The ORIGIN HTTP/2 Frame
draft-ietf-httpbis-origin-frame-06
Revision differences
Document history
Date | Rev. | By | Action |
---|---|---|---|
2018-03-20
|
06 | (System) | RFC Editor state changed to AUTH48-DONE from AUTH48 |
2018-02-26
|
06 | (System) | RFC Editor state changed to AUTH48 from RFC-EDITOR |
2018-02-14
|
06 | (System) | RFC Editor state changed to RFC-EDITOR from EDIT |
2018-01-22
|
06 | (System) | IANA Action state changed to RFC-Ed-Ack from Waiting on RFC Editor |
2018-01-22
|
06 | (System) | IANA Action state changed to Waiting on RFC Editor from Waiting on Authors |
2018-01-16
|
06 | (System) | IANA Action state changed to Waiting on Authors from In Progress |
2018-01-16
|
06 | (System) | RFC Editor state changed to EDIT |
2018-01-16
|
06 | (System) | IESG state changed to RFC Ed Queue from Approved-announcement sent |
2018-01-16
|
06 | (System) | Announcement was received by RFC Editor |
2018-01-15
|
06 | (System) | IANA Action state changed to In Progress |
2018-01-15
|
06 | Cindy Morgan | IESG state changed to Approved-announcement sent from Approved-announcement to be sent::AD Followup |
2018-01-15
|
06 | Cindy Morgan | IESG has approved the document |
2018-01-15
|
06 | Cindy Morgan | Closed "Approve" ballot |
2018-01-15
|
06 | Cindy Morgan | Ballot approval text was generated |
2018-01-13
|
06 | Mark Nottingham | New version available: draft-ietf-httpbis-origin-frame-06.txt |
2018-01-13
|
06 | (System) | New version approved |
2018-01-13
|
06 | (System) | Request for posting confirmation emailed to previous authors: Erik Nygren , Mark Nottingham |
2018-01-13
|
06 | Mark Nottingham | Uploaded new revision |
2018-01-13
|
06 | Mark Nottingham | Uploaded new revision |
2018-01-11
|
05 | (System) | Sub state has been changed to AD Followup from Revised ID Needed |
2018-01-11
|
05 | Mark Nottingham | New version available: draft-ietf-httpbis-origin-frame-05.txt |
2018-01-11
|
05 | (System) | New version approved |
2018-01-11
|
05 | (System) | Request for posting confirmation emailed to previous authors: Erik Nygren , Mark Nottingham |
2018-01-11
|
05 | Mark Nottingham | Uploaded new revision |
2018-01-11
|
05 | Mark Nottingham | Uploaded new revision |
2018-01-11
|
04 | Tero Kivinen | Closed request for Last Call review by SECDIR with state 'No Response' |
2018-01-11
|
04 | Cindy Morgan | IESG state changed to Approved-announcement to be sent::Revised I-D Needed from IESG Evaluation |
2018-01-10
|
04 | Suresh Krishnan | [Ballot Position Update] New position, No Objection, has been recorded for Suresh Krishnan |
2018-01-10
|
04 | Deborah Brungard | [Ballot Position Update] New position, No Objection, has been recorded for Deborah Brungard |
2018-01-10
|
04 | Kathleen Moriarty | [Ballot comment] I'm in agreement with Adam on his first comment and am watching the thread for a resolution. Whether or not there is a … [Ballot comment] I'm in agreement with Adam on his first comment and am watching the thread for a resolution. Whether or not there is a change, more text is clearly needed in the draft. |
2018-01-10
|
04 | Kathleen Moriarty | Ballot comment text updated for Kathleen Moriarty |
2018-01-10
|
04 | Alexey Melnikov | IESG state changed to IESG Evaluation from Waiting for Writeup |
2018-01-09
|
04 | Ben Campbell | [Ballot comment] I share Adam's concern about removing the need for the DNS check and his question about wildcards. -2, first sentence: I originally read … [Ballot comment] I share Adam's concern about removing the need for the DNS check and his question about wildcards. -2, first sentence: I originally read this as citing RFC 7540 for "Origin HTTTP/2 frame" rather than just "HTTP/2 frame". That is, of course, non-sensical, but the wording seems ambiguous. |
2018-01-09
|
04 | Ben Campbell | [Ballot Position Update] New position, No Objection, has been recorded for Ben Campbell |
2018-01-09
|
