Re: non authenticated alternate services (was Re: AD review of draft-ietf-httpbis-alt-svc-10)

Hey Patrick,

Thanks for that.

I took a rough stab at this:
  https://github.com/httpwg/http-extensions/commit/3872a0d0fd61

Basically, it moves the exception for same-host authentication out of alt-svc into opp-sec, so that we can refine it there, getting this discussion off of the critical path for alt-svc.

Thoughts?


> On 17 Jan 2016, at 7:04 am, Patrick McManus <pmcmanus@mozilla.com> wrote:
> 
> Hi All, I apologize for letting this discussion go to my backlog. As Barry suggested, some of us need longer than others to shake off the new year's fog.
> 
> tl;dr; I've come to agree that an additional out of band check with an origin advertising an unauthenticated alt-service has value and we should modify the document to define that. It certainly has more value than either the port scheme or just allowing same host ports. Maybe something like the .well-known approach Kari suggests would be fine. It's certainly slow, but the whole migration is asynchronous anyhow so that's not a deal killer.
> 
> I'm actually glad the port number nonsense got called out. It didn't have real value and it's the kind of window dressing only a committee could love (I say lovingly, as a member of said committee.). Although moot now, I disagree that it was doing any harm by giving people a sense of self confidence - in general I think that kind of argument is too clever by half, people are generally paying no attention or less often paying enough attention to think it through.
> 
> I do have a concern that when reviewing the registry of .well-known https://www.iana.org/assignments/well-known-uris/well-known-uris.xml it isn't exactly overrun with well-used mechanisms. It seems to me .well-known is often offered up in the solutions space but not implemented as often.
> 
> I'm happy to help draft text if no one else wants to. Perhaps Mark, as author of RFC 5785, might want to suggest a structure. (do we need a separate document?) I think it can probably be a white list of advertisements on separate lines and also allowing *, but that's just an opening bid.
> 
> onward,
> -Patrick
> 

--
Mark Nottingham   https://www.mnot.net/
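The out-of-band check Patrick sketches above (an origin-published whitelist of alternative services, one per line, with `*` permitted) as an added example. This is not code from the thread, from the alt-svc or opp-sec drafts, or from any httpbis implementation. The whitelist format, the idea that it would be fetched from a `.well-known` resource on the origin, the `AltService`/`is_authorized` names and the sample header and whitelist are all assumptions made here; only the parsing of the Alt-Svc field value follows the syntax the alt-svc draft (published as RFC 7838) defines.

```python
"""Added example, not from the thread or any httpbis code: deciding whether
an advertised alternative service may be used without its own certificate
check, by consulting a whitelist the origin publishes out of band.

Assumptions (hypothetical, not from the page):
  * the whitelist is a text document, one allowed "host:port" per line,
    "#" starting a comment and "*" meaning "any advertised alternative";
  * the Alt-Svc field value follows RFC 7838 syntax:
    protocol-id="[host]:port" with optional ";"-separated parameters.
"""
import re
from typing import List, NamedTuple, Set


class AltService(NamedTuple):
    protocol: str
    host: str       # empty string means "same host as the origin"
    port: int
    max_age: int    # seconds; RFC 7838 default is 86400 when ma= is absent


# One alternative: token, quoted "host:port", then any ;-parameters.
_ALT_VALUE = re.compile(
    r'\s*([A-Za-z0-9!#$%&*+.^_`|~-]+)="([^"]*)"((?:\s*;\s*[^;,]+)*)'
)


def parse_alt_svc(value: str) -> List[AltService]:
    """Parse an Alt-Svc field value; malformed entries are skipped."""
    services: List[AltService] = []
    if value.strip() == "clear":          # "clear" invalidates all alternatives
        return services
    for m in _ALT_VALUE.finditer(value):
        proto, authority, params = m.group(1), m.group(2), m.group(3)
        host, sep, port = authority.rpartition(":")
        if sep != ":" or not port.isdigit():
            continue                      # authority must carry a numeric port
        max_age = 86400
        for p in re.split(r"\s*;\s*", params.strip("; ")):
            if p.startswith("ma="):
                try:
                    max_age = int(p[3:].strip('"'))
                except ValueError:
                    pass                  # keep the default on a bad ma= value
        services.append(AltService(proto, host, int(port), max_age))
    return services


def parse_whitelist(text: str) -> Set[str]:
    """Read the hypothetical origin-published whitelist into a set."""
    allowed: Set[str] = set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            allowed.add(entry.lower())
    return allowed


def is_authorized(origin_host: str, alt: AltService, allowed: Set[str]) -> bool:
    """True only if the origin's whitelist names this exact host:port.

    A same-host advertisement (empty host) gets no special treatment: the
    whitelist, not the host or the port, is the deciding check.
    """
    if "*" in allowed:
        return True
    host = (alt.host or origin_host).lower()
    return f"{host}:{alt.port}" in allowed


def authorized_alternatives(origin_host: str, alt_svc_value: str,
                            whitelist_text: str) -> List[AltService]:
    """Filter an Alt-Svc advertisement down to whitelisted alternatives."""
    allowed = parse_whitelist(whitelist_text)
    return [a for a in parse_alt_svc(alt_svc_value)
            if is_authorized(origin_host, a, allowed)]


# Constructed sample data (not from the page).
SAMPLE_WHITELIST = """# constructed whitelist, as the origin would publish it
alt.example.com:443
www.example.com:8443
"""
SAMPLE_ALT_SVC = ('h2="alt.example.com:443"; ma=3600, '
                  'h2=":8000", h2="other.example.net:443"')

if __name__ == "__main__":
    for alt in authorized_alternatives("www.example.com", SAMPLE_ALT_SVC,
                                       SAMPLE_WHITELIST):
        print(alt)
```

With the sample data only `alt.example.com:443` survives: the same-host `:8000` advertisement is rejected because the whitelist does not list that port, which is the point of moving the decision out of band rather than trusting host or port matching on its own.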

Received on Sunday, 17 January 2016 07:07:36 UTC