Re: [Ohttp] Meaning of "usage constraints" in charter
Vittorio Bertola <vittorio.bertola@open-xchange.com> Tue, 27 July 2021 12:49 UTC
Return-Path: <vittorio.bertola@open-xchange.com>
X-Original-To: ohttp@ietfa.amsl.com
Delivered-To: ohttp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 03D143A1068 for <ohttp@ietfa.amsl.com>; Tue, 27 Jul 2021 05:49:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=open-xchange.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MuyTuuYbt1yv for <ohttp@ietfa.amsl.com>; Tue, 27 Jul 2021 05:49:42 -0700 (PDT)
Received: from mx3.open-xchange.com (alcatraz.open-xchange.com [87.191.39.187]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 87CA93A1069 for <ohttp@ietf.org>; Tue, 27 Jul 2021 05:49:42 -0700 (PDT)
Received: from imap.open-xchange.com (imap.open-xchange.com [10.20.28.81]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx3.open-xchange.com (Postfix) with ESMTPSA id 2F9696A0CB; Tue, 27 Jul 2021 14:49:40 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=open-xchange.com; s=201705; t=1627390180; bh=UoFGRuUMf8NhIv3xsg2s3U0O21napMQZwo8KyL6LpWQ=; h=Date:From:To:In-Reply-To:References:Subject:From; b=q5APISzCVGntUv7E//bUFlhbP6yYgTGm7yEhpFNoULti2lOXqwOk7nOZcKWusuv9U H8mM24H/j+YNySFDrCetnz7iEgpJ4z3A1PnVn/NOzGjvc3ALy3Ei96qGd1cRWNGHmn kIehJ/LQo/PlwtdoEzIVxKRRlUO404qugPoraL/e1Ttq/oFgA06SNfLNgYUgGl1X+5 VmIrfkgVzvGwprVNGq8FogGAImEA6iN2tuTbydXjwuMIxTFdfgACU7irxrT5PMgkw3 +ICMpEAfeeVsMaTogufiEyLlSaF8Z1Zd+FvjxL9N+eltzrLl2fQ+A6AMkEFAZZDn/j cms+1f69sNVBg==
Received: from appsuite-gw1.open-xchange.com ([10.20.28.81]) by imap.open-xchange.com with ESMTPSA id Z+WUC+QAAGE5CwAA3c6Kzw (envelope-from <vittorio.bertola@open-xchange.com>); Tue, 27 Jul 2021 14:49:40 +0200
Date: Tue, 27 Jul 2021 14:49:40 +0200
From: Vittorio Bertola <vittorio.bertola@open-xchange.com>
To: Magnus Westerlund <magnus.westerlund=40ericsson.com@dmarc.ietf.org>, "ohttp@ietf.org" <ohttp@ietf.org>
Message-ID: <164791655.178472.1627390180052@appsuite-gw1.open-xchange.com>
In-Reply-To: <HE1PR0702MB37721B3DC9958D6FECAC24A595E99@HE1PR0702MB3772.eurprd07.prod.outlook.com>
References: <HE1PR0702MB37721B3DC9958D6FECAC24A595E99@HE1PR0702MB3772.eurprd07.prod.outlook.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_Part_178470_796463568.1627390180039"
X-Priority: 3
Importance: Normal
X-Mailer: Open-Xchange Mailer v7.10.5-Rev14
X-Originating-Client: open-xchange-appsuite
Autocrypt: addr=vittorio.bertola@open-xchange.com; prefer-encrypt=mutual; keydata= mQENBFhFR+UBCACfoywFKBRfzasiiR9/6dwY36eLePXcdScumDMR8qoXvRS55QYDjp5bs+yMq41qWV9 xp/cqryY9jnvHbeF3TsE5yEazpD1dleRbkpElUBpPwXqkrSP8uXO9KkS9KoX6gdml6M4L+F82WpqYC1 uTzOE6HPmhmQ4cGSgoia2jolxAhRpzoYN99/BwpvoZeTSLP5K6yPlMPYkMev/uZlAkMMhelli9IN6yA yxcC0AeHSnOAcNKUr13yXyMlTyi1cdMJ4sk88zIbefxwg3PAtYjkz3wgvP96cNVwAgSt4+j/ZuVaENP pgVuM512m051j9SlspWDHtzrci5pBKKFsibnTelrABEBAAG0NUJlcnRvbGEsIFZpdHRvcmlvIDx2aXR 0b3Jpby5iZXJ0b2xhQG9wZW4teGNoYW5nZS5jb20+iQFABBMBAgAqBAsJCAcGFQoJCAsCBRYCAwEAAp 4BAhsDBYkSzAMABQMAAAAABYJYRUflAAoJEIU2cHmzj8qNaG0H/ROY+suCP86hoN+9RIV66Ej8b3sb8 UgwFJOJMupZfeb9yTIJwE4VQT5lTt146CcJJ5jvxD6FZn1Htw9y4/45pPAF7xLE066jg3OqRvzeWRZ3 IDUfJJIiM5YGk1xWxDqppSwhnKcMOuI72iioWxX0nGQrWxpnWJsjt08IEEwuYucDkul1PHsrLJbTd58 fiMKLVwag+IE1SPHOwkPF6arZQZIfB5ThtOZV+36Jn8Hok9XfeXWBVyPkiWCQYVX39QsIbr0JNR9kQy 4g2ZFexOcTe8Jo12jPRL7V8OqStdDes3cje9lWFLnX05nrfLuE0l0JKWEg8akN+McFXc+oV68h7nu5A Q0EWEVH5QEIAIDKanNBe1uRfk8AjLirflZO291VNkOAeUu+dIhecGnZeQW6htlDinlYOnXhtsY1mK9W PUu+xshDq7lXn2G0LxldYwyJYZaJtDgIKqVqwxfA34Lj27oqPuXwcvGhdCgt0SW/YcalRdAi0/AzUCu 5GSaj2kaGUSnBYYUP4szGJXjaK2psP5toQSCtx2pfSXQ6MaqPK9Zzy+D5xc6VWQRp/iRImodAcPf8fg JJvRyJ8Jla3lKWyvBBzJDg6MOf6Fts78bJSt23X0uPp93g7GgbYkuRMnFI4RGoTVkxjD/HBEJ0CNg22 hoHJondhmKnZVrHEluFuSnW0wBEIYomcPSPB+cAEQEAAYkBMQQYAQIAGwUCWEVH5QIbDAQLCQgHBhUK CQgLAgUJEswDAAAKCRCFNnB5s4/KjdO8B/wNpvWtOpLdotR/Xh4fu08Fd63nnNfbIGIETWsVi0Sbr8i E5duuGaaWIcMmUvgKe/BM0Fpj9X01Zjm90uoPrlVVuQWrf+vFlbalUYVZr51gl5UyUFHk+iAZCAA0WB rsmACKvuV1P7GuiX3UV9b59T9taYJxN3dNFuftrEuvsqHimFtlekUjUwoCekTJdncFusBhwz2OrKhHr WWrEsXkfh0+pURWYAlKlTxvXuI7gAfHEQM+6OnrWvXYtlhd0M1sBPnCjbyG63Qws7Rek9bEWKtH6dA6 dmT2FQT+g1S9Mdf0WkPTQNX0x24dm8IoHuD3KYwX7Svx43Xa17aZnXqUjtj1
