IETF Logo Mail Archive

Re: [quicwg/base-drafts] Rework HTTP authority/coalescing again (#4808)

kaduk <notifications@github.com> Tue, 26 January 2021 04:23 UTC

Return-Path: <noreply@github.com>
X-Original-To: quic-issues@ietfa.amsl.com
Delivered-To: quic-issues@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EE7A23A1BAA for <quic-issues@ietfa.amsl.com>; Mon, 25 Jan 2021 20:23:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.449
X-Spam-Level:
X-Spam-Status: No, score=-1.449 tagged_above=-999 required=5 tests=[DKIMWL_WL_HIGH=-0.25, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_IMAGE_ONLY_32=0.001, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=github.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dWgi_3Qqqi7H for <quic-issues@ietfa.amsl.com>; Mon, 25 Jan 2021 20:23:40 -0800 (PST)
Received: from out-19.smtp.github.com (out-19.smtp.github.com [192.30.252.202]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6EEDB3A1BA9 for <quic-issues@ietf.org>; Mon, 25 Jan 2021 20:23:40 -0800 (PST)
Received: from github.com (hubbernetes-node-f3777b1.va3-iad.github.net [10.48.18.81]) by smtp.github.com (Postfix) with ESMTPA id 7D8C5E0809 for <quic-issues@ietf.org>; Mon, 25 Jan 2021 20:23:39 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com; s=pf2014; t=1611635019; bh=q4gSOmOg1iFH6N/N4Lpzgnt9PKJrfa7qiaKF3tmGS78=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=Zj+nEnUXxf0eV20s79JJj8LZF+0A0NgYMa8EjCuSa/wD7gJLb6NA136gYTygtD1Xu lflW6S9IVtSdeeSMDVPnG18ZPc45ifb2qnkKCOXwwRXtj2e7A2X73Uwwyhi4HgvbTZ 9c87XjkQnQxW4+7mcZsdFisqaN+JDWCn19cINYFE=
Date: Mon, 25 Jan 2021 20:23:39 -0800
From: kaduk <notifications@github.com>
Reply-To: quicwg/base-drafts <reply+AFTOJK7MTG4UJ3CH4Z25MFF6DN5EXEVBNHHC6NYGYM@reply.github.com>
To: quicwg/base-drafts <base-drafts@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <quicwg/base-drafts/pull/4808/review/576000242@github.com>
In-Reply-To: <quicwg/base-drafts/pull/4808@github.com>
References: <quicwg/base-drafts/pull/4808@github.com>
Subject: Re: [quicwg/base-drafts] Rework HTTP authority/coalescing again (#4808)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_600f994b7a8aa_3be21a0462048"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: kaduk
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
X-GitHub-Recipient-Address: quic-issues@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/hTFHm1bzkFiLyRJdncWR-GhQZIM>
X-BeenThere: quic-issues@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <quic-issues.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic-issues/>
List-Post: <mailto:quic-issues@ietf.org>
List-Help: <mailto:quic-issues-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Jan 2021 04:23:42 -0000

@kaduk approved this pull request.

This is good; thank you.
The minor inline comment might also be addressed in [SEMANTICS] instead of here, I think.

> -that server as being authoritative for all origins with the "https" scheme and a
-host identified in the certificate.  The host must be listed either as the CN
-field of the certificate subject or as a dNSName in the subjectAltName field of
-the certificate; see {{!RFC6125}}.  For a host that is an IP address, the client
-MUST verify that the address appears as an iPAddress in the subjectAltName field
-of the certificate.
-
-If the hostname or address is not present in the certificate, the client MUST
-NOT consider the server authoritative for origins containing that hostname or
-address.  See Section 4.3 of {{!SEMANTICS}} for more detail on authoritative
-access.
+component of the URI.  Upon receiving a server certificate in the TLS handshake,
+the client MUST verify that the certificate is an acceptable match for the URI's
+origin server using the process described in Section 4.3.4 of {{!SEMANTICS}}. If
+the certificate cannot be verified with respect to the URI's origin server, the
+client MUST NOT consider the server authoritative for that origin.

This seems to be the only place that we clearly state that failed verification implies not authoritative.  [SEMANTICS] does talk about attributing authority to a  server based on certificate validation, but in 4.3.3, not 4.3.4.
What we say for "normal" re-use seems to be okay without such a (re)statement, since we just say "don't reuse; open a new connection" which would get us back to the procedures here.  But for server-push we might want to reiterate that failed verification means not authoritative (and then we fall through to the subsequent paragraph for "SHOULD send CANCEL_PUSH" for non-authoritative pushes).

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/quicwg/base-drafts/pull/4808#pullrequestreview-576000242

v2.23.0 | Report a Bug | By Email