Opportunistic Security for HTTP/2
RFC 8164
Document history
Date | Rev. | By | Action |
---|---|---|---|
2021-12-10 | 11 | (System) | Received changes through RFC Editor sync (changed standardization level to Historic) |
2021-12-06 | 11 | Amy Vezza | New status of Historic approved by the IESG https://datatracker.ietf.org/doc/status-change-http-experiments-to-historic/ |
2017-05-19 | 11 | (System) | Received changes through RFC Editor sync (added Errata tag) |
2017-05-10 | 11 | (System) | Received changes through RFC Editor sync (created alias RFC 8164, changed abstract to 'This document describes how "http" URIs can be accessed using Transport Layer Security (TLS) and HTTP/2 to mitigate pervasive monitoring attacks. This mechanism is not a replacement for "https" URIs; it is vulnerable to active attacks.', changed pages to 10, changed standardization level to Experimental, changed state to RFC, added RFC published event at 2017-05-10, changed IESG state to RFC Published) |
2017-05-10 | 11 | (System) | RFC published |
2017-05-09 | 11 | (System) | RFC Editor state changed to AUTH48-DONE from AUTH48 |
2017-05-03 | 11 | (System) | RFC Editor state changed to AUTH48 from EDIT |
2017-04-21 | 11 | Gunter Van de Velde | Closed request for Last Call review by OPSDIR with state 'No Response' |
2017-03-21 | 11 | (System) | IANA Action state changed to RFC-Ed-Ack from Waiting on RFC Editor |
2017-03-21 | 11 | (System) | IANA Action state changed to Waiting on RFC Editor from Waiting on Authors |
2017-03-20 | 11 | (System) | IANA Action state changed to Waiting on Authors from In Progress |
2017-03-20 | 11 | (System) | RFC Editor state changed to EDIT |
2017-03-20 | 11 | (System) | IESG state changed to RFC Ed Queue from Approved-announcement sent |
2017-03-20 | 11 | (System) | Announcement was received by RFC Editor |
2017-03-20 | 11 | (System) | IANA Action state changed to In Progress |
2017-03-20 | 11 | Amy Vezza | IESG state changed to Approved-announcement sent from Approved-announcement to be sent::Point Raised - writeup needed |
2017-03-20 | 11 | Amy Vezza | IESG has approved the document |
2017-03-20 | 11 | Amy Vezza | Closed "Approve" ballot |
2017-03-20 | 11 | Amy Vezza | Ballot approval text was generated |
2017-03-17 | 11 | (System) | IANA Review state changed to Version Changed - Review Needed from IANA OK - Actions Needed |
2017-03-17 | 11 | Cindy Morgan | New version available: draft-ietf-httpbis-http2-encryption-11.txt |
2017-03-17 | 11 | (System) | Secretariat manually posting. Approvals already received |
2017-03-17 | 11 | Cindy Morgan | Uploaded new revision |
2017-03-16 | 10 | Cindy Morgan | IESG state changed to Approved-announcement to be sent::Point Raised - writeup needed from IESG Evaluation |
2017-03-16 | 10 | Stephen Farrell | [Ballot comment] Good to see this finished. I hope it sees good deployment. Thanks! |
2017-03-16 | 10 | Stephen Farrell | [Ballot Position Update] New position, Yes, has been recorded for Stephen Farrell |
2017-03-16 | 10 | Joel Jaeggli | [Ballot Position Update] New position, No Objection, has been recorded for Joel Jaeggli |
2017-03-15 | 10 | Ben Campbell | [Ballot comment] I'm balloting "yes", but I have a few minor comments: - Abstract: I agree with the GenART review that the limitations should be mentioned in the abstract, or at least early in the document. - Note to readers: Will this stay in the RFC? - Introduction: What is the nature of the experiment? Is there an expectation to promote it to standards track in the future? Even if the answer is "We need to get implementation/deployment experience", it's helpful to say "out loud". |
2017-03-15 | 10 | Ben Campbell | [Ballot Position Update] New position, Yes, has been recorded for Ben Campbell |
2017-03-15 | 10 | Jari Arkko | [Ballot Position Update] New position, No Objection, has been recorded for Jari Arkko |
2017-03-15 | 10 | Suresh Krishnan | [Ballot Position Update] New position, No Objection, has been recorded for Suresh Krishnan |
2017-03-15 | 10 | Alia Atlas | [Ballot Position Update] New position, No Objection, has been recorded for Alia Atlas |
2017-03-15 | 10 | Deborah Brungard | [Ballot Position Update] New position, No Objection, has been recorded for Deborah Brungard |
2017-03-15 | 10 | Kathleen Moriarty | [Ballot Position Update] New position, No Objection, has been recorded for Kathleen Moriarty |
2017-03-15 | 10 | Alvaro Retana | [Ballot Position Update] New position, No Objection, has been recorded for Alvaro Retana |
2017-03-10 | 10 | Mirja Kühlewind | [Ballot Position Update] New position, No Objection, has been recorded for Mirja Kühlewind |
2017-03-08 | 10 | Alexey Melnikov | IESG state changed to IESG Evaluation from Waiting for Writeup |
2017-03-08 | 10 | Alexey Melnikov | Ballot has been issued |
2017-03-08 | 10 | Alexey Melnikov | [Ballot Position Update] New position, Yes, has been recorded for Alexey Melnikov |
2017-03-08 | 10 | Alexey Melnikov | Created "Approve" ballot |
2017-03-08 | 10 | Alexey Melnikov | Ballot writeup was changed |
2017-03-06 | 10 | (System) | IESG state changed to Waiting for Writeup from In Last Call |