04 | Adam Roach | [Ballot comment] This seems a good mechanism overall. The security property of no longer requiring DNS checks seems a slight bit troublesome, as it (as … [Ballot comment] This seems a good mechanism overall. The security property of no longer requiring DNS checks seems a slight bit troublesome, as it (as the draft acknowledges) makes mounting an attack significantly easier: all that is required is exploiting a CA, rather than the two-step process of doing that plus hijacking DNS in some way. Was there consideration given to advising that implementations perform DNS checks after the fact? This would provide the latency benefits this mechanism is defined for while allowing at least for detection of origin hijacking. Is the omission of wildcard-style origins intentional? Or was this an oversight? It seems that being able to, e.g., send an ORIGIN frame that claims authority over "https://*.blogspot.com:443" would be far more efficient than blasting out the several million or so origins that such machines would be authoritative for (yes, I know this won't be done in practice -- such domains simply won't be able reap the benefits of this mechanism). Ideally, I'd like to see text in here explaining why wildcards shouldn't be specified, or indicating that they might be specified in a future document. Minor nit in Appendix B: Generally, this information is most useful to send before sending any part of a response that might initiate a new connection; for example, "Link" headers [RFC5988] in a response HEADERS, or links in the response body. Presumably, this should reference [RFC8288]. |
2018-01-09
|
04 | Adam Roach | [Ballot Position Update] New position, No Objection, has been recorded for Adam Roach |
2018-01-09
|
04 | Alia Atlas | [Ballot Position Update] New position, No Objection, has been recorded for Alia Atlas |
2018-01-09
|
04 | Alissa Cooper | [Ballot Position Update] New position, No Objection, has been recorded for Alissa Cooper |
2018-01-08
|
04 | Alvaro Retana | [Ballot Position Update] New position, No Objection, has been recorded for Alvaro Retana |
2018-01-08
|
04 | Warren Kumari | [Ballot comment] Please also see Jouni Korhonen's OpsDir review for nits and similar. |
2018-01-08
|
04 | Warren Kumari | [Ballot Position Update] New position, No Objection, has been recorded for Warren Kumari |
2018-01-08
|
04 | Spencer Dawkins | [Ballot comment] I don't object to publishing this document, but I do have an honest question. Is OCSP sufficiently robust and stable that you're expecting … [Ballot comment] I don't object to publishing this document, but I do have an honest question. Is OCSP sufficiently robust and stable that you're expecting OCSP checks to work as a security mitigation? I remember some concerns about that in the SIP community, probably three years ago, and thought I should ask before the document is approved. |
2018-01-08
|
04 | Spencer Dawkins | [Ballot Position Update] New position, No Objection, has been recorded for Spencer Dawkins |
2018-01-08
|
04 | Mirja Kühlewind | [Ballot Position Update] New position, No Objection, has been recorded for Mirja Kühlewind |
2018-01-06
|
04 | Eric Rescorla | [Ballot comment] The ORIGIN HTTP/2 frame ([RFC7540], Section 4) allows a server to indicate what origin(s) [RFC6454] the server … [Ballot comment] The ORIGIN HTTP/2 frame ([RFC7540], Section 4) allows a server to indicate what origin(s) [RFC6454] the server would like the client to The citation here is to the frame format. I think you could make this clearer and also point the user to that section for the conventions, The ORIGIN frame type is 0xc (decimal 12), and contains zero to many Origin-Entry. Nit: "zero or more" is conventional serialization of an origin ([RFC6454], Section 6.2) that the sender believes this connection is or could be authoritative for. What are the semantics of a zero-length origin entry? It seems like an odd thing to allow. Note that for a connection to be considered authoritative for a given origin, the client is still required to obtain a certificate that passes suitable checks; see [RFC7540] Section 9.1.1 for more "Obtain" seems confusing here. Perhaps "the server is still required to authenticate using" viable connection to an origin open at any time. When this occurs, clients SHOULD not emit new requests on any connection whose Origin Set is a proper subset of another connection's Origin Set, and SHOULD Nit: SHOULD NOT |
