forked from httpwg/wg-materials
-
Notifications
You must be signed in to change notification settings - Fork 0
/
minutes.txt
719 lines (435 loc) · 21.7 KB
/
minutes.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
HTTPbis IETF85 Minutes
======================
Session I
=========
WG status
--------
no bashing
Change overview
---------------
-21 drafts are out and in LC
overview of changes made in the latest draft (substantial only)
no feedback on the changes that were made in the -21 drafts
ACTION: mnot to create a ticket for https caching exception
Security Properties
-------------------
mnot raised the issue of security properties of http and the current
status of the draft (draft-ietf-httpbis-security-properties-05)
barry leiba: not sure that this has any correspondence to reality; if
we adopted something better than basic then we would not need this
(according to S Farrell); not sure what this really has to say
mnot: it needs to more specific if it is to be useful, which limits its
lifetime. This is a product of a bygone era, and we might not have the
expertise to finish this sort of work, regardless of the merits of improving
security as a goal
bleiba: suggested that this be moved to the new authentication bof and
resulting wg
=JeffH: did this as a measure of charity; there might be people who can do
this within this group; i may not have time to continue this myself
bleiba: murray will do it
roy fielding: we haven't added all the security considerations
mnot: are there missing considerations for the broader web
rf: there are http considerations, but those should be in http
documents; if there is anything left, then we can look at that
jh: there is a lot of good stuff that should be written down; but I
haven't done the gap analysis
eliot lear: I agree with the chair that you need implementor interest,
no matter where the work is done. Is there that interest?
mnot: there might be some stuff from here that belongs in drafts, but
some is clearly out of scope
el: please put it to bed
bl: this predates our existing security considerations, which may be
adequate now
sean turner: this would be good to have and it is part of the charter
bl: can you (st) read this and make a recommendation to the group?
mnot: obviously web security has problems, but whatever we produce has
to have some relevance
st: you can force the issue by going to last call; or set a time limit
for "put up or shut up"
mnot: it's still pretty draft-y
Other LC Documents
------------------
rf: last call comments thus far received should take only a short time to
resolve
rf: concerned about the lack of review in p5
mnot: jreschke is expecting to go to proposed standard and to move to full
standard once we've gone through the http/2 process and discovered all the
bugs
mnot: can we go full standard?
alexey melnikov: no
active issues
-------------
jr: (most of these arefrom Dan Winship's review of p1; I haven't
entered those for p2 yet)
===395
rf: do we allow some leniency
mnot: this could just be statements of fact
rf: ok
mnot: do we have other requirements around connection: close ?
mnot: it could be prose
ACTION: make SHOULD statements on Connection header handling prose
instead of 2119 language
### 397
ACTION: put the exception for OPTIONS request to a proxy and the resulting URI
### 22
just tbd, no real issue
### 350
mnot: we can close this one
### mnot's WGLC p1 review
rf: asks for fresh eyes over the drafts
mnot: asks about what is specific to HTTP as opposed to HTTP/1.1; what
can we do to improve the way that this could be made reusable for
HTTP/2
no conclusion
#### What are the parsing requirements for obs-fold with respect to the MUST?
rf: if you can find no interoperable folding implementations, then we
can remove it from the grammar [[scribe: may not have got this right,
action more important to capture]]
ACTION: mnot to run some tests on folding to understand its interoperability
#### shared caching on https
rf: the statement in question only applies to agent-side
intermediaries and user agents, not to content accelerators, which are
part of the origin server
rf: some user agents use a common interface to make the request, then
have separate logic to decide how that information is made available
to other users
rf: to know whether it is safe to send to other servers, you have to
know the content
mnot: you can use Cache-Control
...some disagreement here
roberto peon: there are transformative intermediaries; we don't need to
specify this
mnot: need to know who this applies to
rf: this applies to libraries in clients
mnot: segregation... a shared cache can even apply to the same box
martin t: 'never "public"' contradicts what has been said about caching rules
paul leach: override
Patrick McManus: on a phone, different apps can share the same network context
ACTION: follow up on this issue
### on US-ASCII or a superset of it
mnot: moving on
### on whitespace between start-line and headers
rf: I thought there was some guidance on this
mnot: we should find that text
rf: S19 should not have had any normative requirements in it
mnot: we can remove this then
mnot: think about consolidating the list construction rules that are
specifically called out for Transfer-Coding
rf: this defines the framing and more explicit rules were asked for
mnot: ok
### for render as complete or consider as complete
kevin falk: are you prohibited from using particular code blocks to users?
