[Ietf-message-headers] OSLC-Core-Version header registration request

Andrii Berezovskyi <andriib@kth.se> Sat, 06 February 2021 12:38 UTC


Hello,

The OASIS Open Services for Lifecycle Collaboration (OSLC) Open Project (OP) would like to submit the following registration request:


Header field name: OSLC-Core-Version

Applicable protocol: http (RFC 2616 and its successors)

Status:
    standard (Project Specification 01 as per OASIS classification, has all the statements from the implementers to progress to the Candidate OASIS Standards once PS02 is published with the changes related to this registration request)

Author/Change controller:
    OASIS (can be Chet Ensign or the OASIS OSLC OP Project Governing Board (PGB) itself)

Specification document(s):
    https://docs.oasis-open-projects.org/oslc-op/core/v3.0/oslc-core.html (§4.2, Part 1, approved Project Specification 01)
    https://oslc-op.github.io/oslc-specs/specs/core/oslc-core.html (latest draft that will have to be voted on again once this registration request has been considered by IETF, contains ABNF as per the registration requirements)
    https://archive.open-services.net/bin/view/Main/OslcCoreSpecification#Specification_Versioning (spec that introduced the header)

Related information:
    OSLC-Core-Version header has been in active use by OSLC implementations since 2009.
    https://github.com/oslc-op/oslc-specs/issues/459
    This submission is made in preparation for progressing the OSLC Core specification to the OASIS Standard stage (the Project Specification stage has passed and the Candidate OASIS Specification stage is next).


Answers to the considerations in https://tools.ietf.org/html/rfc7231#section-8.3:

1) Field is a single value.
2) The field can be used for both requests and responses; the spec defines the expected behaviour.
3) The header is not to be stored by the origin servers on PUT requests.
4) The semantics of the header only depend on whether a server or a client is sending it.
5) The header field is not hop-by-hop.
6) Intermediaries between OSLC servers and OSLC clients shall not insert or alter this header unless they are themselves OSLC servers or OSLC clients.
7) Yes, the header may be listed in the Vary header because the server may serve different content depending on the OSLC-Core-Version capability of the client.
8) No, the header is not generated dynamically and is not useful as a chunked trailer.
9) Yes, the header is to be preserved across redirects.
10) No private data is disclosed in the header. No security implications arise from this header alone, as it only guides clients and servers on the version of the high-level protocol and is independent of the protocols that constitute a larger attack surface, such as HTTP, TLS and OAuth. The attacker may infer from the value of the header that a certain feature is not supported by an old client or server (e.g. OSLC 2 uses OAuth 1.0 and OSLC 3 recommends OIDC 1.0). The attacker may also indirectly try to guess that an old client or server may run old software such as JDK 7 and use insecure settings due to a lack of new TLS version support, etc. We don't think, however, that this header introduces any significant information for the attacker that they could not gather on their own.

Thank you kindly for your time and the consideration of our application.

Best regards,
Andrew Berezovskyi

OSLC OP PGB co-chair
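The considerations answered above (a single value, sent in both directions, listed in Vary, and not persisted by an origin server on PUT) translate into a few small server-side checks. The following is an added illustration, not code from the OSLC specification or the oslc-op project; the MAJOR.MINOR value grammar, the supported-version list and the fallback to the oldest supported version are assumptions made for the example.

```python
"""Illustrative handling of the OSLC-Core-Version header as described in the
registration request above. Example code, not from the OSLC spec; the value
grammar and the negotiation policy are assumptions."""
import re
from typing import Optional

HEADER = "OSLC-Core-Version"
# Assumption: a version value looks like "2.0" or "3.0". The spec's ABNF may differ.
_VERSION_RE = re.compile(r"\d+\.\d+")


def get_header(headers: dict, name: str) -> Optional[str]:
    """Case-insensitive lookup, since HTTP field names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_version(value: Optional[str]) -> Optional[str]:
    """Consideration 1: the field carries exactly one value. A comma-separated
    list or any other malformed value is rejected (None), not silently split."""
    if value is None:
        return None
    value = value.strip()
    return value if _VERSION_RE.fullmatch(value) else None


def negotiate(request_headers: dict, supported: tuple = ("2.0", "3.0")) -> dict:
    """Server side (considerations 2 and 7): pick the version to answer with and
    advertise via Vary that the representation depends on the client's header.
    Assumption: an absent or unsupported version falls back to the oldest one."""
    requested = parse_version(get_header(request_headers, HEADER))
    chosen = requested if requested in supported else supported[0]
    return {HEADER: chosen, "Vary": HEADER}


def headers_to_store(request_headers: dict) -> dict:
    """Consideration 3: the header describes the exchange, not the resource, so
    an origin server drops it before persisting metadata received on PUT."""
    return {k: v for k, v in request_headers.items() if k.lower() != HEADER.lower()}
```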