2018-01-06
|
04 | Eric Rescorla | [Ballot Position Update] New position, No Objection, has been recorded for Eric Rescorla |
2018-01-06
|
04 | Alexey Melnikov | [Ballot comment] Need to chase minor changes based on AD review: some small changes were promised by editors. IDNits reports: ** Downref: Normative reference to … |
2018-01-06
|
04 | Alexey Melnikov | Ballot comment text updated for Alexey Melnikov |
2018-01-06
|
04 | Alexey Melnikov | [Ballot comment] Need to chase minor changes based on AD review: some small changes were promised by editors. |
2018-01-06
|
04 | Alexey Melnikov | Ballot comment text updated for Alexey Melnikov |
2018-01-06
|
04 | Alexey Melnikov | Ballot has been issued |
2018-01-06
|
04 | Alexey Melnikov | [Ballot Position Update] New position, Yes, has been recorded for Alexey Melnikov |
2018-01-06
|
04 | Alexey Melnikov | Created "Approve" ballot |
2018-01-06
|
04 | Alexey Melnikov | Ballot writeup was changed |
2017-12-01
|
04 | Jouni Korhonen | Request for Last Call review by OPSDIR Completed: Has Nits. Reviewer: Jouni Korhonen. Sent review to list. |
2017-11-30
|
04 | Alexey Melnikov | Placed on agenda for telechat - 2018-01-11 |
2017-11-30
|
04 | (System) | IESG state changed to Waiting for Writeup from In Last Call |
2017-11-29
|
04 | (System) | IANA Review state changed to IANA - Not OK from IANA - Review Needed |
2017-11-29
|
04 | Amanda Baber | (Via drafts-lastcall@iana.org): IESG/Authors/WG Chairs: The IANA Services Operator has completed its review of draft-ietf-httpbis-origin-frame-04. If any part of this review is inaccurate, please let … (Via drafts-lastcall@iana.org): IESG/Authors/WG Chairs: The IANA Services Operator has completed its review of draft-ietf-httpbis-origin-frame-04. If any part of this review is inaccurate, please let us know. The IANA Services Operator understands that, upon approval of this document, there is a single action which we must complete. However, there is a problem with the way this action is currently described in the document. In the HTTP/2 Frame Type registry on the Hypertext Transfer Protocol version 2 (HTTP/2) Parameters registry page located at https://www.iana.org/assignments/http2-parameters/ a single new Frame Type will be registered as follows: Code: [ TBD-at-registration ] Frame Type: ORIGIN Reference: [ RFC-to-be ] The problem is that the authors have stated that the value for this assignment is 0xc, but we can't reserve values or guarantee that that value will be assigned. If another document requesting 0xc or the next two available values were to be approved for publication first, we would have to assign value 0xc to that document. Either this document should note that 0xc is a suggested value, or the chairs (with WG and AD approval) should submit a request for the early allocation of 0xc, as described in Section 3 of RFC 7120. An early allocation lasts for one year and can be renewed for one additional year. Further renewals would require IESG approval. If this message does not accurately describe the registry actions requested by the document, please contact us. Thank you, Amanda Baber Lead IANA Services Specialist |
2017-11-25
|
04 | Brian Carpenter | Request for Last Call review by GENART Completed: Ready with Issues. Reviewer: Brian Carpenter. Sent review to list. |
2017-11-23
|
04 | Jean Mahoney | Request for Last Call review by GENART is assigned to Brian Carpenter |
2017-11-23
|
04 | Jean Mahoney | Request for Last Call review by GENART is assigned to Brian Carpenter |
2017-11-21
|
04 | Gunter Van de Velde | Request for Last Call review by OPSDIR is assigned to Jouni Korhonen |
2017-11-21
|
04 | Gunter Van de Velde | Request for Last Call review by OPSDIR is assigned to Jouni Korhonen |
2017-11-18
|
04 | Tero Kivinen | Request for Last Call review by SECDIR is assigned to Sandra Murphy |
2017-11-18
|
04 | Tero Kivinen | Request for Last Call review by SECDIR is assigned to Sandra Murphy |
2017-11-16
|
04 | Amy Vezza | IANA Review state changed to IANA - Review Needed |
2017-11-16
|
