- From: Mike West <mkwst@google.com>
- Date: Thu, 16 Aug 2018 08:27:13 +0200
- To: Willy Tarreau <w@1wt.eu>
- Cc: phk@phk.freebsd.dk, HTTP Working Group <ietf-http-wg@w3.org>
- Message-ID: <CAKXHy=fQmTtyPYff-+Q91dPU-PFPV3Do4JLgVYk=s27mrkWcKg@mail.gmail.com>
On Tue, Aug 14, 2018 at 2:18 PM Willy Tarreau <w@1wt.eu> wrote: > Hi Poul-Henning, > > On Tue, Aug 14, 2018 at 12:07:21PM +0000, Poul-Henning Kamp wrote: > > PS: 64 bits is not enough for everybody, in particularly not when > > they are randomly generated by less than perfect implementations. > > Make then 128 bit from the start. > > No, that's what we discussed at the HTTP workshop 3 years ago already, > putting too many bits will cause the inverse of what is desired, it > adds unique client identifiers making tracking even easier and at the > same time will make distributed server stickiness very hard if not > impossible. Can you point me to notes on this discussion? I'm quite curious! For clarity, I think this identifier is supposed to make it possible to tie multiple HTTP requests together into a coherent session, which (I think?) means that a unique-enough identifier is essential. > If instead we only place a few bits for routing information > (say 16 bits) and place it upfront, all the routing information is > present and there is no need to distinguish between multiple clients. > The server will then be able to figure the real client from the > decrypted traffic (potentially via another client-fed ID if needed). > Hrm. I might be misunderstanding the use of "decrypted" here, but exposing any of the identifiers bits over plaintext is a non-goal of this proposal. -mike
Received on Thursday, 16 August 2018 06:27:52 UTC