RE: draft-nottingham-httpbis-origin-frame

On the last point, I direct your attention to https://github.com/MikeBishop/http2-client-certs/blob/additional_certs/draft-bishop-http2-additional-certs.md -- not currently submitted, but a one-off exploration of using the same frames from Martin's and my client cert draft to send additional certs on the server as well. I'd prefer to focus on the client-to-server direction first, but there is no technical reason the frames can't do the same thing in the opposite direction.

From: Patrick McManus [mailto:pmcmanus@mozilla.com]
Sent: Monday, March 14, 2016 10:40 AM
To: HTTP Working Group <ietf-http-wg@w3.org>
Subject: draft-nottingham-httpbis-origin-frame

I support draft-nottingham-httpbis-origin-frame for wg adoption, if it were to be put forward.
I think it is a little unclear on whether or not it intends to include the use case of advertising origins that are covered by the traditional notion of authoritative (i.e. certificate checks, key pin, et al) but not necessarily overlapping DNS. I guess, upon reading, that it doesn't mean to include that - but I think it should.
The DNS restriction of 7540 is really about sane routing of requests to the right server by getting an opt-in that indicates configuration. Its not really about security - DNS is not really part of the security model.
Its a reasonable bootstrap, but DNS is rather imperfect for this signal; as much as we like to imagine a single and consistent DNS space that's not the way it translates in practice. Concerns over load balancing are just one of many reasons why a strict application of 7540 might not allow for coalescing where it was actually setup and desired. This seems as likely as the 421 case that motivates the draft. Both could be addressed.

The origin frame is a place to put a strong signal that this established connection is suitable for the following set of origins no matter what the clients view of the DNS. (subject to certificate rules, of course). Indeed it would have the interesting property of removing the need to resolve DNS for the client for matching origins which is a definite additional performance win too even in cases where the DNS does overlap.
Plausibly these extension frames could get fairly big. It would seem easy enough to define them as optionally compressed (with the header compression state) in the presence of a settings ack of the extension (and a flag bit).

As an aside, it probably makes sense at this time (different document) to add (back) the extension for including more certs serialized into the connection to allow more origins to be advertised.
If there is interest, I'd be happy to work on those 3 points.

-Patrick

Received on Monday, 14 March 2016 17:59:46 UTC