rf: the important consideration is that the user is able to learn that the
information is incomplete
julian r: that is getting ignored in practice
brian smith: we (Mozilla) ignore this requirement, pages are already displayed
mnot: would it be OK to show status in the web console?
rf: not really
bs: there are UX considerations that make this more difficult than it
would appear
bs: there's not much difference between XHR and the render as HTTP clients
jr: we could add an indicator
ted hardie: visual indicators are not necessarily universally applicable
rpeon: there is a lot of confusion stemming from this statement,
prefer the parenthetical
bsmith: no idea about how XHR works, though it does have streaming
modes; script developers are important
will chan: chrome ux people didn't like the idea of having something in chrome
rf: this is a safety/security feature
kfalk: incomplete !== error
julian: there is a related issue about truncated *downloads* (as in
"save as"); Eric Lawrence once blogged about it
(<http://blogs.msdn.com/b/ieinternals/archive/2011/03/09/browsers-accommodate-incorrect-http-content-length-and-sites-depressingly-depend-on-it.aspx>)
pmcm: rathole, we (Moz) do very little prescribed error handling and
it's strange spending time on this when there are many others; tried
to rollback rendering when MD5 sum failed, got immense push back
mnot: maybe this should be prose
ACTION: Roy to make this prose text in the security considerations
#### whitespace tolerance in headers and the requirement
to product a 400 when the message doesn't match the grammar
#### no enumeration for the hop-by-hop headers that are not required to be
added to Connection header.
rf: this will be forwarded if they aren't in the connection header;
having a list would cause problems with intermediaries that pass these
mnot: this could surprise some people and should be called out
rf: this should be noted as a change from 2616
jr: we already have this
mnot: we probably need a callout for this one
rf: I'm trying to reduce the number of occurences of this; they don't
help the people reading the document for the first time
Server Ranges
-------------
<http://tools.ietf.org/html/draft-kfall-httpbis-server-ranges-00>
mnot: this doesn't really mess with semantics, it only messes with
intermediaries to the extent that range requests are hard to do anyhow
mnot: streaming and ranges require the complete size to be known,
changing the length would not be possible
kfall: that is not part of the proposal
pleach: does this work with unmodified implementations?
kfall: not known
pleach: profile...
mtho: prefer might help to signal (all/some)
mnot/kfall: makes sense
bsmith: if the server provided less, would we be able to render it?
the spec seems arranged around the idea of a "complete message", this
might need to be re-addressed
mnot: disagree, this should be addressed and if you can find something
that isn't, please bring it up
rf: yes
kfall: what now?
rf: how much testing have you done with clients that expected the bits
that they requested?
kfall: that's in part why we asked
rf: testing first might determine how to proceed with this, if this
kills an existing client, then this is a no-go
mnot: 206 is close enough
mnot: mumble, mumble, vary...
rf: vary isn't so relevant in this case, it's for selecting representations
mnot: fine
ACTION: kfall to review -p5
draft-fielding-http-key-01
--------------------------
A not-dumb Vary header
roy outlines the idea that you can make a request without headers to
avoid the fingerprinting thing, detect the variances that might occur,
then make more requests
cyrus daboo: key == too generic
roy: I don't care if its confusing, and number of bytes on the wire
jr: application/*+json, globbing conneg
roy: no, breaks stuff
Session II
==========
ticket #385: upgrade mechanism
------------------------------
<http://trac.tools.ietf.org/wg/httpbis/trac/ticket/385>
### TLS Upgrade for HTTPS URIs
See thread rooted here: http://lists.w3.org/Archives/Public/ietf-http-wg/2012OctDec/0143.html
mnot will send the message suggested in that above message to the tls chairs
and show up in the TLS session this afternoon
### Upgrade for HTTP URIs
Gabriel M. is going to present on upgrade-based negotiation for http/2.0 --
which is one approach to addressing the issues in the "http uris" section of
the issues outlined in the
<http://lists.w3.org/Archives/Public/ietf-http-wg/2012OctDec/0143.html> mail
msg
roy at mike: don't need to prefix the header fields; they're just header fields
mnot: it's side channel info, for optimizing
roy: as soon as sent in http1.1 they're just a header field, register them,
don't need prefix
jhil: would those http2 things get stripped out?
gabriel m (gm): yes
<mbelshe> mic: have any tests been run to confirm viability in the wild? as
presented before, data shows port 80 has trouble with non-http1.1 protocols.
or do we just want to ignore that?
mnot to mike belshe (mb) -- we're getting there
gm @mic: <discussing fine points of upgrade>
phb@mic: 1st thing is successful upgrade, 2nd thing is what to do if it fails
jhil: is there a timing issue with expect 100 continue ?
mnot: do an upgrade and combine with expectation?
roy: wouldn't normally do that. the 1st request you make shouldn't be a large
state changing operation
roy: so you send options or GET first (so it's not a packet loss issue)
jhil: so perhaps need note about that in spec
mnot: discussion we need to have is whether a upgrade like this is workable
for us -- in hybi they figured that about 70% conns using this would be
successful, rest would fail
fielding: you don't upgrade a request while sending a large body and Expect
100-continue -- it is simply not a use case that is relevant. It might work
quite well, but it simply isn't worth being concerned about.
mnot: so perhaps deploying using this it'd encourage the internet to upgrade,
but only if we have fast failure fallback
patrick mcmanus (pm) @mic : in FF, doing 6455 (?) the TLS success rates are
substantially better than the plain success rates. Roughly 80% with TLS, maybe
almost 70% with plain HTTP
<Eliot Lear> mic: what did success mean in this case?
salvatore@mic: its true we had not so good success rate with plain upgrade,
but lots of boxes will be upgraded, and they (?) just relaeased boxes with
spdy support and [we'll see what happens (?)]
mnot: there'll be several versions of the protocol out there because we're
going to try various approaches
mnot: the upgrade mech needs certain capabilities, eg supporting opportunistic
use of TLS
mnot: calling for data on how upgrades are working -- with data we have now,
it seems if we design this thing well it';ll either succeed or fail fast ----
wondering about what folks thing whegther we should go down "this path"
<Eliot Lear> mic: should pursue this path, but need more data.
pm: let's talk about the other approaches
mnot: ok, another approach is "Using a SRV (or other DNS) record" (from
<http://lists.w3.org/Archives/Public/ietf-http-wg/2012OctDec/0143.html>
mnot: have heard that there is general interest in using DNS as a mech, and do
folks think we shouldn't use SRV?
<Eliot Lear> Mic: NOT in favor of SRV.
ekr: this is 1st time mention srv, realise that the TLS server id check you do
is with name you started with, not with the one srv gives you
mnot: yes
jeffh: <thinks rfc6125 discusses this>
<Eliot Lear> Mic: What are the goals? Please be specific!!
