New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Roman Danyliw COMMENT draft-ietf-httpbis-semantics-16 #854
Comments
Yes. But this is the definition of "safe methods", not a discussion of all potential attack vectors of a server. |
Understood. Q: do we attempt an exhaustive list here, or just mention examples? If we did mention DoT and DoH, woulkd that be exhaustive? |
By nature I don't think we can be exhaustive here. If anything, I'd replace DNSSEC with DoH, as it's getting more adoption (both in implementation and deployment) on the web. |
We already say that in several places, and I don't think repeating ourselves helps the document become more readable or useful. |
There are technical interop requirements for the protocol and social requirements to keep people safe on the Internet (or the Web safe from the people abusing it). This is just a short-hand version of old IETF lore, and probably isn't worth repeating in the spec. |
Roman Danyliw COMMENT draft-ietf-httpbis-semantics-16 (for #854)
Roman Danyliw has entered the following ballot position for
draft-ietf-httpbis-semantics-16: Yes
When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)
Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about DISCUSS and COMMENT positions.
The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-httpbis-semantics/
COMMENT:
implementations …”, what’s a “social” requirement?
Editors: removed in #903 (#854 (comment))
It would be worth reiterating that it might be risky for extensions to treat
http + https origins on the same host uniformly.
Editors: added text in #903
registered within the …” HTTP field name registry, I have a question about the
strength of the recommendation based on the use of the verb “ought” – is that
RECOMMENDED? SHOULD? Section 8.3.1, 8.3.2, 8.4.1, 8.8.3, etc use a similar
construct.
Editors: we intentionally do not to use normative language for registration requirements.
:authority be included?
Editors: it's syntactically possible in H2 and H3. It's up to those specs to describe what that would mean.
disk, there could be significant CPU load if the target is a script.
Editors: #854 (comment)
user's local name resolution service [is used] to determine where it can
find authoritative responses. This means that any attack on a user's network
host table, cached names, or name resolution libraries becomes an avenue for
attack on establishing authority for "http" URIs.” The subsequent text
highlights DNSSEC as improving authenticity. It seems that the integrity
provided by DoT or DoH would also be relevant.
Editors: added text in #903 (see also #854 (comment))
No disagreement with the sentiment, but I would recommend not framing it in
term of the trustworthiness of the people (i.e., intermediaries with poor
security or privacy practices is not necessarily due to the lack of
trustworthiness of the engineers operating the service; perhaps these services
are also run in of jurisdictions where confidence in them should be reduced).
NEW
Users need to be aware that intermediaries are no more trustworthy that the
entities that operate them and the policies governing them; HTTP itself cannot
solve this problem.
Editors: 5e9c304
OLD
NEW
Editors: d466398
** Editorial
choices/?
Editors: no, advance has the same meaning as "configuration choices made prior to request"
This text goes from referring to “secured” in the first sentence to
“[acceptable] cryptographic mechanisms” in the second sentence. To link them,
perhaps s/are secured/are cryptographically secured/
Editors: "secured" is a defined term for this spec.
Editors: b211884
or RFC7616 as references.
Editors: it does in HTML: https://www.ietf.org/archive/id/draft-ietf-httpbis-semantics-16.html#name-authentication-scheme
Editors: 521758f
The text was updated successfully, but these errors were encountered: