Re: Benjamin Kaduk's Discuss on draft-ietf-httpbis-messaging-16: (with DISCUSS and COMMENT)

> On 17 Jun 2021, at 2:40 pm, Martin Thomson <mt@lowentropy.net> wrote:
> 
> On Thu, Jun 17, 2021, at 14:19, Mark Nottingham wrote:
>>> on -semantics.  However, I am not seeing any requirement on the server 
>>> to ensure that the response it generates is secured.
> ...
>> I don't think that helps, at least in the case of HTTP/1.1. There, the 
>> server is responsible for setting the correct scheme for the target URI 
>> when a request is received; the security properties of the request and 
>> response follow from that. Effectively, it's not under attacker control.
> 
> That only establishes that it is not an attack, which might mean that the requirement is not strictly necessary.  Adding a requirement might still be useful.

I'm not *against* a requirement here, but...


>> However, I don't see any equivalent mechanism regarding :scheme in 
>> http/2 bis  or http/3. Off the cuff, I tend to think that security 
>> considerations about this probably belong on both of those specs.
> 
> I disagree.  This is a generic requirement: if the scheme is "https", the server needs to ensure that the response has appropriate integrity and confidentiality protections.  I think that is all that Ben's question suggests we do.

The point is that the core construct in Semantics is the target URI, and each protocol version should clearly define how to derive one for a given request on the wire, warning of the pitfalls that one might encounter in doing so -- in this case, assuming that :scheme is truthful. I'll open an issue on h2bis and we can move the discussion there.

Cheers,



--
Mark Nottingham   https://www.mnot.net/

Received on Thursday, 17 June 2021 06:19:30 UTC
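
The pitfall named in the message above, assuming that :scheme is truthful when deriving the target URI, shown as an added example that is not part of the original message or of any of the drafts. The `Request` type, the `target_uri` function and the rejection policy are assumptions made for illustration, and the sample requests are constructed.

```python
from dataclasses import dataclass
from typing import Optional


class MisdirectedRequest(Exception):
    """The request claims a scheme that the connection cannot back up."""


@dataclass(frozen=True)
class Request:
    version: str          # "1.1", "2" or "3"
    conn_secured: bool    # what the server itself knows about the transport
    authority: str        # Host header (1.1) or :authority (2/3)
    path: str
    pseudo_scheme: Optional[str] = None  # :scheme as sent by the peer (2/3 only)


def target_uri(req: Request) -> str:
    """Derive the target URI without trusting peer-supplied scheme data."""
    if req.version == "1.1":
        # Origin-form request: no scheme on the wire, so the server sets it
        # from the connection. The peer has no field with which to lie.
        scheme = "https" if req.conn_secured else "http"
    else:
        # HTTP/2 and HTTP/3 carry :scheme in the request itself, so it has to
        # be checked against the transport before it is believed.
        if req.pseudo_scheme is None:
            raise MisdirectedRequest("missing :scheme")
        scheme = req.pseudo_scheme.lower()
        if scheme == "https" and not req.conn_secured:
            raise MisdirectedRequest("':scheme: https' on an unsecured connection")
        # Assumption: "http" on a secured connection is accepted as "http";
        # it claims no protection that the connection lacks.
    return f"{scheme}://{req.authority}{req.path}"


if __name__ == "__main__":
    samples = [  # constructed requests
        Request("1.1", True, "example.com", "/a"),
        Request("2", True, "example.com", "/a", "https"),
        Request("2", False, "example.com", "/a", "https"),
    ]
    for r in samples:
        try:
            print(r.version, r.conn_secured, "->", target_uri(r))
        except MisdirectedRequest as exc:
            print(r.version, r.conn_secured, "-> rejected:", exc)
```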