Re: Benjamin Kaduk's Discuss on draft-ietf-httpbis-semantics-16: (with DISCUSS and COMMENT) from Benjamin Kaduk on 2021-07-24 (ietf-http-wg@w3.org from July to September 2021)

From: Benjamin Kaduk <kaduk@mit.edu>
Date: Sat, 24 Jul 2021 11:46:57 -0700
To: "Roy T. Fielding" <fielding@gbiv.com>
Cc: Mark Nottingham <mnot@mnot.net>, The IESG <iesg@ietf.org>, draft-ietf-httpbis-semantics@ietf.org, HTTP Working Group <ietf-http-wg@w3.org>, Tommy Pauly <tpauly@apple.com>
Message-ID: <20210724184657.GO88594@kduck.mit.edu>

On Sat, Jul 24, 2021 at 11:35:57AM -0700, Roy T. Fielding wrote:
> > On Jun 16, 2021, at 7:50 PM, Benjamin Kaduk <kaduk@mit.edu> wrote:
> > 
> > Hi Mark,
> > 
> > On Thu, Jun 17, 2021 at 11:44:58AM +1000, Mark Nottingham wrote:
> >> Hi Ben,
> >> 
> >>> On 17 Jun 2021, at 6:39 am, Benjamin Kaduk via Datatracker <noreply@ietf.org> wrote:
> >>> 
> >>> ----------------------------------------------------------------------
> >>> DISCUSS:
> >>> ----------------------------------------------------------------------
> >>> 
> >>> Thank you for this quite masterfully done mammoth undertaking!  I expect
> >>> to ballot Yes pending discussion of one point.
> >>> 
> >>> I'm looking at the following text in Section 4.3.4 relating to how to
> >>> handle certificate validation failures for https:
> >>> 
> >>>  If the certificate is not valid for the URI's origin server, a user
> >>>  agent MUST either notify the user (user agents MAY give the user an
> >>>  option to continue with the connection in any case) or terminate the
> >>>  connection with a bad certificate error.  [...]
> >>> 
> >>> Given the discussion up in §3.5 about requirements to "notify" the user
> >>> vs requiring "confirmation" from the user, I don't think that just "MUST
> >>> notify the user" is sufficient to prevent the user-agent from
> >>> continuing, since it is sufficient to just write a log entry as the
> >>> means to notify the user.  Is the intent to require confirmation of the
> >>> action to continue in the face of such an error (which, again per §3.5
> >>> could be a pre-configured confirmation)?  An intent to require
> >>> "confirmation" (vs mere "notification") seems consistent with the
> >>> subsequent text placing requirements on automated clients and would be
> >>> more consistent with my understanding of general IETF consensus for
> >>> securing protocols
> >> 
> >> Good catch. I think that 'notify the user' --> 'obtain confirmation from the user' is the right change here (possibly with a reference to 3.5).
> >> 
> >> Anyone disagree?
> > 
> > Not I -- that sounds good to me.
> > The parenthetical might want a bit of reworking (or removal?) as a
> > follow-up, though.
> > 
> > Thanks,
> > 
> > Ben
> 
> We almost forgot this one.  Done in
> 
>  https://github.com/httpwg/http-core/commit/d93cc5f1a5f72e0d45529871fdd2d20395f6dbda

Thanks!

Between that and #898 I think we've covered all my discuss-level points,
and to the extent that I was following the github activity I think we
covered my other comments as well.  Is there anything else that we're
waiting on before submitting revised I-Ds?

-Ben

Received on Saturday, 24 July 2021 18:47:26 UTC