Re: New version of draft-yasskin-http-origin-signed-responses-02

On Mon, Jan 29, 2018 at 8:56 AM, Jeffrey Yasskin <jyasskin@google.com>
wrote:

> I've updated my signed-exchanges draft that was previously discussed at
> https://lists.w3.org/Archives/Public/ietf-http-wg/2017OctDec/0396.html.
>
> A list of significant changes is at https://tools.ietf.org/id/draft-yasskin-http-origin-signed-responses-02.html#change-log.
>
> Please look at the sections titled "Open Questions" and propose some
> answers. :)
>
> What kinds of changes and/or reviews do you want before adopting this as a
> WG draft, perhaps at IETF101?
>

I think adoption here is premature. This is a pretty major architectural
deviation from the current model and it's not clear to me that it's well
motivated by the use cases for which there is (even rough) consensus.


> The one negative comment I've gotten is from Ekr, who wants clients to make
> a TLS connection to the true origin (or, via the CERTIFICATE frame, to
> anyone who's been issued a fake certificate) to validate the exchange. To
> attempt to address this, the draft now insists that the signature's
> "validityUrl" be same-origin with the claimed request URI, and
> https://tools.ietf.org/id/draft-yasskin-http-origin-signed-responses-02.html#seccons-downgrades suggests that clients can
> fetch that URL more eagerly than just when the signature expires.
>

Thanks for taking a look at this. However, I don't think it really
addresses the concern that I raised, which is not solely about talking to
the origin but about having a digital signature from the origin server
substitute for an HTTPS connection to the origin.

-Ekr


> We have an implementation in progress in Chromium: https://groups.google.com/a/chromium.org/d/topic/blink-dev/n7cZXSTwBTY/discussion.
>
> Thanks,
> Jeffrey
>
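As an added illustration of the two client-side checks the quoted message describes, the same-origin constraint on the signature's "validityUrl" and fetching that URL more eagerly than just at expiry, here is example code written for this page; it is not text from the draft or code from the Chromium implementation. The exchange field names, the 0.5 refresh fraction and the example.com URLs are assumptions.

```python
from urllib.parse import urlsplit

# Assumed default ports used when comparing origins.
DEFAULT_PORTS = {"https": 443, "http": 80}

def origin_of(url):
    """Return the (scheme, host, port) origin of an absolute URL, normalising default ports."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.hostname:
        raise ValueError(f"not an absolute URL: {url!r}")
    scheme = parts.scheme.lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, parts.hostname, port)

def validity_url_ok(request_uri, validity_url):
    """True iff validityUrl is an https URL on the same origin as the claimed request URI."""
    try:
        req, val = origin_of(request_uri), origin_of(validity_url)
    except ValueError:
        return False  # relative or malformed URLs cannot be verified as same-origin
    return req[0] == "https" and req == val

def should_refresh(now, date, expires, eager_fraction=0.5):
    """Decide whether the client should re-fetch validityUrl now.

    `date` and `expires` are the signature's validity window as Unix seconds.
    Refresh once the signature has expired, or once more than `eager_fraction`
    of its lifetime has elapsed (the eager fetch; the fraction is an assumed
    client policy, not a value taken from the draft).
    """
    if expires <= date or now >= expires:
        return True  # malformed window or already expired
    return (now - date) / (expires - date) >= eager_fraction

def check_exchange(exchange, now):
    """Classify a signed exchange: "reject", "refresh" (fetch validityUrl first) or "accept"."""
    if not validity_url_ok(exchange["request_uri"], exchange["validityUrl"]):
        return "reject"  # a cross-origin validityUrl would let a third party extend the exchange
    if should_refresh(now, exchange["date"], exchange["expires"]):
        return "refresh"
    return "accept"

# Constructed sample exchange (field names are assumptions, not the draft's wire format).
SAMPLE_EXCHANGE = {
    "request_uri": "https://example.com/article",
    "validityUrl": "https://example.com/sxg/validity",
    "date": 0,
    "expires": 2000,
}
```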

Received on Tuesday, 30 January 2018 13:39:52 UTC