W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2021

Re: BCP56bis - remaining work

From: Mark Nottingham <mnot@mnot.net>
Date: Mon, 26 Apr 2021 17:46:12 +1000
Cc: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Message-Id: <2D203266-CEFB-4FC7-92E4-D8AA21E234F4@mnot.net>
To: Willy Tarreau <w@1wt.eu>
Hi Willy,

> On 21 Apr 2021, at 1:10 pm, Willy Tarreau <w@1wt.eu> wrote:
> 
> Hi Mark,
> 
> On Wed, Apr 21, 2021 at 12:03:01PM +1000, Mark Nottingham wrote:
>> There hasn't been much feedback on the second suggestion, but the first
>> resulted in a few people objecting that it was too general. However, this BCP
>> is for IETF standards-based HTTP APIs, not all HTTP APIs or all uses of HTTP.
>> Given that the IETF is focused on internetworking, the examples of localhost
>> APIs don't seem very applicable here.
> 
> But even with local networks or remote networks, I'm afraid that enforcing
> a MUST where we *know* that plenty of accesses will remain forever in HTTP
> for various reasons will simply result in interoperability issues again due
> to anyone doing what they *think* is right given that what they deal with
> already does not match the rules anymore.

Again, this is *just* about IETF specifications that define HTTP APIs that are for deployment on the open internet.


>> Therefore, I think the best path forward is to change the RECOMMENDED to a
>> MUST, rewording the language about client authentication to account for that.
>> If you don't agree, please respond and state why, taking the above into
>> account.
> 
> Deciding for users is *always* worse than guiding them. For example if you
> keep a RECOMMENDED for https and a MUST for the authentication stuff, this
> maintains a certain consistency which is easy to enforce. If you turn https
> to a must, all those who have good reasons for continuing to use HTTP will
> not even make a special case of the auth part.
> 
> I think a much better approach would be to make the intent clear:
> 
>  HTTP implementations must take extreme care of the confidentiality and
>  integrity of transported information, especially when it may be used to
>  affect a user's privacy. As such, any information about the users'
>  identification or browsing habits MUST be encrypted either by the
>  application or at the transport level, and any information returned to
>  the user MUST be authenticated, either by the application or at the
>  transport layer. Therefore, the "https" scheme is RECOMMENDED for all
>  uses involving a user.
> 
> As such this doesn't prevent applications from continuing to communicate
> over HTTP, or even OCSP from being used, and may even allow users to use
> HTTP for some services like time retrieval at boot or package updates on
> their operating systems when these packages are already signed.
> 
> Any opinion ?
> 
> Willy
> 

--
Mark Nottingham   https://www.mnot.net/
Received on Monday, 26 April 2021 07:46:36 UTC

This archive was generated by hypermail 2.4.0 : Monday, 26 April 2021 07:46:37 UTC