Re: I-D Action: draft-nottingham-safe-hint-06.txt

Brian E Carpenter <brian.e.carpenter@gmail.com> Fri, 13 February 2015 01:23 UTC

Message-ID: <54DD5200.9020204@gmail.com>
Date: Fri, 13 Feb 2015 14:23:12 +1300
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
To: IETF discussion list <ietf@ietf.org>
Subject: Re: I-D Action: draft-nottingham-safe-hint-06.txt
References: <20150213004713.8331.22753.idtracker@ietfa.amsl.com>
In-Reply-To: <20150213004713.8331.22753.idtracker@ietfa.amsl.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/zoHwfopiiHxy8qUzCFgvB1ZxEws>

So, I am seriously wondering how the IETF would react to a
proposal to standardise some other kind of hint in HTTP requests.
For example, if you happen to like or hate the colour green,
and/or ecologically-friendly solutions, how about a standard which
contains text like the following?

4. Security Considerations

   The "green" preference is not a secure mechanism; it can be inserted
   or removed by intermediaries with access to the request stream (e.g.
   for "http://" URLs).  Its presence reveals limited information about
   the user, which may be of small assistance in "fingerprinting" the
   user.

   By its nature, including "green" in requests does not assure that all
   content will actually be green; it is only when servers elect to honor
   it that content might be "green".

   Even then, a malicious server might adapt content so that it is even
   less "green" (by some definition of the word).  As such, this
   mechanism on its own is not enough to assure that only "green" content
   is seen; those who wish to ensure that will need to combine its use
   with other techniques (e.g., content filtering).

   Furthermore, the server and user may have differing ideas regarding
   the semantics of "green."  As such, the "greenness" of the user's
   experience when browsing from site to site might (and probably will)
   change.

The more I look at this draft, the less it seems like a meaningful idea.
The latest tweaks don't help.

    Brian