W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2021

Re: Benjamin Kaduk's Discuss on draft-ietf-httpbis-messaging-16: (with DISCUSS and COMMENT)

From: Martin Thomson <mt@lowentropy.net>
Date: Thu, 17 Jun 2021 14:40:17 +1000
Message-Id: <2a5d126b-c5e2-4d3e-9aa4-e60face65a50@www.fastmail.com>
To: "Mark Nottingham" <mnot@mnot.net>, "Benjamin Kaduk" <kaduk@mit.edu>
Cc: "The IESG" <iesg@ietf.org>, draft-ietf-httpbis-messaging@ietf.org, httpbis-chairs@ietf.org, ietf-http-wg@w3.org, "Tommy Pauly" <tpauly@apple.com>
On Thu, Jun 17, 2021, at 14:19, Mark Nottingham wrote:
> > on -semantics.  However, I am not seeing any requirement on the server 
> > to ensure that the response it generates is secured.
...
> I don't think that helps, at least in the case of HTTP/1.1. There, the 
> server is responsible for setting the correct scheme for the target URI 
> when a request is received; the security properties of the request and 
> response follow from that. Effectively, it's not under attacker control.

That only establishes that it is not an attack, which might mean that the requirement is not strictly necessary.  Adding a requirement might still be useful.

> However, I don't see any equivalent mechanism regarding :scheme in 
> http/2 bis  or http/3. Off the cuff, I tend to think that security 
> considerations about this probably belong on both of those specs.

I disagree.  This is a generic requirement: if the scheme is "https", the server needs to ensure that the response has appropriate integrity and confidentiality protections.  I think that is all that Ben's question suggests we do.
Received on Thursday, 17 June 2021 04:41:10 UTC

This archive was generated by hypermail 2.4.0 : Thursday, 17 June 2021 04:41:20 UTC