Re: [hybi] requirement draft as wg item
Greg Wilkins <gregw@webtide.com> Thu, 13 May 2010 10:02 UTC
Return-Path: <gregw@webtide.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 91CBB3A69AD for <hybi@core3.amsl.com>; Thu, 13 May 2010 03:02:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.325
X-Spam-Level:
X-Spam-Status: No, score=-0.325 tagged_above=-999 required=5 tests=[AWL=-0.326, BAYES_50=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bhwQtQA9yoga for <hybi@core3.amsl.com>; Thu, 13 May 2010 03:02:45 -0700 (PDT)
Received: from mail-wy0-f172.google.com (mail-wy0-f172.google.com [74.125.82.172]) by core3.amsl.com (Postfix) with ESMTP id 44A3E3A6A1C for <hybi@ietf.org>; Thu, 13 May 2010 03:02:27 -0700 (PDT)
Received: by wyb36 with SMTP id 36so847763wyb.31 for <hybi@ietf.org>; Thu, 13 May 2010 03:02:13 -0700 (PDT)
Received: by 10.227.132.69 with SMTP id a5mr8096276wbt.119.1273744933666; Thu, 13 May 2010 03:02:13 -0700 (PDT)
Received: from [192.168.0.100] (host116-234-static.43-88-b.business.telecomitalia.it [88.43.234.116]) by mx.google.com with ESMTPS id x34sm7834666wbd.16.2010.05.13.03.02.12 (version=TLSv1/SSLv3 cipher=RC4-MD5); Thu, 13 May 2010 03:02:13 -0700 (PDT)
Message-ID: <4BEBCE21.9060001@webtide.com>
Date: Thu, 13 May 2010 12:02:09 +0200
From: Greg Wilkins <gregw@webtide.com>
User-Agent: Thunderbird 2.0.0.24 (X11/20100411)
MIME-Version: 1.0
To: "hybi@ietf.org" <hybi@ietf.org>
References: <4BE972C5.4060006@ericsson.com> <8B0A9FCBB9832F43971E38010638454F03E7E23798@SISPE7MB1.commscope.com>
In-Reply-To: <8B0A9FCBB9832F43971E38010638454F03E7E23798@SISPE7MB1.commscope.com>
X-Enigmail-Version: 0.95.7
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Subject: Re: [hybi] requirement draft as wg item
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 May 2010 10:02:46 -0000
Thomson, Martin wrote: > Reading through this, it would be easier to maintain if the requirements were numbered separately by section: > > E.g. C1, C2 for client, S1, S2, S3 for server, X1, X2 for security. I agree - does anybody object if I reformat the document to make requirements number subsections? Maceij? > Regarding the following security requirement: > > REQ. 17: The WebSocket Protocol MUST use the Origin-based security > model commonly used by Web browsers to restrict which Web pages > can contact a WebSocket sever when the WebSocket protocol is used > from a Web page. > > It seems that _using_ this model is not what the protocol does. "Supporting" might be a better choice. The attacks that are foiled by the same model are foiled by the browser and its security policy, not the protocol. Same comment for the next requirement. This was an issue raised at the meeting and where it was pointed out that there is no specification for "Origin-based security model". I believe the chairs intend to open a trac issue for this once we've got the process of dealing with tracs established. Personally I think this is not so much a requirement on the protocol, but on the websocket API implementation. As you say, the protocol needs only support the security policy implemented by it's containing scope (ie the browser). > I'm still not satisfied by the discussion on protocol mimickry. That needs a much longer explanation than the one given. Also, this: > > REQ. 19: WebSocket should be designed to be robust against cross- > protocol attacks. The protocol design should consider and > mitigate the risk presented by WebSocket clients to existing > servers (including HTTP servers). It should also consider and > mitigate the risk to WebSocket servers presented by clients for > other protocols (including HTTP). > > Could be more simply worded as two requirements: > > REQ X-. An HTTP request MUST be difficult for a WebSocket server to mistake for a WebSocket handshake. > > With much more explanation. A simple scenario (as Ian provided me recently) would go a long way. Similarly: > > REQ X-. A WebSocket handshake MUST be difficult for an HTTP server to mistake for a valid HTTP request. > > ...with a similar degree of justification. (Random thought: requiring Content-Length: 0 might be a price worth paying here.) Nice - much simpler.
- [hybi] requirement draft as wg item Salvatore Loreto
- Re: [hybi] requirement draft as wg item Thomson, Martin
- Re: [hybi] requirement draft as wg item Maciej Stachowiak
- Re: [hybi] requirement draft as wg item Mike Belshe
- Re: [hybi] requirement draft as wg item Greg Wilkins
- Re: [hybi] requirement draft as wg item Greg Wilkins
- Re: [hybi] requirement draft as wg item Scott Ferguson