<mbelshe> mic: is there a serious proposal around srv? or is this at the
brainstorm stage?
mnot: we're at the brainstorm stage
cyrus d (cd) @mic: i get http://example.com and running http/2 on that, but on
example.com:88 running http/1 ....
pm: if uri contains port, then we're not going to do the srv lookup (?)
phb@mic: the dns is where u make assns re names; should bind names & prots "in
dns"; there's practical issues with doing this; in how clients use dns; don't
nec use srv; want to use dnssec; so going to use "new dns" world anyway; and
so may want srv+ <eg need to invent new dns stuff>
pm: this is more work everywhere, u can set this up; and so in one round trip
get all info u need, can mux with this btwn http 1 & 2 and whatever, <missed
stuff> so this approach gives some nice benefits
? @mic: if u get a diff port from srv, do you use that?
mnot: there's a lot sec related concerns here need to be careful
eric nygren (en): having srv records would be an advantage; addtnl benefit is
having sep servers handling http/1 and http/2 -- help deployment
mnot: inclined to say this (srv/dns stuff) will be a work item for us
mnot: upgrade mech should start in main draft ...3d mech " 2) Using a response
header to hint that HTTP/2 is available on another port" from
<http://lists.w3.org/Archives/Public/ietf-http-wg/2012OctDec/0143.html>
<Eliot Lear> ted: there are still often many different http servers running on
different ports of the same host
roberto: <comment about upgrade detail>
Martin Thomson: Enumeration is: TLS nextproto, HTTP upgrade, srv or other DNS
record, alternate-protocol header
mnot: start developing DNS based, and a response header based mechanism as
well. Selected editors for core HTTP work, Martin Thompson, Aleksy Melnikov,
and Julian Resshke will be helping out
Eliot Lear: I volunteer to develop at least one DNS-based proposal
mnot: don't want to put all work on them
header compression
------------------
<http://trac.tools.ietf.org/wg/httpbis/trac/wiki/HTTP2Compression>
Herve Ruellan slides on HTTP Header Encoding Results
http://www.ietf.org/proceedings/85/slides/slides-85-httpbis-1.pdf
jhil: think about impact on mobile devices such as power required ?
agl @mic: so now spdy compression has issues with trying to avoid crime attack
rp: but its still useful as baseline
mnot: see github.com/http2/http_samples - this is a corpus of header samples;
har files from pcap captures.
cd: what about webdav et al?
mnot: if you want to submit traces for that, please do
jhil: prob need some enterprise traces because of strange cross-domain cookies
we see, but need to anon them
mnot: ... but not concerned about pathological cases
jhil: but might help show which compress scheme is better
mnot: next thing come up with script that analyses this stuff, and eg can emit
a pathological case, and then run compression algs on it and see how it works
rp: can do this in python & work with mnot
roy: http2 is not a minor hack -- need to do it carefully -- perhaps we should
have better encoding for header fields, eg cookies are huge, this could be
binary, if we define an encoding, then can encode cookies when sending over
http and get diff comp results
mnot: we can define new headers that have diff encodings eg binary, and then
downgrade them to eg txt when sending over http/1
roy: a cook header field, obviously can't change that due to existing
browsers, but browsers just store it and replay it; new thing doesn't have to
be compat with existing cookies, so if svr has choice to send short cook
rather than long one....
mnot: two diff things here, one is http1 <-- > http/2 <--> http/1 w/o loss;
the other is doing stuff in http/2 that are new ( and then needing to
downgrade new stuff into http/1 as nec )
mnot: if u can compress a bunch of requests down to fit in one underlying pkt,
then that's very powerful, esp in mobile world; inclined to keep that in mind
when selecting compression approach; .need to keep memory & cpu & power
overheads in mind
rp @mic: web app developers shouldn't have to opt their site to "make it fast"
-- rather should make protocol fast
mnot: yes
phb: what about patent issues in compression?
mnot: they'll have to disclose
phb: if u make disclosure call now it has implications down the road
mnot: we'll deal with that later
mnot: we prob won't choose perfect comp mech for all time, thus negotiate comp
mech?
mnot: if upgrade mech is adequate, then can include comp mech in that, but if
too much optionality there, that's interop probs
mnot: would be nice if can put it into debug mode to see stuff on wire -- so
question to be able to turn comp on/off ?; .thoughts on this?
