Re: HTTP2 Expression of Interest : Squid from James M Snell on 2012-07-18 (ietf-http-wg@w3.org from July to September 2012)

From: James M Snell <jasnell@gmail.com>
Date: Tue, 17 Jul 2012 17:16:33 -0700
To: Paul Leach <paulle@microsoft.com>
Cc: Julian Reschke <julian.reschke@gmx.de>, Gabriel Montenegro <Gabriel.Montenegro@microsoft.com>, Adrien de Croy <adrien@qbik.com>, Poul-Henning Kamp <phk@phk.freebsd.dk>, Amos Jeffries <squid3@treenet.co.nz>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Message-ID: <CABP7RbcqXN6uv2EVRyZKadSvifpU-8hKnDwn+sVUjMSWSeNQEA@mail.gmail.com>

AUTH-PUT? Eww... for far too many reasons to list. Using a new method for a
revised content-push/expect/continue type of mechanism does make sense,
however, as it avoids the type of miscommunication that could happen when
attempting to interact with downlevel servers. A single "PUSH" method, as I
described previously, with semantics defined strictly for HTTP/2.0 should
be enough to address the issue.

- James

On Tue, Jul 17, 2012 at 5:06 PM, Paul Leach <paulle@microsoft.com> wrote:

> Other people have covered most of the issues in other posts.
> Also, as RFC 2616 says:
>         Many older HTTP/1.0 and HTTP/1.1 applications do not understand
> the Expect header.
> Hence, even if HTTP/2.0 creates an ironclad spec, if the first thing the
> client does is a PUT, the client won’t know that it isn't talking to an
> HTTP/2.0 server until it is too late.
>
> An quick-and-dirty  example of an approach I had in mind that might work
> is a new AUTH-* family of methods with a request line that looks like
>                 AUTH-method Request-URI HTTP/1.1
> e.g.
>         AUTH-PUT /someresource HTTP/1.1
> which will return 401 if authentication would be required if "method" was
> invoked on the Request-URI, 200 if not, and 501 if the server doesn’t
> understand the AUTH-* methods.
>
> -----Original Message-----
> From: Julian Reschke [mailto:julian.reschke@gmx.de]
> Sent: Tuesday, July 17, 2012 10:18 AM
> To: Gabriel Montenegro
> Cc: Adrien de Croy; Poul-Henning Kamp; Amos Jeffries; ietf-http-wg@w3.org
> Subject: Re: HTTP2 Expression of Interest : Squid
>
> On 2012-07-17 19:02, Gabriel Montenegro wrote:
> >> From: Adrien de Croy [mailto:adrien@qbik.com]
> > ...
> >> I agree, and actually I'd be keen to apply this philosphy in both
> >> directions, where no significant resource is transmitted in either
> >> direction without the recipient indicating prior willingness (either
> >> by requesting it, or indicating willingness).  What I'm getting at
> >> here is large POST / PUT requests.  Currently it's a mess esp with auth
> in the mix.
> >
> > Along these lines, to help with a  POST/PUT with auth in the mix we
> mentioned an idea in our authentication EoI of a lightweight probe:
> >
> > http://lists.w3.org/Archives/Public/ietf-http-wg/2012JulSep/0239.html:
> >
> > 1.       Lightweight "probe" for POSTs and PUTs.  Initial PUTs and POSTs
> with long entity bodies will cause problems because of the extra round trip
> required by authentication. ("Initial" means when first request on a
> connection is PUT or POST). If the body is indefinite length, it may not be
> able to be recreated. This is a problem with any multi-legged
> authentication scheme in HTTP. It could be avoided if there were a
> guaranteed benign request type that could be used to force authentication
> if needed before doing the PUT or POST.
>
> We have
>
>    Expect: 100-continue
>
> for that, no?
>
> Best regards, Julian
>
>
>
>
>
>
>

Received on Wednesday, 18 July 2012 00:17:23 UTC