- From: Benjamin Kaduk via Datatracker <noreply@ietf.org>
- Date: Tue, 24 Aug 2021 19:51:38 -0700
- To: "The IESG" <iesg@ietf.org>
- Cc: draft-ietf-httpbis-bcp56bis@ietf.org, httpbis-chairs@ietf.org, ietf-http-wg@w3.org, Tommy Pauly <tpauly@apple.com>, tpauly@apple.com
Benjamin Kaduk has entered the following ballot position for draft-ietf-httpbis-bcp56bis-14: Yes When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-httpbis-bcp56bis/ ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- Thanks to Tommy for the shepherd writeup, which was very nice except that it only answered one of the three parts of question (1). Thanks once again to the editors and WG for another very well-written document! Thanks as well to Joe Salowey for the secdir review, and to the authors for the discussion and updates in response to it. I made a github pull request with a few editorial suggestions: https://github.com/httpwg/http-extensions/pull/1616 Section 3.2 As explained in [RFC8820], such "squatting" on a part of the URL Are there toolchain issues that prevent BCP190 from being the reference here or is there some other reason to prefer the RFC form of the reference? Section 4.3 It seems somewhat surprising that the things we say about client behavior are basically unrelated to the areas where we ask for server behaviors to be specified. Is there anything useful to say about, e.g., how the client uses media types, handles header fields, and processes link relationships (even if [FETCH] would also say such things)? Section 4.4.2 Applications that use HTTP will typically employ the "http" and/or "https" URI schemes. "https" is RECOMMENDED to provide authentication, integrity and confidentiality, as well as mitigate pervasive monitoring attacks [RFC7258]. It seems clear to me that use of "https" is both IETF current practice and a general best practice. I see the shepherd writeup's mention of the extensive WG discussions on this guidance (regarding "RECOMMENDED" vs "MUST"), and posit that the lack of a clear definition of what BCP 14 keywords mean in a BCP-status document (and perhaps some lack of clarity as to what the scope of applicability of this document is) underlie much of the controversy. (We saw a similar controversy in what became RFC 8996 (part of BCP 195) and its various "MUST NOT"s.) In light of the extensive WG discussion that already occurred, I do not see reason to ballot DISCUSS on this topic, but do ask if avoiding BCP 14 keywords entirely was considered, along the lines of: % The use of TLS, i.e., the "https" URI scheme, is the best current % practice, since it provides (source) authentication, integrity and % confidentiality, as well as mitigation against pervasive monitoring % attacks [RFC7258]. * The resources identified by the new scheme will still be available using "http" and/or "https" URLs. [...] Is this availability guaranteed, or just a common risk ("likely")? I could imagine a custom HTTP implementation that only allows requests using a single (custom) scheme, though admittedly mostly just as a thought experiment and not something practical. Section 4.6.1 An application using HTTP should specify if any request header fields that it defines need to be modified or removed upon a redirect; however, this behaviour cannot be relied upon, since a generic client (like a browser) will be unaware of such requirements. Should we encourage the application designer to use "fail safe" semantics for such request header fields in light of the non-guarantee that application-specific requirements will be heeded? (Possibly in a later section more focused on header fields or application state rather than here.) Section 4.9.1 It is not necessary to add the public response directive ([I-D.ietf-httpbis-cache], Section 5.2.2.9) to cache most responses; it is only necessary when it's desirable to store an authenticated response. This seems to be a slightly different definition than the referenced document uses. I am not entirely sure whether the divergence is actually problematic, though. Section 4.12 Applications can use HTTP authentication Section 11 of [I-D.ietf-httpbis-semantics] to identify clients. As per [RFC7617], the Basic authentication scheme is not suitable for protecting sensitive or valuable information unless the channel is secure (e.g., using the "HTTPS" URI scheme). Likewise, [RFC7616] requires the Digest authentication scheme to be used over a secure channel. I see that this text has already been subject to quite a bit of discussion, but RFC 7616 doesn't "require" this; it says that "it SHOULD be over a secure channel like HTTPS". If pressed to suggest an alternate phrasing, I would offer "[RFC7616] expects the Digest authentication scheme to be used over a secure channel", but I am not specifically promoting that phrasing. With HTTPS, clients might also be authenticated using certificates [RFC5246]. When used, it is important to carefully specify the scoping and use of authentication; if the application exposes sensitive data or capabilities (e.g., by acting as an ambient authority), exploits are possible. Mitigations include using a request-specific token to assure the intent of the client. To mention client certificate authentication and scoping of authentication in such close proximity but not discuss the well-known pitfalls of TLS client certificate authentication feels like it's leaving a big gap open. I think we want to add something roughly like: % TLS client certificate authentication is intrinsically scoped to the % underlying transport connection. On such an authenticated connection, % a client has no way of knowing whether the authenticated status was % used in preparing the response (though "Vary: *" can provide a partial % indication), and the only way to obtain a specifically unauthenticated % response is to open a new connection. Applications should consider % whether or not client certificate authentication is appropriate for % their needs and expected use patterns. TLS Exported authenticators % [I-D.ietf-tls-exported-authenticator] are an attempt to remove some of % these limitations while retaining the convenience and other advantages % of client certificate authentication. (The last sentence is optional, of course.) Section 6 Do we want to incorporate by reference the security considerations of any other documents? -semantics, -cache, and RFC 8288, perhaps? ("Application protocols using HTTP are subject to the security considerations of HTTP itself and any extensions used; [I-D.ietf-httpbis-semantics], [I-D.ietf-httpbis-cache], and [RFC8288] are some often-relevant references.") If not, there might be a few things worth mentioning as standalone, e.g., risk of infinite redirect loops and the scope of issues possible when Vary: isn't used. The potential for skew between HTTP caching and (distinct) application protocol lifetime values discussed in ยง4.9.3 is a likely source of security issues, so that section might merit a mention in this listing. Section 7.1 It's not entirely clear to me that RFC 7301 needs to be listed as normative; we mention ALPN only in the context of (paraphrasing) "applications using HTTP ALPN values are subject to these requirements". Section 7.2 We reference httpbis-cache in a number of places, and the sentiment in several seems to be along the lines of "applications really ought to consider the potential impact of caches, since caches might appear in the request path for reasons outside the control of the application". Classifying it as a normative reference seems like it would be defensible (though leaving it as informative is also defensible). NITS Section 1 This document contains best current practices for the specification of such applications. [...] Earlier we've talked about "applications other than Web browsing", "protocols [that] are often ad hoc", "applications [with] multiple, separate implementations", and "application protocol[s] using HTTP". When we say "such applications" do we have a specific referent in mind? Section 4.5.1 Therefore, applications using HTTP that feel a need to allow POST queries ought consider allowing both methods. All the "ought"s in -semantics made sense, but seeing as this document is a BCP, maybe it's okay to give a more definitive recommendation? Section 4.9.3 One way to address this is to explicitly specify that all responses be fresh upon use. I think I'm failing to parse this sentence properly, and it's unclear if s/be/are/ is the right fix. (In particular, what does it mean to "use" a response?) Section 4.16 In HTTP, backwards-incompatible changes are possible using a number of mechanisms: "A number of" implies uncertainty about exactly how many, which would typically be accompanied by "including"; if the list is actually exhaustive, using the actual number ("three") might be preferred. Section 6 We refer to several other sections as being security-relevant, and the list is almost (but not) sorted. Should it be sorted?
Received on Wednesday, 25 August 2021 02:51:53 UTC