Re: [Wpack] Sec-Content-Origin clarification question (was Re: About content-based origins)
Jeffrey Yasskin <jyasskin@chromium.org> Wed, 25 March 2020 19:18 UTC
Return-Path: <jyasskin@google.com>
X-Original-To: wpack@ietfa.amsl.com
Delivered-To: wpack@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 32FB33A09AE for <wpack@ietfa.amsl.com>; Wed, 25 Mar 2020 12:18:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.25
X-Spam-Level:
X-Spam-Status: No, score=-9.25 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bJCkTvnDcy63 for <wpack@ietfa.amsl.com>; Wed, 25 Mar 2020 12:18:54 -0700 (PDT)
Received: from mail-qk1-x72c.google.com (mail-qk1-x72c.google.com [IPv6:2607:f8b0:4864:20::72c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6F9953A091D for <wpack@ietf.org>; Wed, 25 Mar 2020 12:18:54 -0700 (PDT)
Received: by mail-qk1-x72c.google.com with SMTP id k13so3880229qki.2 for <wpack@ietf.org>; Wed, 25 Mar 2020 12:18:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=nf8E5PNS8WMG2YqfC4fwajZ+mGT/luOacIoTPl9q4QY=; b=eC15CePUERtWCfBKAQ8beiwJ8uvOHupXHX+LH0P+QCkhtdyU3dWKAHAHzAyNawswL/ cunjWOcVQuzRSesTWEl9a0hKvUsRdu1Ev/7/CdHwZ/23ivLkGFPR/MA4qtQuSwbmUBpm WlJ21PkbXqYkHHNgae+i8xeObofVoE936IYjA=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=nf8E5PNS8WMG2YqfC4fwajZ+mGT/luOacIoTPl9q4QY=; b=e4SlgWjggoDkF4sU1wmxfsw9YwA7TCxO3DOx5qz1vaGFNGTnGgbzH6EZAZOIIvB+1D rzpqA3YjPsf7ma482uwCo5+H9luh9T5jC8FrhgL8MbiPMBQgaKe/wJyUHfUOG5dcR3pe hDPI8dBG8Ie/Q6QPbQj6o21X8IOqV9/C47rymi/HRPJnLVJ1uAEL4H1tBcbeIHmGvbEB b8AplMWE2M9NoDYYg1SEE58BW8Ef6WDxuJgfl9HST3Ej9/lyxN7sGsSaUGlDBkA+KjMp DPQzIVNiLEB7sJgQ9KKgFyUHpwpruExy/4FJT+yFZbkyOTfTB5m9PndAc+yG0d4d2UQj jgHg==
X-Gm-Message-State: ANhLgQ3z/nEpF37fOiFSwHP5WbVwxBtI9azsk7CIN3dAoO6wPqggpPwo ChwvRs4bDshBOGIFDcns5QqkOIMbig1h2aQ3+/fKaQ==
X-Google-Smtp-Source: ADFU+vvHtpnQo8V5oa8Q1NsSyuHORwpvVUzuyEGHsYhwDLoo5hcxJd/VrlIjLjiJpilXOelrDNahsoeAPas/skxXH0Y=
X-Received: by 2002:a37:a7cd:: with SMTP id q196mr4126255qke.447.1585163933083; Wed, 25 Mar 2020 12:18:53 -0700 (PDT)
MIME-Version: 1.0
References: <260dfc2f-8399-483e-859d-08f92821c823@www.fastmail.com> <CANjwSimZAkAC0JJBjUjZr4k0514QRqDxBReOkq_AGTeGJ2OTzQ@mail.gmail.com> <CA+9kkMAvcGNXgT=gOid=uAgzyTPsof2s2e4wPRJiz1RfLokQ=Q@mail.gmail.com>
In-Reply-To: <CA+9kkMAvcGNXgT=gOid=uAgzyTPsof2s2e4wPRJiz1RfLokQ=Q@mail.gmail.com>
From: Jeffrey Yasskin <jyasskin@chromium.org>
Date: Wed, 25 Mar 2020 12:18:41 -0700
Message-ID: <CANh-dX=Chjb0f4NNx3YZSLdjDuNgsGQOR1Pkpu+vGgi+2O8FzA@mail.gmail.com>
To: Ted Hardie <ted.ietf@gmail.com>
Cc: Devin Mullins <twifkak=40google.com@dmarc.ietf.org>, wpack@ietf.org, Martin Thomson <mt@lowentropy.net>
Content-Type: multipart/alternative; boundary="00000000000024faef05a1b2bd75"
Archived-At: <https://mailarchive.ietf.org/arch/msg/wpack/asPjyJzqzLtsE7fQKv6ihRBfHGo>
Subject: Re: [Wpack] Sec-Content-Origin clarification question (was Re: About content-based origins)
X-BeenThere: wpack@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Web Packaging <wpack.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/wpack>, <mailto:wpack-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/wpack/>
List-Post: <mailto:wpack@ietf.org>
List-Help: <mailto:wpack-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/wpack>, <mailto:wpack-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Mar 2020 19:18:56 -0000
