Re: [quicwg/base-drafts] Require 8164 validation for non-https origins (#2973)

Martin Thomson <notifications@github.com> Thu, 22 August 2019 01:18 UTC

Return-Path: <noreply@github.com>
X-Original-To: quic-issues@ietfa.amsl.com
Delivered-To: quic-issues@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D1697120132 for <quic-issues@ietfa.amsl.com>; Wed, 21 Aug 2019 18:18:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.999
X-Spam-Level:
X-Spam-Status: No, score=-7.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_IMAGE_ONLY_32=0.001, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=github.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id E4zrUM8HrZ09 for <quic-issues@ietfa.amsl.com>; Wed, 21 Aug 2019 18:18:14 -0700 (PDT)
Received: from out-23.smtp.github.com (out-23.smtp.github.com [192.30.252.206]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E399112010E for <quic-issues@ietf.org>; Wed, 21 Aug 2019 18:18:13 -0700 (PDT)
Date: Wed, 21 Aug 2019 18:18:12 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com; s=pf2014; t=1566436692; bh=1HbSaKWYhlavPjbcwSMrmAlT32CEYQTDNpORG7J9NYc=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=0+l+jZiAjZqwGWNNVEakKg+kg5KDKthhdqtVj4+XNHbF86pZAYV2UcDDu+BI9V3sa OVgEW80IUqWeICyXgjr1IexMplTVtg2yn7f0I+PDam6lRJxc9a+1Yd7uLLbDfjI0tY ASr9ltZRcyl4qj8Zu7MkoC8LgkR5Ax9uGkQg8qwk=
From: Martin Thomson <notifications@github.com>
Reply-To: quicwg/base-drafts <reply+AFTOJK6S4AZUFY2PQWYOVE53NMP5JEVBNHHBZNTPCY@reply.github.com>
To: quicwg/base-drafts <base-drafts@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <quicwg/base-drafts/pull/2973/review/278148511@github.com>
In-Reply-To: <quicwg/base-drafts/pull/2973@github.com>
References: <quicwg/base-drafts/pull/2973@github.com>
Subject: Re: [quicwg/base-drafts] Require 8164 validation for non-https origins (#2973)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5d5ded54c9d58_69c73ff5820cd96c3823c2"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: martinthomson
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
X-GitHub-Recipient-Address: quic-issues@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/-km1FmWmWGm3zHBEA6ONrisUNk8>
X-BeenThere: quic-issues@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <quic-issues.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic-issues/>
List-Post: <mailto:quic-issues@ietf.org>
List-Help: <mailto:quic-issues-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Aug 2019 01:18:16 -0000

martinthomson commented on this pull request.



> @@ -381,6 +381,10 @@ certificate for the origin before considering it authoritative. Clients MUST NOT
 assume that an HTTP/3 endpoint is authoritative for other origins without an
 explicit signal.
 
+If the client intends to make requests for an origin containing a scheme other
+than "https", it MUST also obtain a valid `http-opportunistic` response for the

Yes, but the point of this is to point at a specific mechanism, which only applies to "http".  I'd be OK with leaving an impression that other protocols might need similar checks, that might be OK with me, but coming right out and saying that they definitely do is a bit of a big deal.

Saying that they have to use the HTTP mechanism is just wrong.  Part of the way in which that mechanism was designed was in response to HTTP-specific problems.  I'm sure that HTTP isn't unique in this regard, but it doesn't mean that you can't just start using "new-uri-scheme" without additional safeguards if that scheme was designed that way.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/quicwg/base-drafts/pull/2973#discussion_r316463068