IETF Logo Mail Archive

Re: [websec] Well-known URIs

Mark Nottingham <mnot@mnot.net> Fri, 09 August 2013 10:02 UTC

Return-Path: <mnot@mnot.net>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2A41221F96B6 for <websec@ietfa.amsl.com>; Fri, 9 Aug 2013 03:02:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BhcnJqy-6t9d for <websec@ietfa.amsl.com>; Fri, 9 Aug 2013 03:02:08 -0700 (PDT)
Received: from mxout-08.mxes.net (mxout-08.mxes.net [216.86.168.183]) by ietfa.amsl.com (Postfix) with ESMTP id E9CA921F9633 for <websec@ietf.org>; Fri, 9 Aug 2013 03:02:07 -0700 (PDT)
Received: from [10.177.76.220] (unknown [115.160.170.218]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by smtp.mxes.net (Postfix) with ESMTPSA id 4E1D850A88; Fri, 9 Aug 2013 06:02:02 -0400 (EDT)
Content-Type: text/plain; charset="windows-1252"
Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
From: Mark Nottingham <mnot@mnot.net>
In-Reply-To: <CAOuvq21cUqt-cXNM5xnektO-0yJq-gvXa5xoEREz26vTQiTFAA@mail.gmail.com>
Date: Fri, 09 Aug 2013 18:01:51 +0800
Content-Transfer-Encoding: quoted-printable
Message-Id: <A7D680A6-46AA-4E79-A0EA-07F0D57A6037@mnot.net>
References: <4CF90F65-62CE-4AE0-9113-932F93A98782@mnot.net> <CAOuvq21cUqt-cXNM5xnektO-0yJq-gvXa5xoEREz26vTQiTFAA@mail.gmail.com>
To: Chris Palmer <palmer@google.com>
X-Mailer: Apple Mail (2.1508)
X-Mailman-Approved-At: Fri, 09 Aug 2013 04:27:12 -0700
Cc: "<websec@ietf.org>" <websec@ietf.org>
Subject: Re: [websec] Well-known URIs
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Aug 2013 10:02:13 -0000

On 09/08/2013, at 3:31 AM, Chris Palmer <palmer@google.com> wrote:

> On Thu, Aug 8, 2013 at 5:35 AM, Mark Nottingham <mnot@mnot.net> wrote:
> 
>> 1. Well-known URIs are designed for cases where the client wants to get a bunch of *related* data together; as such, a general framework is encouraged, as long as the use cases are similar.
>> 
>> This is why I don't like hostmeta; it's a bucket for anything you want to throw in there, which means that over time, the client will be getting a lot of information they don't want, which will necessitate a query language, which is just nasty overkill. At the other end of the spectrum, having a single-use well-known URI in the critical path (or even not) for a browser is similarly Not A Good Idea.
> 
> Can you say clearly what else we should stuff into the W-K URI for
> HPKP? What other working groups and standards bodies are we going to
> have to reach consensus with?

Um, implementers?

> 
>> 3. Alternatively, if browsers are pre connecting, they could use the conn to fetch a well-known URI, as long as it was cheap to fetch. That policy file could even control how aggressively the browser pre-connects (two birds, one stoneā€¦).
> 
> You just said it should *not* become a catch-all bucket.

It's a subtle thing. You want things that tend to be accessed at the same time, by the same clients; that's the shape of the bucket. They may or may not be related conceptually; it's all about audience (sort of like user-centred design).

Cheers,



--
Mark Nottingham   http://www.mnot.net/

v2.23.0 | Report a Bug | By Email