04 | Amy Vezza | The following Last Call announcement was sent out (ends 2017-11-30): From: The IESG To: IETF-Announce CC: httpbis-chairs@ietf.org, draft-ietf-httpbis-origin-frame@ietf.org, mcmanus@ducksong.com, ietf-http-wg@w3.org, alexey.melnikov@isode.com … The following Last Call announcement was sent out (ends 2017-11-30): From: The IESG To: IETF-Announce CC: httpbis-chairs@ietf.org, draft-ietf-httpbis-origin-frame@ietf.org, mcmanus@ducksong.com, ietf-http-wg@w3.org, alexey.melnikov@isode.com, Patrick McManus Reply-To: ietf@ietf.org Sender: Subject: Last Call: (The ORIGIN HTTP/2 Frame) to Proposed Standard The IESG has received a request from the Hypertext Transfer Protocol WG (httpbis) to consider the following document: - 'The ORIGIN HTTP/2 Frame' as Proposed Standard The IESG plans to make a decision in the next few weeks, and solicits final comments on this action. Please send substantive comments to the ietf@ietf.org mailing lists by 2017-11-30. Exceptionally, comments may be sent to iesg@ietf.org instead. In either case, please retain the beginning of the Subject line to allow automated sorting. Abstract This document specifies the ORIGIN frame for HTTP/2, to indicate what origins are available on a given connection. Note to Readers Discussion of this draft takes place on the HTTP working group mailing list (ietf-http-wg@w3.org), which is archived at https://lists.w3.org/Archives/Public/ietf-http-wg/. Working Group information can be found at http://httpwg.github.io/; source code and issues list for this draft can be found at https://github.com/httpwg/http-extensions/labels/origin-frame. The file can be obtained via https://datatracker.ietf.org/doc/draft-ietf-httpbis-origin-frame/ IESG discussion can be tracked via https://datatracker.ietf.org/doc/draft-ietf-httpbis-origin-frame/ballot/ No IPR declarations have been submitted directly on this I-D. |
2017-11-16
|
04 | Amy Vezza | IESG state changed to In Last Call from Last Call Requested |
2017-11-16
|
04 | Alexey Melnikov | Last call was requested |
2017-11-16
|
04 | Alexey Melnikov | Last call announcement was generated |
2017-11-16
|
04 | Alexey Melnikov | Ballot approval text was generated |
2017-11-16
|
04 | Alexey Melnikov | Ballot writeup was generated |
2017-11-16
|
04 | Alexey Melnikov | IESG state changed to Last Call Requested from AD Evaluation |
2017-11-16
|
04 | Alexey Melnikov | IESG state changed to AD Evaluation from Publication Requested |
2017-11-03
|
04 | Patrick McManus | # Shepherd Writeup for The ORIGIN HTTP/2 Frame ## 1. Summary Patrick McManus is the document shepherd; Alexey Melnikov is the responsible Area Director. This … # Shepherd Writeup for The ORIGIN HTTP/2 Frame ## 1. Summary Patrick McManus is the document shepherd; Alexey Melnikov is the responsible Area Director. This document creates an [HTTP/2](https://tools.ietf.org/html/rfc7540) extension for finer grained control of connection management than is provided by the base HTTP/2 specification. In this context that specifically means the set of origin names that may be served on one connection. The document provides for changing that set to be both smaller or larger than the default. ## 2. Review and Consensus Participation in the document's review and discussion was unusually broad based with members of the community from many roles taking part (browsers, servers, CDNs, security engineers, etc..). There is broad agreement that the functionality provides benefits to HTTP latency, efficiency, and administrative flexibility. Two key aspects of the draft, the ability to remove origin names from the default set and the syntax to manage the set, underwent several iterations based on the working group's feedback and arrived at a strong consensus. The aspects of this document dealing with the relationship of HTTPS connection management and DNS were the most controversial and required the most change to reach consensus. This mechanism addresses experience with RFC 7540 which shows the existing DNS based mechanism is administratively onerous and error prone. The change also has benefits for performance and confidentiality. On the other hand, the change increases the importance of proper certificate security because key compromise can now be exploited without being an on-path