Archived-At: <https://mailarchive.ietf.org/arch/msg/ohttp/4wqPKunV8q8Vyuv8vsPYa-KaFN8>
Subject: Re: [Ohttp] Meaning of "usage constraints" in charter
X-BeenThere: ohttp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Oblivious HTTP <ohttp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ohttp>, <mailto:ohttp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ohttp/>
List-Post: <mailto:ohttp@ietf.org>
List-Help: <mailto:ohttp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ohttp>, <mailto:ohttp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Jul 2021 12:49:48 -0000
> Il 27/07/2021 13:54 Magnus Westerlund <magnus.westerlund=40ericsson.com@dmarc.ietf.org> ha scritto: > > > > Hi, > > > I have a question regarding this paragraph in the updated charter: > > > The OHTTP working group will include an applicability statement that documents > > the limitations of this design and any usage constraints that are necessary to > > ensure that the protocol is secure. The working group will consider the > > operational impact > > > What is actually meant with usage constraints in the charter here? > > > To me it appears that for OHTTP to successfully meet its privacy preserving goals the HTTP endpoint that like to preserve its privacy not only need to have a method of getting the message to the HTTP server that doesn’t reveal the requestors IP address or otherwise makes it easy to figure out the origin. A method for this is clearly described in the charter that has certain properties. > > > However, the other aspects appear that one need to have good guidance on how to generate HTTP requests that doesn’t leak tracking information to the server anyway. It is not clear if the usage constraints are intended to describe best practices for how one construct HTTP requests that is difficult to profile and track. I can understand that some of these aspects may be dependent on the usage, but without a document discussing what HTTP headers etc that can be fairly safe to use, the limitations on usage may not be clear, and possible to interpret beyond any well known usages that a “usage constraint” may discuss. > Actually - others may correct me if I'm wrong - the reason for this mention of "usage constraints" and for the applicability statement in general is that several people (included myself) suggested that the charter should include an analysis of the operational issues, of the potential effects in terms of Internet centralisation through a likely concentration of OHTTP proxy services, and of non-technical impacts on other parties that need access to traffic information. As a reaction, it was said that this protocol is only meant for use in specialized cases such as browsers sending telemetry to their own home, i.e. the origin and the destination of the traffic being controlled by the same party, and one of the proxies being provided by a third party under a direct contractual agreement, without the user having to pick a proxy operator or choose among multiple ones; and this makes the above concerns redundant. I am still not convinced that this makes sense, as one would expect that once the protocol is published it will be deployed in many other ways which will bear significant policy and operational impacts, and so these impacts should be discussed since the beginning. But it's just my opinion. -- Vittorio Bertola | Head of Policy & Innovation, Open-Xchange vittorio.bertola@open-xchange.com mailto:vittorio.bertola@open-xchange.com Office @ Via Treviso 12, 10144 Torino, Italy
- [Ohttp] Meaning of "usage constraints" in charter Magnus Westerlund
- Re: [Ohttp] Meaning of "usage constraints" in cha… Vittorio Bertola
- Re: [Ohttp] Meaning of "usage constraints" in cha… Andrew Campling
- Re: [Ohttp] Meaning of "usage constraints" in cha… Thomas Mangin
- Re: [Ohttp] Meaning of "usage constraints" in cha… Mark Nottingham