On Wed, Mar 25, 2020 at 10:29 AM Ted Hardie <ted.ietf@gmail.com> wrote: > Hi Devin, > > Thanks for the write-up. A clarifying question, snipped from the middle > of your response: > > On Tue, Mar 24, 2020 at 11:36 PM Devin Mullins <twifkak= > 40google.com@dmarc.ietf.org> wrote: > >> >> In terms of publisher implementation feasibility, I think the mostly >> likely implementation would be for a publisher to produce a >> Sec-Content-Origin (Sec-CO) response for the current version of the >> resource iff it matches the Sec-CO request. I suspect that keeping state of >> past versions of the resource would be infeasible, especially as it >> couldn't be done purely at the edge; it would require something like a >> region-wide cache. The value of the above stateless implementation would be >> inversely proportional to how often the resource changes (e.g. "transient >> content" [2] such as Related Articles). I think this would be a workable >> constraint for publishers wishing to publish such bundles, but felt it's >> worth noting, nonetheless. >> > > If the ecosystem supported something like signed bundles and unsigned > bundles which used content identifiers, would you see a site sending a > Sec-Content-Origin response resulting in the user agent essentially > upgrading the bundle's treatment to the same as a signed bundle's, or would > there a third state (unsigned bundled, verified NI, signed bundle)? > I don't think there should be three states. I've been trying various models and sets of terminology for the possible treatments of bundle content over the last couple months, and I'm not yet sure what model makes most sense. This week, my favorite is to use HTTP's notion of a response being "authoritative", https://tools.ietf.org/html/draft-ietf-httpbis-semantics-07#section-11.1. A response in a bundle can either be authoritative for their claimed URL or not, and they're authoritative if any of several conditions holds: 1. The bundle itself was served by the same origin. 2. The bundle was signed by the origin. 3. A live request to the claimed origin adopts the content. I think that doesn't quite match Martin's notion of aliasing origins, so I still have some thinking to do. Jeffrey
- [Wpack] About content-based origins Martin Thomson
- Re: [Wpack] About content-based origins Ted Hardie
- Re: [Wpack] About content-based origins Ben Schwartz
- Re: [Wpack] About content-based origins Martin Thomson
- Re: [Wpack] About content-based origins Devin Mullins
- [Wpack] Sec-Content-Origin clarification question… Ted Hardie
- Re: [Wpack] Sec-Content-Origin clarification ques… Devin Mullins
- Re: [Wpack] Sec-Content-Origin clarification ques… Jeffrey Yasskin
- [Wpack] On double-hashing (was: Re: About content… Devin Mullins
- Re: [Wpack] On double-hashing (was: Re: About con… Devin Mullins
- Re: [Wpack] On double-hashing (was: Re: About con… Martin Thomson
- Re: [Wpack] On double-hashing (was: Re: About con… Devin Mullins
- Re: [Wpack] On double-hashing (was: Re: About con… Martin Thomson
- Re: [Wpack] On double-hashing (was: Re: About con… Devin Mullins
- Re: [Wpack] On double-hashing (was: Re: About con… Martin Thomson
- Re: [Wpack] About content-based origins Martin Thomson
- Re: [Wpack] On double-hashing (was: Re: About con… Devin Mullins
- Re: [Wpack] About content-based origins Devin Mullins
- Re: [Wpack] About content-based origins Martin Thomson