attacker. The final position of the draft is that an Origin extension relaxes the requirements for name resolution (but never certificate verification) if a client concludes the new risks are mitigated by alternative signals that boost confidence in the certificate. The Security Considerations deals with the topic at some length. This position reached rough consensus. There are statements of intent to implement from browser, servers, and CDNs. There is an existing browser implementation. ## 3. Intellectual Property Each author has stated that their direct, personal knowledge of any IPR related to this document has already been disclosed, in conformance with BCPs 78 and 79. No IPR disclosures have been submitted regarding this document. ## 4. Other Points The IANA Considerations are clear and there are no downward references. |
2017-11-03
|
04 | Patrick McManus | Responsible AD changed to Alexey Melnikov |
2017-11-03
|
04 | Patrick McManus | IETF WG state changed to Submitted to IESG for Publication from WG Consensus: Waiting for Write-Up |
2017-11-03
|
04 | Patrick McManus | IESG state changed to Publication Requested |
2017-11-03
|
04 | Patrick McManus | IESG process started in state Publication Requested |
2017-11-03
|
04 | Patrick McManus | Changed document writeup |
2017-11-03
|
04 | Patrick McManus | Notification list changed to Patrick McManus <mcmanus@ducksong.com> |
2017-11-03
|
04 | Patrick McManus | Document shepherd changed to Patrick McManus |
2017-10-26
|
04 | Patrick McManus | IETF WG state changed to WG Consensus: Waiting for Write-Up from In WG Last Call |
2017-09-22
|
04 | Patrick McManus | Notification list changed to none from "Natasha Rooney" <nrooney@gsma.com> |
2017-09-22
|
04 | Patrick McManus | Document shepherd changed to (None) |
2017-09-12
|
04 | Patrick McManus | IETF WG state changed to In WG Last Call from WG Document |
2017-09-11
|
04 | Mark Nottingham | IETF WG state changed to WG Document from Parked WG Document |
2017-08-23
|
04 | Mark Nottingham | New version available: draft-ietf-httpbis-origin-frame-04.txt |
2017-08-23
|
04 | (System) | New version approved |
2017-08-23
|
04 | (System) | Request for posting confirmation emailed to previous authors: Erik Nygren , Mark Nottingham |
2017-08-23
|
04 | Mark Nottingham | Uploaded new revision |
2017-04-19
|
03 | Mark Nottingham | New version available: draft-ietf-httpbis-origin-frame-03.txt |
2017-04-19
|
03 | (System) | New version approved |
2017-04-19
|
03 | (System) | Request for posting confirmation emailed to previous authors: Erik Nygren , Mark Nottingham |
2017-04-19
|
03 | Mark Nottingham | Uploaded new revision |
2017-03-21
|
02 | Patrick McManus | Added to session: IETF-98: httpbis Fri-0900 |
2017-02-12
|
02 | Mark Nottingham | New version available: draft-ietf-httpbis-origin-frame-02.txt |
2017-02-12
|
02 | (System) | New version approved |
2017-02-12
|
02 | (System) | Request for posting confirmation emailed to previous authors: "Mark Nottingham" , "Erik Nygren" |
2017-02-12
|
02 | Mark Nottingham | Uploaded new revision |
2016-11-20
|
01 | Mark Nottingham | IETF WG state changed to Parked WG Document from WG Document |
2016-11-13
|
01 | Patrick McManus | Added to session: IETF-97: httpbis Tue-1330 |
2016-09-27
|
01 | Mark Nottingham | New version available: draft-ietf-httpbis-origin-frame-01.txt |
2016-09-27
|
01 | Mark Nottingham | New version approved |
2016-09-27
|
01 | Mark Nottingham | Request for posting confirmation emailed to previous authors: "Mark Nottingham" , "Erik Nygren" |
2016-09-27
|
01 | (System) | Uploaded new revision |
2016-05-09
|
00 | Mark Nottingham | Notification list changed to "Natasha Rooney" <nrooney@gsma.com> |
2016-05-09
|
00 | Mark Nottingham | Document shepherd changed to Natasha Rooney |
2016-05-09
|
00 | Mark Nottingham | Changed consensus to Yes from Unknown |
2016-05-09
|
00 | Mark Nottingham | Intended Status changed to Proposed Standard from None |
2016-05-09
|
00 | Mark Nottingham | This document now replaces draft-nottingham-httpbis-origin-frame instead of None |
2016-05-09
|
00 | Mark Nottingham | New version available: draft-ietf-httpbis-origin-frame-00.txt |