[Last-Call] Last call feedback on draft-ietf-ohai-ohttp-05

Mark Nottingham <mnot@mnot.net> Wed, 30 November 2022 03:38 UTC

From: Mark Nottingham <mnot@mnot.net>
Date: Wed, 30 Nov 2022 14:38:12 +1100
Cc: Martin Thomson <mt@lowentropy.net>, Christopher Wood <caw@heapingbits.net>
To: Last Call <last-call@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/last-call/MDOXHZWbm8E-hCOWy_fy80-mh9w>

Hello,

Technically this document looks good; my feedback is merely about editorial issues and terminology. 


* This paragraph in the introduction doesn't really do the required work, and is slightly misleading (e.g., a relay resource doesn't process the messages or use HPKE).

OLD:

This document defines two kinds of HTTP resources -- Oblivious Relay Resources and Oblivious Gateway Resources -- that process encapsulated binary HTTP messages [BINARY] using Hybrid Public Key Encryption (HPKE; [HPKE]). They can be composed to protect the content of encapsulated requests and responses, thereby separating the identity of a requester from the request.

NEW:

To overcome these limitations, this document defines how encapsulated binary HTTP messages [BINARY] can be encrypted using Hybrid Public Key Encryption (HPKE; [HPKE]) to protect their contents. Clients exchange these messages with an Oblivious Gateway Resource, which is responsible for forwarding unencrypted requests to the original Target Resource and encrypting the corresponding responses and sending them back to the client. Critically, the encrypted, encapsulated messages are sent through a separate Oblivious Relay Resource to avoid exposing the client's IP address or allowing the connection to be used as a correlator between its requests. 

OLD:

Although this scheme requires support for two new kinds of oblivious resources, it represents a performance improvement over options that perform just one request in each connection.

NEW:

Because it allows connection reuse between the client and Oblivious Relay Resource, as well as between that relay and the Oblivious Gateway Resource, this scheme represents a performance improvement over using just one request in each connection.


* The term 'Oblivious Relay Resource' is a bit odd. Section 6.2 admits that it can be a normal HTTP intermediary (i.e. a proxy) as long as a few constraints are observed. So, it doesn't need to be a resource. I know that's the fashion with the MASQUE folks, but I'd suggest that this just be called an 'Oblivious Relay' -- or, indeed, 'Oblivious Proxy'.


* The capital 'T' in 'Target Resource' creates a new concept and arguably causes confusion -- see e.g., draft-wood-ohai-unreliable-ohttp:

> A typical HTTP transaction consists of a request and response between a Client and Target Resource.

HTTP has no concept of a 'Target Resource'; it's just a 'resource' (see 9110 3.1). An easy fix would just be to use lowercase 'target'. I'd also consider lowercasing 'resource' throughout.





--
Mark Nottingham   https://www.mnot.net/