Re: IETF HTTPBIS I-D submission - please review draft-sandowicz-httpbis-httpa2

I agree with everything Mark says here, but I want to add one bit of colour: The disposition of the HTTP working group toward this work is likely to be seriously considered in any "dispatch" process (I suggest SECDISPATCH).  So requesting feedback here is a good way to improve the chances of a positive outcome there.  I would say the same - though to a lesser extent perhaps - for the RATS WG and other groups that are working in the general area of attestations and "trusted" computing.

As I've noted elsewhere, from my perspective, I am not able to provide any truly substantial feedback on this work until it gains greater clarity.  I would recommend finding time to talk about use cases, problem statements, and threat models a little more before revising the draft and then seeking to engage with the "dispatch" process.

Cheers,
Martin

On Wed, Oct 19, 2022, at 09:52, Mark Nottingham wrote:
> Hello Krzysztof,
>
> I can see your draft on the data tracker now.
>
> For the HTTP WG to adopt a draft, we need to see that there's both 
> interest in implementing it and consensus to adopt it. The best way to 
> do that is to circulate the draft on the mailing list (which you've now 
> done) -- if there's interest, people will express it there.
>
> We also need to assure that it's in-scope for the group; sometimes, 
> it's better to take work into a separate group, even though it's 
> HTTP-related. One way to do that is to take it to the DISPATCH and/or 
> SECDISPATCH Working Group, so that the broader community can have a 
> discussion about what an appropriate path forward is. 
>
> Note that this is not a simple 'reject/approve' decision -- building 
> consensus to do work usually takes considerable time and effort. If 
> work starts (either in an existing group or a new one), the document 
> will at *most* be a starting point for work, and there will need to be 
> consensus demonstrated on its contents and all their details. 
>
> Importantly, change control for the document (if adopted as a starting 
> point for work) will transfer from the authors to the IETF. That means 
> that as authors, you will have no greater rights to determine what it 
> contains than anyone else in the process.
>
> As I said before, my recommendation would be to take this document to 
> DISPATCH and/or SECDISPATCH, to present it to the broader community. 
> This is not a review process; it's presenting your draft for discussion 
> and a recommendation as to a path forward. That recommendation might be 
> to send it for consideration by an existing WG (like HTTP), or for a 
> new WG to be formed, or for no action. In the latter case, you're 
> welcome to continue working on the draft to try to address feedback you 
> receive.
>
> Hope this helps,
>
>
>> On 19 Oct 2022, at 2:25 am, Sandowicz, Krzysztof <krzysztof.sandowicz@intel.com> wrote:
>> 
>> Hi,
>> Please let me know what is the next step in IETF process regarding Internet-Draft (draft-sandowicz-httpbis-httpa2) submitted by me?
>> Please confirm that you can find my draft on the datatracker?
>> 
>> I assumed that submitted draft is decided to be either rejected or approved by any WG and then its name is changed
>> from
>>  draft-(author)-(group)-(subject)-(version) (i.e. draft-sandowicz-httpbis-httpa2-00)
>> into
>>  draft-(source)-(group)-(subject)-(version) (i.e. draft-ietf-httpbis-httpa2-00)
>> 
>> and then I should expect feedback from WG which adopt/approve the submission.
>> 
>> Regards,
>> Krzysztof
>> 
>> -----Original Message-----
>> From: Sandowicz, Krzysztof 
>> Sent: Thursday, October 13, 2022 12:25 PM
>> To: Mark Nottingham <mnot@mnot.net>
>> Cc: francesca.palombini@ericsson.com; tpauly@apple.com; Murray S. Kucherawy <superuser@gmail.com>
>> Subject: RE: IETF HTTPBIS I-D submission - please review draft-sandowicz-httpbis-httpa2
>> 
>> Mark,
>> Thank you for quick response.
>> I didn't receive any email to confirm posting before. 
>> I could find it on: https://datatracker.ietf.org/submit/status/ using our I-D name: draft-sandowicz-httpbis-httpa2 I just updated submitter information in our submission on datatracker.ietf.org, so submission status has chaned to 'Posted'. Please try again.
>> 
>> Yes, we prepared HTTPA/2 which is newer version of our https://arxiv.org/abs/2110.07954
>> 
>> I thought that it is internal IETF decision which WG would review I-D. That's why I submitted it to HTTPBIS, but I will also send email to DISPATCH and SECDISPATCH WG.
>> Thank you for feedback about a name 'HTTPA'. I let authors to change it in newer version.
>> 
>> Regards,
>> Krzysztof
>> 
>> -----Original Message-----
>> From: Mark Nottingham <mnot@mnot.net>
>> Sent: Thursday, October 13, 2022 1:38 AM
>> To: Sandowicz, Krzysztof <krzysztof.sandowicz@intel.com>
>> Cc: francesca.palombini@ericsson.com; tpauly@apple.com; Murray S. Kucherawy <superuser@gmail.com>
>> Subject: Re: IETF HTTPBIS I-D submission - please review draft-sandowicz-httpbis-httpa2
>> 
>> [ CCing in Murray as AD, since Francesca is on leave ]
>> 
>> Hello Krzysztof,
>> 
>> I can't find your draft on the datatracker -- did you follow the link in the email you received to confirm posting?
