- From: Ben Schwartz <bemasc@meta.com>
- Date: Wed, 11 Jun 2025 19:56:00 +0000
- To: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
- Message-ID: <DM6PR15MB2361FEA4FF4E580051FD82F9B375A@DM6PR15MB2361.namprd15.prod.outlook.com>
Hi HTTPBIS,

This revision incorporates the feedback received during WGLC. Changes include:

* Direct explanation of why HTTP/1.1 is uniquely vulnerable.
* Expanded new text banning optimistic upgrade for RFC 9298.
* Removed adjustment to the failure case recommendations in RFC 9298.
* Clarified description of rules against optimistic upgrade in "connect-ip".
* Noted the value of using an empty body with GET for simple upgrade tokens and removed speculative justification.
* Populated Acknowledgements section.

--Ben

________________________________
From: internet-drafts@ietf.org <internet-drafts@ietf.org>
Sent: Wednesday, June 11, 2025 3:42 PM
To: i-d-announce@ietf.org <i-d-announce@ietf.org>
Cc: ietf-http-wg@w3.org <ietf-http-wg@w3.org>
Subject: I-D Action: draft-ietf-httpbis-optimistic-upgrade-04.txt

Internet-Draft draft-ietf-httpbis-optimistic-upgrade-04.txt is now available. It is a work item of the HTTP (HTTPBIS) WG of the IETF.

Title: Security Considerations for Optimistic Protocol Transitions in HTTP/1.1
Author: Benjamin M. Schwartz
Name: draft-ietf-httpbis-optimistic-upgrade-04.txt
Pages: 10
Dates: 2025-06-11

Abstract:

In HTTP/1.1, the client can request a change to a new protocol on the existing connection. This document discusses the security considerations that apply to data sent by the client before this request is confirmed, and updates RFC 9298 to avoid related security issues.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-httpbis-optimistic-upgrade/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-httpbis-optimistic-upgrade-04.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-httpbis-optimistic-upgrade-04

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts

Received on Wednesday, 11 June 2025 19:56:09 UTC