> > > 

> > > 

> > > 

> > 

> > 

> > 

> > --
> > 

> > ---
> > Josh Cohen