IETF Logo Mail Archive

Re: Last Call: <draft-nottingham-safe-hint-05.txt> (The "safe" HTTP Preference) to Proposed Standard

Mark Nottingham <mnot@mnot.net> Thu, 23 October 2014 23:49 UTC

Return-Path: <mnot@mnot.net>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EDA871AD3EE for <ietf@ietfa.amsl.com>; Thu, 23 Oct 2014 16:49:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.602
X-Spam-Level:
X-Spam-Status: No, score=-2.602 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Amte97puDwYY for <ietf@ietfa.amsl.com>; Thu, 23 Oct 2014 16:49:33 -0700 (PDT)
Received: from mxout-07.mxes.net (mxout-07.mxes.net [216.86.168.182]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5FB2A1AD3B4 for <ietf@ietf.org>; Thu, 23 Oct 2014 16:49:33 -0700 (PDT)
Received: from [192.168.1.83] (unknown [118.209.19.165]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.mxes.net (Postfix) with ESMTPSA id 8B9C222E1F3; Thu, 23 Oct 2014 19:49:26 -0400 (EDT)
From: Mark Nottingham <mnot@mnot.net>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Subject: Re: Last Call: <draft-nottingham-safe-hint-05.txt> (The "safe" HTTP Preference) to Proposed Standard
Message-Id: <53217238-CF32-4862-AFF1-15899AAE066C@mnot.net>
Date: Fri, 24 Oct 2014 10:49:23 +1100
To: IETF <ietf@ietf.org>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
Mime-Version: 1.0 (Mac OS X Mail 8.0 \(1990.1\))
X-Mailer: Apple Mail (2.1990.1)
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf/byDNbbSpYs6gFnmmbi75gckRtSk
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Oct 2014 23:49:36 -0000

Stephen wrote:

> I think doing this is a bad idea and commented on that before
> on apps-discuss. [1] (Start of that mega-thread is [2])
> 
> I think all the same objections apply other than the one that
> called for the discussion to be had here rather than in appsawg.
> (And thanks Barry for doing that.)
> 
> S.
> 
> [1] https://www.ietf.org/mail-archive/web/apps-discuss/current/msg12628.html
> [2] https://www.ietf.org/mail-archive/web/apps-discuss/current/msg12512.html

We had that discussion before, but to recap where I think we're at:

> While it may be deployed, I suspect that standardising this
> will lead us down a bad path where effort is wasted on trying to
> develop more fine-grained values. I think the discussion so far
> indicates that such a development is highly likely no matter that
> the proponents of this would like it to remain a single bit
> signal forever.

This isn't relevant, as it's in LC now and no extensibility is allowed (as John points out).

> And while DNT is different from this in some respects, in others,
> they are the same - an underspecified signal is emitted by a browser
> in the hope that an unspecified and unenforceable action is taken
> by a server. The IETF did exactly the right thing in rejecting the
> idea of standardising DNT and should do the same here. (In fact,
> I bet if you asked W3C folks now, they might agree that taking
> on DNT was a mistake;-)

DNT doesn't work because the incentives are very poorly lined up; the user is asking the site to do something against its own interest. It needs legislative / regulatory cover to actually work.

Safe lines up the incentives very well; sites want to give the users the content they prefer. This is demonstrated on search engines, social network sites, and so on.

> Separately, (in terms of arguing against adoption), I don't believe
> this is required for interoperability, and could do some damage
> to interoperability, if badly implemented on the server side,
> and given the unspecified nature of the server side here that
> seems not unlikely.
> 
> For example, I'm concerned that the word safe may be interpreted
> in a way that is not intended and that is applied to more than
> just one request/response pair or even more than just the web.
> I've heard various Chinese folks, some government, some not, talk
> where translators have used the word safe to mean what appears to
> me to specifically denote a government controlled Internet. I would
> therefore be concerned that a browser emitting this signal might
> be treated as preferring a network where e.g. the use of encryption
> is at best frowned upon, where middleboxes interepting everything
> is considered the norm etc.

I really don't know what you're talking about here, Stephen. People who want to willfully misinterpret semantics will do so; we can't prevent that, and more to the point, someone in a position to perform a hostile MITM with legal cover will do so whatever the client says it wants.

> I don't know if that's likely or not but haven't seen this aspect
> raised. And I'm not sure that documenting that the prefer value
> is only meant to apply to *this* HTTP request/response pair will
> help much. If a single prefer header were to affect more than one
> request/response pair, then if e.g. my calendar emitted that signal
> (on the basis that it'd be no harm) that might cause a server to
> fail to send content to my browser that I need.

Again, I think you're seriously off base and hand-waving here, Stephen. Do you have any evidence that this will actually happen -- keeping in mind that this is already deployed on extremely large Web sites, and in major Web browsers?

> I'd also object to the text in the draft that says that a proxy
> "can be used" to enforce this, but doesn't say how. That could
> of course be deleted or maybe fixed if this is adopted, but I'd
> not be surprised to hear someone saying that adopting this means
> that we have already agreed to specify how a proxy can force this
> setting for all browsers. FWIW, I do not accept that proposition.


The obligations and capabilities of proxies are reasonably well-defined in HTTP, and we're currently looking at making that better.


Regards,

--
Mark Nottingham   https://www.mnot.net/

v2.23.0 | Report a Bug | By Email