rp: perhaps can put stuff in there to make debugging "easy" rather than "turn
it off"
mnot: roberto wants to talk about http/w compression
http://tools.ietf.org/html/draft-rpeon-httpbis-header-compression-00
roy: yes, the compression ratio gets better if you send garbage on the wire
roy: notes that a fixed id space is essentially a registry in machine readable
form
rp: yes; but its not a reg that needs to be maintained after its created
martin thompson (mt): dont understand where huffman encoding comes into play?
rp: draft needs work; what is huffman coded is the text in the headers. ran
analysis over sample of headers, and then used that to gen id space
<PHB> seems to me that we are maybe doing this the wrong way
rp: hopefully impl code for this is better to understand than the I-D at this
point :)
mnot: so we know sorta where we going on compression stuff, want to get impls
plugged into the http2 namespace on github -- the more visible we can make
this the better
<Martin Thomson> the question was: do you have a note well on the repo
#387: server push
-----------------
We need more data / experience.
Other Issues
------------
### Flow Control
gabriel montenegro (gm) -- flow control principles for http 2
hildjj: we need TSV help for this part.
roy: init exchange over tcp, client begins; with this do you expect server to
send anything first wrt state?
gm: in spdy there's default 64k per stream
rp: basically need default for safety reasons, but a better FC mech than spdy3
exists, hopefully will be proposed, can make larger than 64k by defualt
ted hardie(th): what impact if doing multipath tcp under this?
gm: yes need to figure out interaction with newish tcp stuff under it
mnot: is FC tightly bound to what xport's properties are?
gm: yes
rp: <nods yes>
jhil: we need early involvement by transport folks, don't wanna make buffer
bloat worse
rp: don't think that's possible
will chan (wc): would hope that FC in http/2 doesn't subvert xport FC; want to
make sure we saturate link; this should be one of the principles
gm: thinks link saturation depends on how the <sliding window / credits >
work; don't have to solve now
alison mankin (am): if receiver has FC turned off by intermediary, that messes
stuff up.
gm: but receiver controls it for his hop. is concerned about middleboxes at
http layer; at that layer the proxy has to heed what endpoint (receiver)
wishes. still concerned on traps that may be there
rp: there's finite buffering available for entire path length; if receiver
says stop, it'll stop eventually; but as soon as an intermediate is in the
path, they have influence on FC
gm: we need to codify the rules in the base spec
mnot: gm will have draft coming out, please review. FC will get a new issue #
### Priorities
pm: priorities need discussion
mnot: will create issue for that (framing, diff frame sizes)
rp: want to agree and disagree wrt priortzn stuff -- need more experimentation
mnot: sure, may defer disc of these issues, but want to get em written down
### Mapping to TCP
eric nygren (en): mapping to tcp -- need to disc
mnot: yes, need optional draft on "how i use tcp"
rp: agree with en that'll be issue, might wanna address earlier, need to get
sec folk thinking about that
en: also has implications for prototcol upgrade mech, signalling may make this
easier or harder
### Framing
gm: did u raise issue on framing itself?
mnot: it will get raised; specific concern; useful for e.g., sendfile()
Wrapup
------
mnot: am gratified to see folks working on drafts; continue doing that; will
use wiki to record current state of proposals; interlink to issue #s; will
also use github; will hand out access to (sub) repositories; the actual drafts
will be in ietf subversion service;
mnot: f2f meetings are effective for work like this, involves lots of folks,
need to confirm decisions on list, tho possiblities of interim meetings, may
be good idea here in earlier phase like this, current plan is interim mtg in
Jan 2013, 2..3 days, offer from Ian Fette to host in Tokyo, need to get dates,
maybe mid Jan to early Feb, pls send dates ideas to mnot
mnot: any more biz ?
phb: discussing compression -- was of msgs, not conversations -- in mobile --
sending "pages" with lists of links --- but maybe do html-conscious
compression ?
jhil: don't we get some of that with svr push?
en: if start with http1, include an encoded blob of handshake framing?
mnot: that's in category of cool tricks we could play.
mnot: keep drafts coming, will send minutes out soon, if hold this interim
mtg, want to make it useful
adjourned