draft-ietf-httpbis-http2-encryption-06.txt

Opportunistic Security for HTTP
https://tools.ietf.org/html/draft-ietf-httpbis-http2-encryption-06


https://tools.ietf.org/html/draft-ietf-httpbis-http2-encryption-06#section-5.1

|   When the value of the "tls-commit" member is "true" ([RFC7159],
|   Section 3), it indicates that the origin makes such a commitment for
|   the duration of the origin object lifetime.

|   Including "tls-commit" creates a commitment to provide a secured
|   alternative service for the advertised period.  Clients that receive
|   this commitment can assume that a secured alternative service will be
|   available for the origin object lifetime.  Clients might however
|   choose to limit this time (see Section 5.3).

https://tools.ietf.org/html/draft-ietf-httpbis-http2-encryption-06#section-6

|   o  The origin object has a "lifetime" member, whose value is a number
|      indicating the number of seconds which the origin object is valid
|      for (hereafter, the "origin object lifetime"), and
|
|   o  The origin object lifetime is greater than the "current_age" (as
|      per [RFC7234], Section 4.2.3).

I think that this does not say when the origin object lifetime starts.
This seems to imply that the object lifetime starts from the point that the
"current_age" calculation uses, but that is not required.

Therefore I guess that the remaining lifetime (and possibly the remaining commitment)

   = lifetime - "current_age"


But it seems that remaining commitment time
    = value of "lifetime"

is also a possible reading.  This does not look dangerous.


|   Including "tls-commit" creates a commitment to provide a secured
|   alternative service for the advertised period.  Clients that receive
|   this commitment can assume that a secured alternative service will be
|   available for the origin object lifetime.  Clients might however
|   choose to limit this time (see Section 5.3).

This may create a variation of

https://github.com/httpwg/http-extensions/issues/162

Client limits the commitment lifetime and therefore does not consider
http-opportunistic for commitment, but otherwise
http-opportunistic is valid because the "lifetime" member value is
smaller than "current_age".

Now this does not look very dangerous, because if http-opportunistic
is used only for commitment, then there is no "tls-ports".

/ Kari Hurtta

Received on Wednesday, 22 June 2016 16:36:47 UTC
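The two readings of the origin object lifetime discussed in the message, and the case where a client-side cap on the commitment (draft section 5.3) runs out while the origin object itself is still valid, can be made concrete with a small model. The following is an added example; it is not code from the e-mail, the draft, or any implementation. It assumes the origin object is the JSON shape quoted above ("lifetime" in seconds, "tls-commit", optional "tls-ports"), that all timestamps are POSIX seconds, that the client's cap is a plain number of seconds counted from receipt of the response, and that the second reading ("remaining = value of lifetime") is measured from receipt, so that it decreases only by the time the response has been held. The sample origin objects and timings are constructed for the example.

```python
"""Remaining origin-object lifetime and tls-commit period (added example).

Models draft-ietf-httpbis-http2-encryption-06 section 6 (validity) and
section 5.1 (tls-commit), with current_age computed as in RFC 7234
section 4.2.3. Assumption: timestamps are POSIX seconds; the client cap
from section 5.3 is a number of seconds counted from receipt.
"""
import json
from dataclasses import dataclass
from typing import Optional


@dataclass
class ResponseTiming:
    """The inputs RFC 7234 section 4.2.3 needs to compute current_age."""
    request_time: float            # when the client sent the request
    response_time: float           # when the client received the response
    date_value: Optional[float]    # parsed Date header, or None if absent
    age_value: int = 0             # Age header value, 0 if absent


def current_age(t: ResponseTiming, now: float) -> float:
    """current_age exactly as RFC 7234 section 4.2.3 defines it."""
    # RFC 7234 lets a recipient use response_time when Date is missing.
    date_value = t.date_value if t.date_value is not None else t.response_time
    apparent_age = max(0.0, t.response_time - date_value)
    response_delay = t.response_time - t.request_time
    corrected_age_value = t.age_value + response_delay
    corrected_initial_age = max(apparent_age, corrected_age_value)
    resident_time = now - t.response_time
    return corrected_initial_age + resident_time


def parse_origin_object(raw: str) -> dict:
    """Parse the JSON origin object; no validation beyond it being an object."""
    obj = json.loads(raw)
    if not isinstance(obj, dict):
        raise ValueError("origin object must be a JSON object")
    return obj


def origin_object_valid(obj: dict, t: ResponseTiming, now: float) -> bool:
    """Draft section 6: numeric 'lifetime' member greater than current_age."""
    lifetime = obj.get("lifetime")
    # bool is a subclass of int in Python; reject it explicitly.
    if isinstance(lifetime, bool) or not isinstance(lifetime, (int, float)):
        return False
    return lifetime > current_age(t, now)


def remaining_lifetime(obj: dict, t: ResponseTiming, now: float,
                       reading: str = "current_age") -> float:
    """Seconds of origin object lifetime left under one of the two readings.

    "current_age": lifetime clock starts where current_age starts counting,
                   so remaining = lifetime - current_age.
    "receipt":     lifetime clock starts when this client received the
                   response, so remaining = lifetime - (now - response_time).
    Returns 0.0 once the object is no longer valid per section 6.
    """
    if not origin_object_valid(obj, t, now):
        return 0.0
    if reading == "current_age":
        elapsed = current_age(t, now)
    elif reading == "receipt":
        elapsed = now - t.response_time
    else:
        raise ValueError(f"unknown reading: {reading}")
    return max(0.0, obj["lifetime"] - elapsed)


def commitment_remaining(obj: dict, t: ResponseTiming, now: float,
                         client_cap: Optional[float] = None,
                         reading: str = "current_age") -> float:
    """Seconds of tls-commit the client still honours; 0.0 if none."""
    if obj.get("tls-commit") is not True:
        return 0.0
    remaining = remaining_lifetime(obj, t, now, reading)
    if client_cap is not None:
        # Section 5.3 allows the client to shorten the period it trusts.
        remaining = min(remaining, max(0.0, client_cap - (now - t.response_time)))
    return remaining


def evaluate(raw: str, t: ResponseTiming, now: float,
             client_cap: Optional[float] = None) -> dict:
    """Summarise validity vs. commitment, flagging the issue-162-like case."""
    obj = parse_origin_object(raw)
    valid = origin_object_valid(obj, t, now)
    commit = commitment_remaining(obj, t, now, client_cap)
    return {
        "valid": valid,
        "tls_ports": obj.get("tls-ports", []),
        "commitment_seconds": commit,
        # Object still valid, but the client's own cap already ended the commitment.
        "commitment_lapsed_while_valid": valid and obj.get("tls-commit") is True and commit == 0.0,
    }


# Constructed sample data: Date 2 s before receipt, Age: 10, 2 s round trip.
TIMING = ResponseTiming(request_time=1000.0, response_time=1002.0,
                        date_value=1000.0, age_value=10)
FULL_OBJECT = json.dumps({"tls-ports": [443], "tls-commit": True, "lifetime": 3600})
COMMIT_ONLY_OBJECT = json.dumps({"tls-commit": True, "lifetime": 3600})

if __name__ == "__main__":
    obj = parse_origin_object(FULL_OBJECT)
    print("current_age at t=1102:", current_age(TIMING, 1102.0))
    print("remaining (current_age reading):", remaining_lifetime(obj, TIMING, 1102.0))
    print("remaining (receipt reading):", remaining_lifetime(obj, TIMING, 1102.0, "receipt"))
    print("commit-only object, cap 600 s, at t=1702:",
          evaluate(COMMIT_ONLY_OBJECT, TIMING, 1702.0, client_cap=600))
```

With the sample timing, current_age at t=1102 is 112 s, so the two readings differ by the 12 s of corrected initial age (3488 s vs. 3500 s remaining). With a 600 s client cap and the commit-only object, at t=1702 the commitment has lapsed while the origin object is still valid for the section 6 check; as the message notes, that object carries no "tls-ports", so nothing else depends on it.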