Re: Updates to "optimistic upgrade"

Thanks all for the feedback on this draft.  I've updated the PRs to reflect the input I received today.  Please review them here:

https://github.com/httpwg/http-extensions/pulls?q=is%3Apr+is%3Aopen+label%3Aoptimistic-upgrade

Some noteworthy changes:

* I have closed #2818, which would have marked HTTP/*.* as obsolete.  Instead, #2845 avoids mentioning HTTP/*.* in this draft at all.
* #2828 no longer claims that syntactic incompatibility is sufficient to make optimistic upgrade "safe".
* Normative requirements on future specification authors have been removed in #2827.

--Ben
________________________________
From: Ben Schwartz
Sent: Thursday, July 11, 2024 11:02 AM
To: ietf-http-wg@w3.org <ietf-http-wg@w3.org>
Subject: Updates to "optimistic upgrade"

The draft "Security Considerations for Optimistic Use of HTTP Upgrade" was recently adopted by the working group.  I've published a clean rename of the draft, and written Pull Requests for three changes based on feedback from the working group before and during the adoption call [1].

#2821 - Extend the draft to cover HTTP CONNECT

As Mike Bishop pointed out to me, most of the concerns in this draft, which was originally motivated by "connect-tcp", also apply to regular CONNECT in HTTP/1.1.  This change would expand the draft to cover Upgrade and CONNECT, changing the title of the draft to "Security Considerations for Optimistic Protocol Transitions in HTTP/1.1".

#2818 - Deprecate the "HTTP" and "TLS" upgrade tokens

From discussion on the list, it seems like we have consensus that "Upgrade: HTTP/2.0" is not a standards-compliant header field.  This PR amends the IANA registry [2] to make that clearer.  It also deprecates "Upgrade: TLS/1.2" and marks the corresponding RFC as Historic.

#2827 - Recommend GET for future Upgrade Tokens

This PR depends on #2818.  With those deprecations in place, all remaining Upgrade Tokens use the GET method.  This PR makes that a formal recommendation (SHOULD).

If these changes are of interest, please review them on GitHub or in this thread.  I'll also be discussing them in the Wednesday session of HTTPBIS at IETF 120.

--Ben Schwartz

[1] https://github.com/httpwg/http-extensions/pulls?q=is%3Apr+is%3Aopen+label%3Aoptimistic-upgrade
[2] https://www.iana.org/assignments/http-upgrade-tokens/http-upgrade-tokens.xhtml#:~:text=any%20DIGIT.DIGIT%20(-,e.g.%2C%20%222.0%22,-)

Received on Friday, 26 July 2024 05:01:53 UTC