Re: AD Evaluation of draft-ietf-httpbis-tunnel-protocol-03 from Martin Thomson on 2015-05-01 (ietf-http-wg@w3.org from April to June 2015)

From: Martin Thomson <martin.thomson@gmail.com>
Date: Fri, 1 May 2015 09:39:00 -0700
To: Barry Leiba <barryleiba@computer.org>
Cc: draft-ietf-httpbis-tunnel-protocol@ietf.org, draft-ietf-httpbis-tunnel-protocol.shepherd@ietf.org, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <CABkgnnWig6Ag84bF-8G0HsrhtWpd9P4TNSkxnntfi-8E5E0LFQ@mail.gmail.com>

On 1 May 2015 at 02:26, Barry Leiba <barryleiba@computer.org> wrote:
> My comments, which I'd like to discuss and sort out before requesting
> last call on this:
>
> Please remove the Editorial Note right after the Abstract.  The
> references it makes have already been removed.
>
> Then please correct the URL references [5] (now [1]) and [6] (now [2])
> later in the document.

Those are toolchain issues.  Removing the note should fix that.  If
you think that removing the note is advisable at this stage, I'll do
that.

> I find the document to be confusing for a couple of reasons:
>
> 1. This header field is not used in an ALPN negotiation, right?
> That's not made clear.  The third paragraph of the Introduction is the
> only thing that says anything about this, and it doesn't say much.  I
> think you need to be more explicit that this provides information that
> might/will/must (clarify) be used in an ALPN negotiation, but that the
> HTTP CONNECT doesn't directly do that.  (In a sense, it seems that
> calling this "ALPN" is itself the thing that causes confusion.)

Here's what I'm going to propose inserting in the following paragraph

        The ALPN header field carries an indication of client intent
only.  +++An
        ALPN identifier is used only for protocol identification. No
        negotiation takes place using this header field.+++  In TLS, the final
        choice of application protocol is made by the server from the set of
        choices presented by the client.  Other protocols could negotiate
        protocols differently.

> 2. It's not at all clear what happens when we don't use TLS.  That
> same third paragraph in the Introduction is, again, the only mention
> we have, and it's fluffy about it.  The fourth paragraph in the Intro
> doesn't shed much more light.
>
> Can you better explain how the contents of this header field are used,
> both in TLS context and without TLS?

Maybe.  Here's a section that might help:

2.3.  Usage

   For a CONNECT tunnel that consequently uses a protocol that operates
   over TLS, the value of the ALPN header field contains the same list
   of ALPN identifiers that will be sent in the TLS ClientHello message
   [RFC7301].

   Where no protocol negotiation is expected to occur, such as in
   protocols that do not use TLS, the ALPN header field contains the
   single protocol that is intended to be used.  If an alternative form
   of protocol negotiation is possible, the ALPN header field contains
   the set of protocols that might be negotiated.

   The ALPN identifier and registry are used to identify a protocol, not
   a single protocol layer or component.

All of these changes can be reviewed here:
https://github.com/httpwg/http-extensions/compare/barry?expand=1

If these make sense, I will merge that branch.

Received on Friday, 1 May 2015 16:39:31 UTC