Re: [quicwg/base-drafts] Authoritative access in HTTP/3 (#3558)

Martin Thomson <notifications@github.com> Tue, 31 March 2020 04:54 UTC

Date: Mon, 30 Mar 2020 21:54:26 -0700
From: Martin Thomson <notifications@github.com>
Reply-To: quicwg/base-drafts <reply+AFTOJKYUDOW42PC4K7Y62XV4R2XAFEVBNHHCGMY7Y4@reply.github.com>
To: quicwg/base-drafts <base-drafts@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <quicwg/base-drafts/pull/3558/review/384399615@github.com>
In-Reply-To: <quicwg/base-drafts/pull/3558@github.com>
References: <quicwg/base-drafts/pull/3558@github.com>
Subject: Re: [quicwg/base-drafts] Authoritative access in HTTP/3 (#3558)
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/Jc5jDkKdN68lvcRYdI9LrEcAFCU>

@martinthomson approved this pull request.



> +server presents a certificate that verifiably applies to the host, along with
+proof that it controls the corresponding private key, then a client will accept
+a secured connection to that server as being authoritative for all origins with
+the same scheme and host.
+
+When an "https" URI is used within a context that calls for access to the
+indicated resource, a client MAY attempt access by resolving the host identifier
+to an IP address, establishing a QUIC connection to that address on the
+indicated port, and sending an HTTP/3 request message to the server over that
+secured connection containing the URI's identifying data.
+
+Although HTTP is independent of the transport protocol, the "http" scheme
+associates authority with the ability to receive TCP connections on the
+indicated port of whatever host is identified within the authority component.
+Because HTTP/3 does not use TCP, HTTP/3 cannot be used for direct access to the
+authoritative server.  However, protocol extensions such as {{!ALTSVC=RFC7838}}
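Review bot: the "https" access paragraph (the one beginning "When an "https" URI is used") never states that the certificate check against the URI's host has to succeed before the request is sent; it relies on the words "secured connection" to carry that requirement over from the paragraph above. Resolving the host identifier to an IP address yields an address, not authority, so consider conditioning the MAY explicitly, e.g. "establishing a QUIC connection to that address on the indicated port, verifying that the server's certificate applies to the host identified in the URI, and sending an HTTP/3 request message ...". That keeps the access paragraph tied to the same certificate check the authority paragraph describes.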

This seemed incomplete.

```suggestion
authoritative server for a resource identified by an "http" URI.  However, protocol extensions such as {{!ALTSVC=RFC7838}}
```

> +
+When an "https" URI is used within a context that calls for access to the
+indicated resource, a client MAY attempt access by resolving the host identifier
+to an IP address, establishing a QUIC connection to that address on the
+indicated port, and sending an HTTP/3 request message to the server over that
+secured connection containing the URI's identifying data.
+
+Although HTTP is independent of the transport protocol, the "http" scheme
+associates authority with the ability to receive TCP connections on the
+indicated port of whatever host is identified within the authority component.
+Because HTTP/3 does not use TCP, HTTP/3 cannot be used for direct access to the
+authoritative server.  However, protocol extensions such as {{!ALTSVC=RFC7838}}
+permit the authoritative server to identify other services which are also
+authoritative and which might be reachable over HTTP/3.
+
+Prior to making requests for an origin whose scheme is not "https," the client
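Review bot: "permit the authoritative server to identify other services which are also authoritative" reads as if the advertisement itself confers authority on the alternative. For an "http" origin the advertisement arrives over an unauthenticated TCP connection, so the alternative can only be treated as authoritative once the client has verified, on the new connection, a certificate that applies to the origin's host. Consider "identify other services which might be authoritative for the origin and which might be reachable over HTTP/3" and leave the actual authority determination to the requirements that follow.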

Style question, is this quoting "dialog," in the sense that you put the comma under the quotes?  Either way, this isn't consistent with the remainder of the paragraph.

```suggestion
Prior to making requests for an origin whose scheme is not "https", the client
```

> +secured connection containing the URI's identifying data.
+
+Although HTTP is independent of the transport protocol, the "http" scheme
+associates authority with the ability to receive TCP connections on the
+indicated port of whatever host is identified within the authority component.
+Because HTTP/3 does not use TCP, HTTP/3 cannot be used for direct access to the
+authoritative server.  However, protocol extensions such as {{!ALTSVC=RFC7838}}
+permit the authoritative server to identify other services which are also
+authoritative and which might be reachable over HTTP/3.
+
+Prior to making requests for an origin whose scheme is not "https," the client
+MUST ensure the server is willing to serve that scheme.  If the client intends
+to make requests for an origin whose scheme is "http", this means that it MUST
+obtain a valid `http-opportunistic` response for the origin as described in
+{{!RFC8164}} prior to making any such requests.  Other schemes might define
+other mechanisms.
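Review bot: "obtain a valid `http-opportunistic` response for the origin" leaves every condition that makes the response valid to the reference, and this is the one MUST standing between a cleartext origin and being served over HTTP/3. Consider naming the conditions inline: the well-known resource has to be retrieved over an authenticated connection whose certificate applies to the origin's host, and the origin has to be listed in the response. Separately, "MUST ensure the server is willing to serve that scheme" in the first sentence is weaker than what the second sentence then requires; "willing to serve" does not express that the server is authoritative for the origin, which is the property the client needs before it sends requests.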

The preceding two paragraphs might be best split off into a subsection as they relate to the "http" scheme.

> +Although HTTP is independent of the transport protocol, the "http" scheme
+associates authority with the ability to receive TCP connections on the
+indicated port of whatever host is identified within the authority component.
+Because HTTP/3 does not use TCP, HTTP/3 cannot be used for direct access to the
+authoritative server.  However, protocol extensions such as {{!ALTSVC=RFC7838}}
+permit the authoritative server to identify other services which are also
+authoritative and which might be reachable over HTTP/3.
+
+Prior to making requests for an origin whose scheme is not "https," the client
+MUST ensure the server is willing to serve that scheme.  If the client intends
+to make requests for an origin whose scheme is "http", this means that it MUST
+obtain a valid `http-opportunistic` response for the origin as described in
+{{!RFC8164}} prior to making any such requests.  Other schemes might define
+other mechanisms.
+
+Connectivity problems (e.g. firewall blocking UDP) can result in QUIC connection

```suggestion
Connectivity problems (e.g., firewall blocking UDP) can result in QUIC connection
```

> +authoritative server.  However, protocol extensions such as {{!ALTSVC=RFC7838}}
+permit the authoritative server to identify other services which are also
+authoritative and which might be reachable over HTTP/3.
+
+Prior to making requests for an origin whose scheme is not "https," the client
+MUST ensure the server is willing to serve that scheme.  If the client intends
+to make requests for an origin whose scheme is "http", this means that it MUST
+obtain a valid `http-opportunistic` response for the origin as described in
+{{!RFC8164}} prior to making any such requests.  Other schemes might define
+other mechanisms.
+
+Connectivity problems (e.g. firewall blocking UDP) can result in QUIC connection
+establishment failure; clients SHOULD attempt to use TCP-based versions of HTTP
+in this case.
+
+Servers MAY serve HTTP/3 on any UDP port; an alternative always includes
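Review bot: the fallback guidance "clients SHOULD attempt to use TCP-based versions of HTTP in this case" should say that the fallback stays with the same scheme and origin. A client cannot distinguish a firewall dropping UDP from an on-path attacker dropping it to push the client off HTTP/3, so the fallback is only harmless because the TCP-based attempt is still made to a server that is authoritative for the same origin under the rules above; "TCP-based versions of HTTP for the same origin" would make that explicit.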

```suggestion
Servers MAY serve HTTP/3 on any UDP port; an alternative service advertisement always includes
```

Not sure about the use of "advertisement" as that is not in the established nomenclature, but it's hard to distinguish between the service being provided and the declaration of that service being available.

> +an IP address, the client MUST verify that the address appears in the
+subjectAltName of the certificate.
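Review bot: the subjectAltName check for an IP-address alternative should state that the match is against an iPAddress entry compared as a decoded address, not as text, and that it is in addition to, not instead of, validating the certificate for the origin's host. RFC 5280 §4.2.1.6 encodes iPAddress as exactly 4 or 16 octets, so an IPv6 alternative written in a different textual form would fail a string comparison while still matching the encoded octets; and a certificate carrying the right iPAddress but no name that applies to the origin's host does not make the alternative authoritative for that origin under the preceding paragraphs.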

```suggestion
an IP address, the client MUST verify that the address appears as an iPAddress in
the subjectAltName field of the certificate.
```

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/quicwg/base-drafts/pull/3558#pullrequestreview-384399615