Protocol Action: 'Chunked Oblivious HTTP Messages' to Proposed Standard (draft-ietf-ohai-chunked-ohttp-08.txt)

[The IESG <iesg-secretary@ietf.org>]

The IESG has approved the following document:
- 'Chunked Oblivious HTTP Messages'
  (draft-ietf-ohai-chunked-ohttp-08.txt) as Proposed Standard

This document is the product of the Oblivious HTTP Application Intermediation
Working Group.

The IESG contact persons are Paul Wouters, Deb Cooley and Mike Bishop.

A URL of this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-ohai-chunked-ohttp/




Technical Summary

   This document defines a variant of the Oblivious HTTP message format
   that allows chunks of requests and responses to be encrypted and
   decrypted before the entire request or response is processed.  This
   allows incremental processing of Oblivious HTTP messages, which is
   particularly useful for handling large messages or systems that
   process messages slowly.

Working Group Summary

   The WG discussed applicability and use-cases for chunked OHTTP early on,
   given that chunking changes the security and privacy properties of OHTTP
   while not providing the guarantees of a proxied TLS connection.
   Specifically, there were concerns about the lack of forward secrecy and
   replay protection as well as how interactivity introduced by chunking
   potentially enables timing attacks. The authors addressed these concerns by
   adding an [Applicability
   section](https://datatracker.ietf.org/doc/html/draft-ietf-ohai-chunked-ohttp-06#name-applicability)
   and adding text on
   [interactivity](https://datatracker.ietf.org/doc/html/draft-ietf-ohai-chunked-ohttp-06#name-interactivity-and-privacy),
   [forward
   secrecy](https://datatracker.ietf.org/doc/html/draft-ietf-ohai-chunked-ohttp-06#section-7)
   and [replay attack
   risk](https://datatracker.ietf.org/doc/html/draft-ietf-ohai-chunked-ohttp-06#name-message-truncation).

   There was also discussion of the [incremental nature of
   HTTP](https://github.com/ietf-wg-ohai/draft-ohai-chunked-ohttp/issues/19),
   motivating use of an HTTP "Incremental" header to get incremental
   forwarding. The draft now references the ["Incremental" HTTP header
   field](https://datatracker.ietf.org/doc/draft-ietf-httpbis-incremental/)
   draft which is also in IESG Review.

Document Quality

   There are several existing deployments and implementations of Chunked OHTTP.
   [Cloudflare
   reported](https://mailarchive.ietf.org/arch/msg/ohai/xygArMZVfrSDtYvINHhYZHSGK1Q/)
   deployed implementations of both gateway and relay. [Apple
   also](https://datatracker.ietf.org/doc/minutes-120-ohai-202407260130/) has
   deployments of Chunked OHTTP for Private Cloud Compute and related AI
   features. There is an implementation by Microsoft for their [attested OHTTP
   server](https://github.com/microsoft/attested-ohttp-server). Google's QUICHE
   has support for [chunked
   OHTTP](https://quiche.googlesource.com/quiche.git/%2B/d71d77ba2b251b5b3fa049e8475c62ba1d473157).

   The document interacts with HTTP and has new Media Types. Authors requested
   a [media-types
   review](https://mailarchive.ietf.org/arch/msg/media-types/voY6mqv9c5LQGM2odHIoqFlUbuU/)
   for two new media types. The "Incremental HTTP Messages" work is being done
   in HTTP WG and is cited as a normative reference. The chairs also sent a
   pointer to the Chunked OHTTP draft's last call to the HTTP WG mailing list;
   there's a large overlap in the people involved between the two groups.

Personnel

   The Document Shepherd for this document is Shivan Kaul Sahib. The
   Responsible Area Director is Mike Bishop.

IANA Note

  In the message namespace of the Media Types registry located at:

    https://www.iana.org/assignments/media-types/

  two new media types are registered:
  - ohttp-chunked-req
  - ohttp-chunked-res