Protocol Action: 'Oblivious HTTP' to Proposed Standard (draft-ietf-ohai-ohttp-08.txt)

The IESG <iesg-secretary@ietf.org> Wed, 15 March 2023 23:29 UTC

MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: The IESG <iesg-secretary@ietf.org>
To: IETF-Announce <ietf-announce@ietf.org>
Subject: Protocol Action: 'Oblivious HTTP' to Proposed Standard (draft-ietf-ohai-ohttp-08.txt)
Auto-Submitted: auto-generated
Precedence: bulk
Cc: The IESG <iesg@ietf.org>, draft-ietf-ohai-ohttp@ietf.org, francesca.palombini@ericsson.com, ohai-chairs@ietf.org, ohai@ietf.org, rfc-editor@rfc-editor.org, shivankaulsahib@gmail.com
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Message-ID: <167892294529.47962.3626720895767027235@ietfa.amsl.com>
Date: Wed, 15 Mar 2023 16:29:05 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-announce/7HA5956_b8DpHXs_MENsCKzUaZ0>

The IESG has approved the following document:
- 'Oblivious HTTP'
(draft-ietf-ohai-ohttp-08.txt) as Proposed Standard

This document is the product of the Oblivious HTTP Application Intermediation
Working Group.

The IESG contact persons are Paul Wouters, Francesca Palombini and Roman
Danyliw.

A URL of this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-ohai-ohttp/

Technical Summary

This document describes a system for forwarding encrypted HTTP
messages. This allows a client to make multiple requests to an
origin server without that server being able to link those requests
to the client or to identify the requests as having come from the
same client, while placing only limited trust in the nodes used to
forward the messages.

Working Group Summary

There were a few topics that required in-depth discussion:

1. [Bad Key Configuration](https://github.com/ietf-wg-ohai/oblivious-http/issues/194): It
was resolved in https://github.com/ietf-wg-ohai/oblivious-http/pull/196
2. [Asynchronous Submission Use Case](https://github.com/ietf-wg-ohai/oblivious-http/issues/179): A new draft was created to address this use-case: https://datatracker.ietf.org/doc/draft-wood-ohai-unreliable-ohttp/
3. [Signals from server to proxy or vice versa](https://github.com/ietf-wg-ohai/oblivious-http/issues/114): being handled in a separate draft, and https://github.com/ietf-wg-ohai/oblivious-http/pull/113/files has text around proxy responsibilities

Apart from GitHub, these topics were either discussed on-list or during WG
session. Ultimately there was clear consensus on how to resolve these issues.

The draft reached broad agreement, as ascertained through both IETF session
participation and mailing list/GitHub discussion. Quite a few folks raised
[issues on GitHub](https://github.com/ietf-wg-ohai/oblivious-http/issues?q=is%3Aissue+is%3Aclosed).
Key decisions were surfaced on the mailing list.

Document Quality

There are implementations in [Rust](https://github.com/martinthomson/ohttp) and
[Go](https://github.com/chris-wood/ohttp-go). Apple iOS 16 includes OHTTP.
Cloudflare (https://github.com/cloudflare/app-relay) and Brave have
implementations as well.

This document interacts with HTTP WG and in general the SEC area. Participants
from the HTTP and security communities were actively involved in the
development of the document.

Personnel

Document Shepherd: Shivan Kaul Sahib
Responsible Area Director: Francesca Palombini

Protocol Action: 'Oblivious HTTP' to Proposed Sta… The IESG