IETF Logo Mail Archive

Re: Upgrade status for impl draft 1

Eliot Lear <lear@cisco.com> Thu, 28 February 2013 06:35 UTC

Return-Path: <ietf-http-wg-request@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8C91D21F8ADB for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Wed, 27 Feb 2013 22:35:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.594
X-Spam-Level:
X-Spam-Status: No, score=-10.594 tagged_above=-999 required=5 tests=[AWL=0.005, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G9ysulKvpTNv for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Wed, 27 Feb 2013 22:35:10 -0800 (PST)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) by ietfa.amsl.com (Postfix) with ESMTP id A463021F8ABC for <httpbisa-archive-bis2Juki@lists.ietf.org>; Wed, 27 Feb 2013 22:35:10 -0800 (PST)
Received: from lists by frink.w3.org with local (Exim 4.72) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1UAx4A-0005CN-Cj for ietf-http-wg-dist@listhub.w3.org; Thu, 28 Feb 2013 06:34:06 +0000
Resent-Date: Thu, 28 Feb 2013 06:34:06 +0000
Resent-Message-Id: <E1UAx4A-0005CN-Cj@frink.w3.org>
Received: from lisa.w3.org ([128.30.52.41]) by frink.w3.org with esmtp (Exim 4.72) (envelope-from <lear@cisco.com>) id 1UAx3z-0005Ac-W0 for ietf-http-wg@listhub.w3.org; Thu, 28 Feb 2013 06:33:56 +0000
Received: from ams-iport-2.cisco.com ([144.254.224.141]) by lisa.w3.org with esmtps (TLS1.0:RSA_ARCFOUR_SHA1:16) (Exim 4.72) (envelope-from <lear@cisco.com>) id 1UAx3z-0003ah-5I for ietf-http-wg@w3.org; Thu, 28 Feb 2013 06:33:55 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=1975; q=dns/txt; s=iport; t=1362033235; x=1363242835; h=message-id:date:from:mime-version:to:cc:subject: references:in-reply-to:content-transfer-encoding; bh=mgxg/cWNPNva0a3xnryBappMYbLEimDos7nXsZV5G50=; b=cG9kkksB0C9rx3P91niOtBiqlbvu2/aZ/3etZK+LuHkBSQ1CDAPdxRLM /Of7legpVpHEH/osRipb4Pv8Zqth3tvzUDmMUtowbn1LRMLpnlaAnCXqB NZe6IlZuxOZNEP04vP53dGyKFuOP6JW9y/KLe4UYjGUaZjYO8ClDdhpyb w=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AgIFAMf4LlGQ/khN/2dsb2JhbABFhk+7YHoWc4IfAQEBBCNVARALGAICBRYLAgIJAwIBAgFFBg0BBQIBAYgPrn2SWYEjjXEHgi2BEwOWQZBqgwmBaiQ
X-IronPort-AV: E=Sophos;i="4.84,753,1355097600"; d="scan'208";a="80776937"
Received: from ams-core-4.cisco.com ([144.254.72.77]) by ams-iport-2.cisco.com with ESMTP; 28 Feb 2013 06:32:00 +0000
Received: from dhcp-10-61-98-134.cisco.com (dhcp-10-61-98-134.cisco.com [10.61.98.134]) by ams-core-4.cisco.com (8.14.5/8.14.5) with ESMTP id r1S6VxvN030651 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 28 Feb 2013 06:32:00 GMT
Message-ID: <512EF9DF.3050405@cisco.com>
Date: Thu, 28 Feb 2013 07:31:59 +0100
From: Eliot Lear <lear@cisco.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:17.0) Gecko/20130216 Thunderbird/17.0.3
MIME-Version: 1.0
To: Ted Hardie <ted.ietf@gmail.com>
CC: "\"William Chan (陈智昌)\"" <willchan@chromium.org>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
References: <B0FC9D1E-08EF-4275-9851-C8F33F24FF00@mnot.net> <CAA4WUYgGD2XWRH0xXYJOR7zY16hf2w+d4XTVk8_rx+DV5iG3Ug@mail.gmail.com> <512DA753.4040402@cisco.com> <CA+9kkMDYyWcOpHH+ngG4pQNhGu50ZafeBhBofTZiobj4nvCz3A@mail.gmail.com> <512E7E57.8040102@cisco.com> <CA+9kkMD_kzgzUvOOxvXSg_uj1TEcioNPwBhq694LwJ2VP3Q-NA@mail.gmail.com>
In-Reply-To: <CA+9kkMD_kzgzUvOOxvXSg_uj1TEcioNPwBhq694LwJ2VP3Q-NA@mail.gmail.com>
X-Enigmail-Version: 1.5
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Received-SPF: pass client-ip=144.254.224.141; envelope-from=lear@cisco.com; helo=ams-iport-2.cisco.com
X-W3C-Hub-Spam-Status: No, score=-13.5
X-W3C-Hub-Spam-Report: AWL=-0.187, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.703, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5
X-W3C-Scan-Sig: lisa.w3.org 1UAx3z-0003ah-5I cf0aea6bc1c068d61d6557fd076f2d5a
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Upgrade status for impl draft 1
Archived-At: <http://www.w3.org/mid/512EF9DF.3050405@cisco.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/16931
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

On 2/27/13 10:52 PM, Ted Hardie wrote:
> On Wed, Feb 27, 2013 at 1:44 PM, Eliot Lear <lear@cisco.com> wrote:
>> Ted, the problem is that then we are essentially requiring TLS for
>> implementation of HTTP 2.0.  We've said we're not going to do that.
> I don't think this is quite right.  I think it means that if you use
> the DNS hints mechanism, you should expect TLS.  If you have other
> upgrade methods, they would not be impacted.  That doesn't require TLS
> for implementation of HTTP 2.0 itself.

The whole point of the draft is performance and eliminating latency. 
What you suggest would penalize non-TLS implementations for no reason. 
As important, we haven't really defined what a TLS deployment is in
these cases.  For instance, as I've said before, in an enterprise
environment, it is not reasonable to assume that every server will have
a valid cert.  In fact we have yet to see whether this is even a valid
assumption on the Internet as a whole.  I don't want to bind this draft
into that discussion, and there is no reason to do so.
>
>> But
>> also, the problem you describe is within control of both clients (albeit
>> with a linkage to DNSSEC) and servers by not linking two secure and
>> insecure services.  Ultimately what is proposed represents no change
>> because the server itself has to provide whatever capability we're
>> discussing.
>>
> I don't really follow this; can you rephrase it?
>

Sure.  There are two opportunities to avoid the risk I raised:

1.  Servers simply do not advertise via DNS the same service using both
TLS and non-TLS.
2.  They use DNSSEC.

The issue is entirely remediated with existing code, if necessary.  And
for those who do want to mix security models, then they need to, at the
very least, offer a signed zone so that clients and their resolvers can
validate the information.  I personally wouldn't do this until I felt
comfortable that clients had that ability.

Eliot

v2.23.0 | Report a Bug | By Email