IETF Logo Mail Archive

Re: [Ohai] Working Group Last Call for draft-ietf-ohai-svcb-config

Tommy Pauly <tpauly@apple.com> Mon, 19 June 2023 14:21 UTC

Return-Path: <tpauly@apple.com>
X-Original-To: ohai@ietfa.amsl.com
Delivered-To: ohai@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E1BDBC14068D for <ohai@ietfa.amsl.com>; Mon, 19 Jun 2023 07:21:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.396
X-Spam-Level:
X-Spam-Status: No, score=-4.396 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7Nt6CMoVAMMD for <ohai@ietfa.amsl.com>; Mon, 19 Jun 2023 07:21:53 -0700 (PDT)
Received: from rn-mailsvcp-mx-lapp03.apple.com (rn-mailsvcp-mx-lapp03.apple.com [17.179.253.24]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 267F6C15EB2E for <ohai@ietf.org>; Mon, 19 Jun 2023 07:21:53 -0700 (PDT)
Received: from rn-mailsvcp-mta-lapp02.rno.apple.com (rn-mailsvcp-mta-lapp02.rno.apple.com [10.225.203.150]) by rn-mailsvcp-mx-lapp03.rno.apple.com (Oracle Communications Messaging Server 8.1.0.22.20230228 64bit (built Feb 28 2023)) with ESMTPS id <0RWI00EXJ7WGXJ10@rn-mailsvcp-mx-lapp03.rno.apple.com> for ohai@ietf.org; Mon, 19 Jun 2023 07:21:52 -0700 (PDT)
X-Proofpoint-GUID: tIPIaB949arYjbDPRqnfAl-rK8AcfaBL
X-Proofpoint-ORIG-GUID: tIPIaB949arYjbDPRqnfAl-rK8AcfaBL
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.591, 18.0.957 definitions=2023-06-19_10:2023-06-14, 2023-06-19 signatures=0
X-Proofpoint-Spam-Details: rule=interactive_user_notspam policy=interactive_user score=0 phishscore=0 malwarescore=0 suspectscore=0 mlxscore=0 bulkscore=0 mlxlogscore=999 adultscore=0 spamscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2305260000 definitions=main-2306190131
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=apple.com; h=from : message-id : content-type : mime-version : subject : date : in-reply-to : cc : to : references; s=20180706; bh=E8ceLF9Cd0ixMR3jNUgFdTkIeDt4fo2zn69uPwcuuSE=; b=IjOKOe26Qxeatt9rb+sIO9kSHXVYGJH5lw3cdEIpm7CdfuG1i4/3P8VE4dXMaycpAjMd IVkXI4iwjPnCdCX+JLoD/ehIJq4fb1BQZbxJ/UizPG3mrZflHAx+0hjra6ZNn901OWlQ Ey1Ypb8dYz/6NU8J2LaXYJx+iL+/ZS9pCof7jb4nCYrJIlZEPDMMl04DMplczl8jdXm1 a3ETaGsTl8rKozEMrLlZI/rg2/P4UXpyNEUbTXDuXmaqi9IZGRpNwzlC9X1ZC8ts5AdC hIu1Uh9VKCESsG5h2kfQmHyvL99W2Bxo2dUKLTdHWLM7LJJeY+RvmmsMZoLIp0eECuCH kA==
Received: from rn-mailsvcp-mmp-lapp02.rno.apple.com (rn-mailsvcp-mmp-lapp02.rno.apple.com [17.179.253.15]) by rn-mailsvcp-mta-lapp02.rno.apple.com (Oracle Communications Messaging Server 8.1.0.22.20230228 64bit (built Feb 28 2023)) with ESMTPS id <0RWI00Y0D7WGG660@rn-mailsvcp-mta-lapp02.rno.apple.com>; Mon, 19 Jun 2023 07:21:52 -0700 (PDT)
