Re: [Ohttp] Request to Charter a New Working Group: Oblivious HTTP (OHTTP)
Eliot Lear <lear@lear.ch> Tue, 08 June 2021 10:10 UTC
Return-Path: <lear@lear.ch>
X-Original-To: ohttp@ietfa.amsl.com
Delivered-To: ohttp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CB36C3A2B21; Tue, 8 Jun 2021 03:10:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.89
X-Spam-Level:
X-Spam-Status: No, score=-0.89 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_ADSP_ALL=0.8, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, SPF_PASS=-0.001, T_SPF_HELO_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (message has been altered)" header.d=lear.ch
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PfL5hWiujZTJ; Tue, 8 Jun 2021 03:10:25 -0700 (PDT)
Received: from upstairs.ofcourseimright.com (upstairs.ofcourseimright.com [185.32.222.29]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 972653A2B20; Tue, 8 Jun 2021 03:10:18 -0700 (PDT)
Received: from [IPv6:2001:420:c0c0:1011::6] ([IPv6:2001:420:c0c0:1011:0:0:0:6]) (authenticated bits=0) by upstairs.ofcourseimright.com (8.15.2/8.15.2/Debian-18) with ESMTPSA id 158AADnt108337 (version=TLSv1.3 cipher=TLS_AES_128_GCM_SHA256 bits=128 verify=NO); Tue, 8 Jun 2021 12:10:14 +0200
Authentication-Results: upstairs.ofcourseimright.com; dmarc=none (p=none dis=none) header.from=lear.ch
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=lear.ch; s=upstairs; t=1623147014; bh=+T9e1y9+/jQbEavOJKYgzhzqtbCL26AIfIq14eCvxa4=; h=To:Cc:References:From:Subject:Date:In-Reply-To:From; b=VerhtcTgbDbDIZvE4Ucqowfx4mr2v51YlHM6ZzJ2SQHMWRYInqk+Ve791qTpCNJ5c YDEv2nsUjtDm0WRJeQDtzgCqjTbIBURHaciY1Igxj6wFJGAc+EiDcqGisf+ofSUd3Q KIX4e/GeSBmXq+y3usEVFXf6oSC3jt/Zap1buq3c=
To: 'IESG' <iesg@ietf.org>
Cc: ohttp@ietf.org, ietf <IETF@ietf.org>
References: <162309061157.32548.930649503797136245@ietfa.amsl.com>
From: Eliot Lear <lear@lear.ch>
Message-ID: <d8932acb-397b-25b9-7bab-50c1a313d583@lear.ch>
Date: Tue, 08 Jun 2021 12:10:08 +0200
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Thunderbird/78.10.2
MIME-Version: 1.0
In-Reply-To: <162309061157.32548.930649503797136245@ietfa.amsl.com>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="ZsChkzgNVzkMm7nZXnO0vhVD8Ltdc6z1d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ohttp/bG5qUCPuGvRa3F2F7OkfUqEzA9o>
Subject: Re: [Ohttp] Request to Charter a New Working Group: Oblivious HTTP (OHTTP)
X-BeenThere: ohttp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Oblivious HTTP <ohttp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ohttp>, <mailto:ohttp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ohttp/>
List-Post: <mailto:ohttp@ietf.org>
List-Help: <mailto:ohttp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ohttp>, <mailto:ohttp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Jun 2021 10:10:31 -0000
Hi IESG,
Martin's draft is interesting, but I have several questions:
1. How is the key configuration authenticated and retrieved? I *think*
the intent is that a direct HTTPS request is made, but it's not
clear. Is it to a /.well-known something or other? Is it a GET or
a POST?
2. Is the use of this work likely to help miscreants more than those in
need of privacy?
3. Should we expect session capabilities be built in at higher layers
through identifiers passed in forms?
I want to spend just a little time on (2). If what we are doing is
standardizing tooling and providing libraries for BOTnets to operate
against web sites, where the web site has no recourse when it is
attacked, then why would anyone implement this? It also seems that this
tooling will hamper lawful intercept, *unless* session mechanisms are
re-established in the content, in which case, aren't we going to bring
on a rather large retooling? And if so, will the ends of the draft
actually be met?
Is this same service going to further harm clients by making it even
more difficult to block known malicious web sites? Not only would a
local deployment not be able to do this, but proxies themselves wouldn't
be able to spot malware. Combine that with some rather impressive
phishing capabilities of bad actors, and aren't we just hamstringing our
ability to put down malware attacks?
I am *asking* these questions, but I would rather that they get properly
discussed and answered before the WG is approved. What I would hate to
see is a lot of effort take place to land people right back to where
they were.
Eliot
On 07.06.21 20:30, IESG Secretary wrote:
> The IESG has received a request to charter a new working group,
> Oblivious HTTP (OHTTP). The proposed charter, which is a work in
> progress, can be found here:
>
> <https://datatracker.ietf.org/doc/charter-ietf-ohttp/>
>
> The charter will be discussed on the <ohttp@ietf.org> mailing list,
> which can be subscribed to here:
>
> <https://www.ietf.org/mailman/listinfo/ohttp>
>
> _______________________________________________
> IETF-Announce mailing list
> IETF-Announce@ietf.org
> https://www.ietf.org/mailman/listinfo/ietf-announce
>
- [Ohttp] Request to Charter a New Working Group: O… IESG Secretary
- Re: [Ohttp] Request to Charter a New Working Grou… Eliot Lear
- Re: [Ohttp] Request to Charter a New Working Grou… Michael Richardson
- Re: [Ohttp] Request to Charter a New Working Grou… Christian Huitema
- Re: [Ohttp] Request to Charter a New Working Grou… Michael Richardson
- Re: [Ohttp] Request to Charter a New Working Grou… Vittorio Bertola