Re: Benjamin Kaduk's Discuss on draft-ietf-httpbis-semantics-16: (with DISCUSS and COMMENT) from Roy T. Fielding on 2021-07-24 (ietf-http-wg@w3.org from July to September 2021)

From: Roy T. Fielding <fielding@gbiv.com>
Date: Sat, 24 Jul 2021 11:35:57 -0700
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: Mark Nottingham <mnot@mnot.net>, The IESG <iesg@ietf.org>, draft-ietf-httpbis-semantics@ietf.org, HTTP Working Group <ietf-http-wg@w3.org>, Tommy Pauly <tpauly@apple.com>
Message-Id: <B46D7A9A-83D8-49B6-91BC-2450CE482717@gbiv.com>

> On Jun 16, 2021, at 7:50 PM, Benjamin Kaduk <kaduk@mit.edu> wrote:
> 
> Hi Mark,
> 
> On Thu, Jun 17, 2021 at 11:44:58AM +1000, Mark Nottingham wrote:
>> Hi Ben,
>> 
>>> On 17 Jun 2021, at 6:39 am, Benjamin Kaduk via Datatracker <noreply@ietf.org> wrote:
>>> 
>>> ----------------------------------------------------------------------
>>> DISCUSS:
>>> ----------------------------------------------------------------------
>>> 
>>> Thank you for this quite masterfully done mammoth undertaking!  I expect
>>> to ballot Yes pending discussion of one point.
>>> 
>>> I'm looking at the following text in Section 4.3.4 relating to how to
>>> handle certificate validation failures for https:
>>> 
>>>  If the certificate is not valid for the URI's origin server, a user
>>>  agent MUST either notify the user (user agents MAY give the user an
>>>  option to continue with the connection in any case) or terminate the
>>>  connection with a bad certificate error.  [...]
>>> 
>>> Given the discussion up in §3.5 about requirements to "notify" the user
>>> vs requiring "confirmation" from the user, I don't think that just "MUST
>>> notify the user" is sufficient to prevent the user-agent from
>>> continuing, since it is sufficient to just write a log entry as the
>>> means to notify the user.  Is the intent to require confirmation of the
>>> action to continue in the face of such an error (which, again per §3.5
>>> could be a pre-configured confirmation)?  An intent to require
>>> "confirmation" (vs mere "notification") seems consistent with the
>>> subsequent text placing requirements on automated clients and would be
>>> more consistent with my understanding of general IETF consensus for
>>> securing protocols
>> 
>> Good catch. I think that 'notify the user' --> 'obtain confirmation from the user' is the right change here (possibly with a reference to 3.5).
>> 
>> Anyone disagree?
> 
> Not I -- that sounds good to me.
> The parenthetical might want a bit of reworking (or removal?) as a
> follow-up, though.
> 
> Thanks,
> 
> Ben

We almost forgot this one.  Done in

 https://github.com/httpwg/http-core/commit/d93cc5f1a5f72e0d45529871fdd2d20395f6dbda

....Roy

Received on Saturday, 24 July 2021 18:36:19 UTC