Received: from process_milters-daemon.rn-mailsvcp-mmp-lapp02.rno.apple.com by rn-mailsvcp-mmp-lapp02.rno.apple.com (Oracle Communications Messaging Server 8.1.0.22.20230228 64bit (built Feb 28 2023)) id <0RWI00O007ASFK00@rn-mailsvcp-mmp-lapp02.rno.apple.com>; Mon, 19 Jun 2023 07:21:52 -0700 (PDT)
X-Va-A:
X-Va-T-CD: cd3e0771b0c3f9b3e3441d275890bd10
X-Va-E-CD: 944a4a81ff2df93f559e5d6bf8743316
X-Va-R-CD: e36971adea71fa0e4db2036425d38a67
X-Va-ID: 7373fa8e-2f8d-42bf-b900-e6d8c1d8b65d
X-Va-CD: 0
X-V-A:
X-V-T-CD: cd3e0771b0c3f9b3e3441d275890bd10
X-V-E-CD: 944a4a81ff2df93f559e5d6bf8743316
X-V-R-CD: e36971adea71fa0e4db2036425d38a67
X-V-ID: 2d3089d1-3b00-4f4d-ac7d-7184e5362d60
X-V-CD: 0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.591, 18.0.957 definitions=2023-06-19_10:2023-06-14, 2023-06-19 signatures=0
Received: from smtpclient.apple ([17.234.56.18]) by rn-mailsvcp-mmp-lapp02.rno.apple.com (Oracle Communications Messaging Server 8.1.0.22.20230228 64bit (built Feb 28 2023)) with ESMTPSA id <0RWI004537WFLH00@rn-mailsvcp-mmp-lapp02.rno.apple.com>; Mon, 19 Jun 2023 07:21:52 -0700 (PDT)
From: Tommy Pauly <tpauly@apple.com>
Message-id: <0840DB05-879C-4389-993C-36D21226CEBF@apple.com>
Content-type: multipart/alternative; boundary="Apple-Mail=_254E0043-D6E7-4BAA-BAB8-2B59EE53CBD5"
MIME-version: 1.0 (Mac OS X Mail 16.0 \(3762.100.4.1.11\))
Date: Mon, 19 Jun 2023 07:21:40 -0700
In-reply-to: <CAG3f7Mj9i9SARjpREtqRuWnvZHCAqqQU6yq+zbSQK5O+6vJixQ@mail.gmail.com>
Cc: Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org>, Martin Thomson <mt@lowentropy.net>, ohai@ietf.org
To: Shivan Kaul Sahib <shivankaulsahib@gmail.com>
References: <CAG3f7Mg7o6umKkvK_G+FXpicBjPOFN74s9BpvaKvUEvv7Lpo3g@mail.gmail.com> <acad59e1-c91d-4f02-992c-7918db4009b9@betaapp.fastmail.com> <921B97FE-3D46-4565-9754-88C2C41E27FF@apple.com> <2d13310f-e3e2-4cfd-8e17-b9e5506d2ec4@app.fastmail.com> <5E359C4F-DAEA-446C-8AE9-D582BACADE35@apple.com> <CAG3f7Mj9i9SARjpREtqRuWnvZHCAqqQU6yq+zbSQK5O+6vJixQ@mail.gmail.com>
X-Mailer: Apple Mail (2.3762.100.4.1.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ohai/CNzxMvkGAtzjYwkrFiPWFqUhwDU>
Subject: Re: [Ohai] Working Group Last Call for draft-ietf-ohai-svcb-config
X-BeenThere: ohai@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Oblivious HTTP Application Intermediation <ohai.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ohai>, <mailto:ohai-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ohai/>
List-Post: <mailto:ohai@ietf.org>
List-Help: <mailto:ohai-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ohai>, <mailto:ohai-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Jun 2023 14:21:54 -0000

