Re: I-D Action: draft-ietf-httpbis-optimistic-upgrade-04.txt

Thanks Ben. I can confirm that these changes fully address all my WGLC
comments.
David

On Wed, Jun 11, 2025 at 12:59 PM Ben Schwartz <bemasc@meta.com> wrote:

> Hi HTTPBIS,
>
> This revision incorporates the feedback received during WGLC.  Changes
> include:
>
> * Direct explanation of why HTTP/1.1 is uniquely vulnerable.
> * Expanded new text banning optimistic upgrade for RFC 9298.
> * Removed adjustment to the failure case recommendations in RFC 9298.
> * Clarified description of rules against optimistic upgrade in "connect-ip".
> * Noted the value of using an empty body with GET for simple upgrade
> tokens and removed speculative justification.
> * Populated Acknowledgements section.
>
> --Ben
> ------------------------------
> *From:* internet-drafts@ietf.org <internet-drafts@ietf.org>
> *Sent:* Wednesday, June 11, 2025 3:42 PM
> *To:* i-d-announce@ietf.org <i-d-announce@ietf.org>
> *Cc:* ietf-http-wg@w3.org <ietf-http-wg@w3.org>
> *Subject:* I-D Action: draft-ietf-httpbis-optimistic-upgrade-04.txt
>
> Internet-Draft draft-ietf-httpbis-optimistic-upgrade-04.txt is now
> available.
> It is a work item of the HTTP (HTTPBIS) WG of the IETF.
>
>    Title:   Security Considerations for Optimistic Protocol Transitions in
> HTTP/1.1
>    Author:  Benjamin M. Schwartz
>    Name:    draft-ietf-httpbis-optimistic-upgrade-04.txt
>    Pages:   10
>    Dates:   2025-06-11
>
> Abstract:
>
>    In HTTP/1.1, the client can request a change to a new protocol on the
>    existing connection.  This document discusses the security
>    considerations that apply to data sent by the client before this
>    request is confirmed, and updates RFC 9298 to avoid related security
>    issues.
>
> The IETF datatracker status page for this Internet-Draft is:
>
> https://datatracker.ietf.org/doc/draft-ietf-httpbis-optimistic-upgrade/
>
> There is also an HTML version available at:
>
> https://www.ietf.org/archive/id/draft-ietf-httpbis-optimistic-upgrade-04.html
>
> A diff from the previous version is available at:
>
> https://author-tools.ietf.org/iddiff?url2=draft-ietf-httpbis-optimistic-upgrade-04
>
> Internet-Drafts are also available by rsync at:
> rsync.ietf.org::internet-drafts

Received on Wednesday, 11 June 2025 20:22:32 UTC