[quicwg/base-drafts] move security-critical client requirement on push to definitive sections (#4101)

"Roy T. Fielding" <notifications@github.com> Wed, 16 September 2020 00:30 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/mOEKdUP-6RsC4fyCiYccM3N9Jno>

In the HTTP/3 draft 30, section 4.4 on Server Push says

```
   The server MUST include a value in the ":authority" pseudo-header
   field for which the server is authoritative; see Section 3.4.

   Clients SHOULD send a CANCEL_PUSH frame upon receipt of a
   PUSH_PROMISE frame carrying a request that is not cacheable, is not
   known to be safe, that indicates the presence of a request body, or
   for which it does not consider the server authoritative.
```

and then adds in 10.4 (https://tools.ietf.org/html/draft-ietf-quic-http-30#section-10.4)

```
   Pushed responses for which an origin server is not authoritative (see
   Section 3.4) MUST NOT be used or cached.
```

I don't think normative requirements belong in security considerations except in reference to that requirement elsewhere. Also, requirements in general should clearly state who is responsible for implementing them, whereas the latter requirement implies a client (maybe). And sending CANCEL_PUSH is kind of like the MUST NOT, but not really the same thing; it seems a bit weak in response given that the server just tried to poison the client.

I think the server MUST is an interop requirement because the client MUST NOT is a critical security requirement. I think both should be described in Server Push and merely noted in the Security Considerations, since they are really important. Way more important than the spec reads now.

My guess is that this is editorial, but is the kind of thing that should be fixed before IESG last call.

Reply to this email directly or view it on GitHub:
https://github.com/quicwg/base-drafts/issues/4101
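The client-side check the issue is asking the draft to state plainly, as an added example (not code from the QUIC WG drafts or any implementation): a client refuses, and never uses or caches, a pushed response whose ":authority" the connection's server is not authoritative for, and also cancels promises whose request is not safe, not cacheable, or carries a body. It assumes the client keeps, per connection, the set of authorities the server has already been validated for, and that the PUSH_PROMISE header block is given as a dict.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet

# A promised request must be safe (RFC 7231 4.2.1) and cacheable (4.2.3)
# and must not carry a body; in practice that leaves GET and HEAD.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS", "TRACE"})
CACHEABLE_METHODS = frozenset({"GET", "HEAD"})


@dataclass(frozen=True)
class PushVerdict:
    accept: bool            # True: the pushed response may be used and cached
    reason: str             # why the promise was refused (empty when accepted)
    send_cancel_push: bool  # True: the client should send CANCEL_PUSH


def evaluate_push_promise(promise: Dict[str, str],
                          authoritative_for: FrozenSet[str]) -> PushVerdict:
    """Decide whether a PUSH_PROMISE header block may be honoured.

    `promise` maps lowercase field names (pseudo-headers such as ':method'
    and ':authority' included) to values.  `authoritative_for` holds the
    authorities (host or host:port, lowercase) this connection's server has
    been established as authoritative for (assumption: tracked per connection).
    """
    authority = promise.get(":authority", "").lower()
    if not authority or authority not in authoritative_for:
        # The security-critical rule from 10.4: a pushed response for an
        # authority the server cannot speak for MUST NOT be used or cached,
        # whatever else the promised request looks like.
        return PushVerdict(False, f"server not authoritative for {authority!r}", True)
    method = promise.get(":method", "")
    if method not in SAFE_METHODS:
        return PushVerdict(False, f"method {method!r} is not known to be safe", True)
    if method not in CACHEABLE_METHODS:
        return PushVerdict(False, f"method {method!r} is not cacheable", True)
    # A non-zero content-length is the only body indicator in an HTTP/3
    # header block (there is no transfer-encoding in HTTP/3).
    if promise.get("content-length", "0") != "0":
        return PushVerdict(False, "promised request indicates a request body", True)
    return PushVerdict(True, "", False)


if __name__ == "__main__":
    # Constructed sample promises: one honest, one for a foreign authority.
    trusted = frozenset({"example.com"})
    good = {":method": "GET", ":scheme": "https", ":authority": "example.com", ":path": "/a.css"}
    foreign = {":method": "GET", ":scheme": "https", ":authority": "other.example", ":path": "/"}
    for p in (good, foreign):
        print(p[":authority"], evaluate_push_promise(p, trusted))
```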