Hi Shivan, all,

We’ve published a new version now that the last issue/PR is resolved.

Thanks,
Tommy

> On Jun 16, 2023, at 2:26 PM, Shivan Kaul Sahib <shivankaulsahib@gmail.com> wrote:
> 
> Hi all, thanks for the review and discussion. The chairs think there is consensus to advance this document -- there were several statements of support and no objections. I'll note that there is one open issue, https://github.com/ietf-wg-ohai/draft-ohai-svcb-config/issues/42 which is still being discussed at https://github.com/ietf-wg-ohai/draft-ohai-svcb-config/pull/46. We'll need a new draft version once we agree on the text.
> 
> On Thu, 8 Jun 2023 at 20:24, Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org <mailto:40apple.com@dmarc.ietf.org>> wrote:
>> Thanks for that clarification. To track this, I’ve filed https://github.com/ietf-wg-ohai/draft-ohai-svcb-config/issues/39, and I’ve opened a pull request to address this here: https://github.com/ietf-wg-ohai/draft-ohai-svcb-config/pull/40.
>> 
>> Please review and provide suggestions!
>> 
>> Best,
>> Tommy
>> 
>>> On May 26, 2023, at 3:35 AM, Martin Thomson <mt@lowentropy.net <mailto:mt@lowentropy.net>> wrote:
>>> 
>>> On Thu, May 25, 2023, at 19:08, Tommy Pauly wrote:
>>>> To clarify, what specifically were you suggesting that the draft should 
>>>> be explicit about with a MUST? Would that be telling the client to 
>>>> always request the well-known and follow the redirect each time, thus 
>>>> treating even permanent redirects as temporary? I think that is 
>>>> reasonable as a performance loss, given that the client won’t look up 
>>>> the key configuration for each request, but will be able to reuse the 
>>>> configuration as long as it is valid.
>>> 
>>> Good questions.  This probably needs a little unpacking.  (I composed the original on my phone, but I have a real keyboard now.)
>>> 
>>> We have a single resource at /.well-known/ohttp-gateway that performs two functions: the retrieval of a key configuration and oblivious requests.  For the stated reasons, it might be nice if that could redirect to somewhere else.
>>> 
>>> For retrieval of key configurations, I agree that an extra query is workable.
>>> 
>>> It is the oblivious requests that concern me.  Here, the URL is really only something that is used by the relay.  So maybe there is an answer there that relates to the operation of a relay.  This might even be something the core specification could use.
>>> 
>>> This won't be a pre-arranged setup, so we can't start by assuming that the relay knows the gateway URL.  Therefore, the client is telling the relay about the gateway somehow.  If the client says "example.com <http://example.com/>" (without a path) and the relay fills in the well-known path, that is mostly fine as far as tracking the client goes[1].  The client might provide a full URL to the gateway, but uses the well-known URL, with identical effect.  Telling the relay about a redirected URL invites targeting though, especially if the original fetch was not made using a proxy.  308 -> https://gateway.example/your.ip.address.here might not meet our privacy goals.  If the client remembers the redirected path from its key configuration fetch, then the gateway is potentially able to link requests, so we might MUST NOT something about that.
>>> 
>>> For oblivious requests like this, the nice thing is that the relay is in a position to follow and remember redirects for all clients.  The first client to access that gateway through the relay might suffer an extra round trip, but subsequent requests can use the redirected location (let us say that the redirect is a 308).  That is probably something that we could note in the main spec as well or instead.
>>> 
>>> [1] 'unique-id-for-client.example' remains a tiny bit of a concern, but the relay can maybe be relied upon to help detect that sort of badness and we are able to rely on DNS caching... to some extent.
>>> 
>>> -- 
>>> Ohai mailing list
>>> Ohai@ietf.org <mailto:Ohai@ietf.org>
>>> https://www.ietf.org/mailman/listinfo/ohai
>> 
>> -- 
>> Ohai mailing list
>> Ohai@ietf.org <mailto:Ohai@ietf.org>
>> https://www.ietf.org/mailman/listinfo/ohai
> -- 
> Ohai mailing list
> Ohai@ietf.org
> https://www.ietf.org/mailman/listinfo/ohai

v2.23.0 | Report a Bug | By Email