>> 
>> Assuming that your proposal is along the lines of this paper: <https://arxiv.org/abs/2110.07954>, there are a few things to consider. 
>> 
>> The HTTP Working Group is definitely the body who would assure that the proposed extension uses HTTP in an appropriate manner. 
>> 
>> Sometimes, extensions like this are standardised directly by the HTTP Working Group, because they are sufficiently generic that they're likely to be broadly applicable -- for example, the in-process Signatures draft <https://httpwg.org/http-extensions/draft-ietf-httpbis-message-signatures.html>.
>> 
>> In other cases, there's a specific community focused on the applicable use cases, and the work is carried out in a separate Working Group that liaises with the HTTP Working Group. For example, the MASQUE Working Group <https://ietf-wg-masque.github.io> is defining extensions to HTTP for very specific uses.
>> 
>> There are a number of factors that go into determining which approach is appropriate, but before that it's necessary to determine whether the IETF believes the work should commence. So, I'd recommend taking your work to one or both of the DISPATCH and SECDISPATCH Working Groups, who are set up to answer these questions (in the ART and SEC areas, respectively). See:
>>  https://datatracker.ietf.org/wg/dispatch/about/
>>  https://datatracker.ietf.org/wg/secdispatch/about/
>> 
>> Specifically, I think your next step is to send an e-mail to one or both of those mailing lists asking for time at IETF115. If you ask for time at both, it's polite to tell them that.
>> 
>> Separately, you should know that there's likely to be a strong negative reaction to a name like "HTTPA." There's a widely-held belief that giving HTTPS a separate name to denote a security property was a mistake that we would undo if we could. Calling this something like "Attestation Extensions for HTTP" is likely to get a better reaction.
>> 
>> Cheers,
>> 
>> 
>>> On 12 Oct 2022, at 8:24 pm, Sandowicz, Krzysztof <krzysztof.sandowicz@intel.com> wrote:
>>> 
>>> Hi,
>>> In the name of group of people working on an extension to HTTP protocol with attestation called: “The Hypertext Transfer Protocol Attestable (HTTPA)” I submitted our Internet-Draft to IETF.
>>> Please find it on: https://datatracker.ietf.org/submit/status/ using 
>>> our I-D name: draft-sandowicz-httpbis-httpa2
>>> 
>>> I receive information from IETF support that I should ask you (HTTPBIS WG) to ask for review of the document in order to progress it to getting adopted by a working group.
>>> Please let me know what do you need from me to proceed with IETF process to publish RFC.
>>> 
>>> Regards,
>>> Krzysztof Sandowicz
>>> 
>>> ======================================================================
>>> ======= Cloud Software Architect, Intel Product Assurance & Security / 
>>> Security Software and Services Direct (Poland): +48 (58) 766 1619,
>>> iNET: 8-348-1619
>>> ======================================================================
>>> =======
>>> 
>>> 
>>> Intel Technology Poland sp. z o.o.
>>> ul. Słowackiego 173 | 80-298 Gdańsk | Sąd Rejonowy Gdańsk Północ | VII Wydział Gospodarczy Krajowego Rejestru Sądowego - KRS 101882 | NIP 957-07-52-316 | Kapitał zakładowy 200.000 PLN.
>>> Spółka oświadcza, że posiada status dużego przedsiębiorcy w rozumieniu ustawy z dnia 8 marca 2013 r. o przeciwdziałaniu nadmiernym opóźnieniom w transakcjach handlowych.
>>> 
>>> Ta wiadomość wraz z załącznikami jest przeznaczona dla określonego adresata i może zawierać informacje poufne. W razie przypadkowego otrzymania tej wiadomości, prosimy o powiadomienie nadawcy oraz trwałe jej usunięcie; jakiekolwiek przeglądanie lub rozpowszechnianie jest zabronione.
>>> This e-mail and any attachments may contain confidential material for the sole use of the intended recipient(s). If you are not the intended recipient, please contact the sender and delete all copies; any review or distribution by others is strictly prohibited.
>>> 
>> 
>> --
>> Mark Nottingham   https://www.mnot.net/
>> 
>> ---------------------------------------------------------------------
>> Intel Technology Poland sp. z o.o.
>> ul. Slowackiego 173 | 80-298 Gdansk | Sad Rejonowy Gdansk Polnoc | VII Wydzial Gospodarczy Krajowego Rejestru Sadowego - KRS 101882 | NIP 957-07-52-316 | Kapital zakladowy 200.000 PLN.
>> Spolka oswiadcza, ze posiada status duzego przedsiebiorcy w rozumieniu ustawy z dnia 8 marca 2013 r. o przeciwdzialaniu nadmiernym opoznieniom w transakcjach handlowych.
>> 
>> Ta wiadomosc wraz z zalacznikami jest przeznaczona dla okreslonego adresata i moze zawierac informacje poufne. W razie przypadkowego otrzymania tej wiadomosci, prosimy o powiadomienie nadawcy oraz trwale jej usuniecie; jakiekolwiek przegladanie lub rozpowszechnianie jest zabronione.
>> This e-mail and any attachments may contain confidential material for the sole use of the intended recipient(s). If you are not the intended recipient, please contact the sender and delete all copies; any review or distribution by others is strictly prohibited.
>
> --
> Mark Nottingham   https://www.mnot.net/

Received on Wednesday, 19 October 2022 00:21:25 UTC