2017-03-03 | 10 | Sabrina Tanamal | IANA Review state changed to IANA OK - Actions Needed from IANA - Not OK |
2017-03-03 | 10 | (System) | IANA Review state changed to IANA - Not OK from IANA - Review Needed |
2017-03-03 | 10 | Sabrina Tanamal | (Via drafts-lastcall@iana.org): IESG/Authors/WG Chairs: The IANA Services Operator has completed its review of draft-ietf-httpbis-http2-encryption-10.txt. If any part of this review is inaccurate, please let us know. The IANA Services Operator understands that, upon approval of this document, there is a single action which we must complete. In the Well-Known URIs registry located at: https://www.iana.org/assignments/well-known-uris/ a new registration will be made as follows: URI Suffix: http-opportunistic Change Controller: IETF Reference: [ RFC-to-be ] Related information: Date registered: [ TBD ] Because this registry requires Expert Review [RFC5226] for registration, we've contacted the IESG-designated expert in a separate ticket to request approval. Expert review should be completed before your document can be approved for publication as an RFC. The IANA Services Operator understands that this is the only action required to be completed upon approval of this document. Note: The actions requested in this document will not be completed until the document has been approved for publication as an RFC. This message is only to confirm what actions will be performed. Thank you, Sabrina Tanamal IANA Services Specialist PTI |
2017-03-02 | 10 | Tero Kivinen | Request for Last Call review by SECDIR Completed: Has Nits. Reviewer: Charlie Kaufman. |
2017-02-27 | 10 | Gunter Van de Velde | Request for Last Call review by OPSDIR is assigned to Tim Wicinski |
2017-02-27 | 10 | Gunter Van de Velde | Request for Last Call review by OPSDIR is assigned to Tim Wicinski |
2017-02-25 | 10 | Brian Carpenter | Request for Last Call review by GENART Completed: Ready with Issues. Reviewer: Brian Carpenter. Sent review to list. |
2017-02-23 | 10 | Jean Mahoney | Request for Last Call review by GENART is assigned to Brian Carpenter |
2017-02-23 | 10 | Jean Mahoney | Request for Last Call review by GENART is assigned to Brian Carpenter |
2017-02-23 | 10 | Tero Kivinen | Request for Last Call review by SECDIR is assigned to Charlie Kaufman |
2017-02-23 | 10 | Tero Kivinen | Request for Last Call review by SECDIR is assigned to Charlie Kaufman |
2017-02-22 | 10 | Alexey Melnikov | Placed on agenda for telechat - 2017-03-16 |
2017-02-20 | 10 | Cindy Morgan | IANA Review state changed to IANA - Review Needed |
2017-02-20 | 10 | Cindy Morgan | The following Last Call announcement was sent out: From: The IESG To: "IETF-Announce" CC: draft-ietf-httpbis-http2-encryption@ietf.org, alexey.melnikov@isode.com, ietf-http-wg@w3.org, httpbis-chairs@ietf.org, michael.bishop@microsoft.com Reply-To: ietf@ietf.org Sender: Subject: Last Call: (Opportunistic Security for HTTP) to Experimental RFC The IESG has received a request from the Hypertext Transfer Protocol WG (httpbis) to consider the following document: - 'Opportunistic Security for HTTP' as Experimental RFC The IESG plans to make a decision in the next few weeks, and solicits final comments on this action. Please send substantive comments to the ietf@ietf.org mailing lists by 2017-03-06. Exceptionally, comments may be sent to iesg@ietf.org instead. In either case, please retain the beginning of the Subject line to allow automated sorting. Abstract This document describes how "http" URIs can be accessed using Transport Layer Security (TLS) to mitigate pervasive monitoring attacks. Note to Readers Discussion of this draft takes place on the HTTP working group mailing list (ietf-http-wg@w3.org), which is archived at https://lists.w3.org/Archives/Public/ietf-http-wg/ . Working Group information can be found at http://httpwg.github.io/ ; source code and issues list for this draft can be found at https://github.com/httpwg/http-extensions/labels/opp-sec . The file can be obtained via https://datatracker.ietf.org/doc/draft-ietf-httpbis-http2-encryption/ IESG discussion can be tracked via https://datatracker.ietf.org/doc/draft-ietf-httpbis-http2-encryption/ballot/ No IPR declarations have been submitted directly on this I-D. |
2017-02-20 | 10 | Cindy Morgan | IESG state changed to In Last Call from Last Call Requested |
2017-02-20 | 10 | Cindy Morgan | Last call announcement was generated |
2017-02-19 | 10 | Alexey Melnikov | Last call was requested |
2017-02-19 | 10 | Alexey Melnikov | Last call announcement was generated |
2017-02-19 | 10 | Alexey Melnikov | Ballot approval text was generated |
2017-02-19 | 10 | Alexey Melnikov | Ballot writeup was generated |
2017-02-19 | 10 | Alexey Melnikov | IESG state changed to Last Call Requested from AD Evaluation |
2017-02-19 | 10 | Alexey Melnikov | IESG state changed to AD Evaluation from Publication Requested |
2017-02-19 | 10 | Alexey Melnikov | Changed consensus to Yes from Unknown |
2017-02-15 | 10 | Cindy Morgan | Notification list changed to michael.bishop@microsoft.com |
2017-02-15 | 10 | Mark Nottingham | # Shepherd Writeup for HTTP Opportunistic Security ## 1. Summary Mike Bishop is the document shepherd; Alexey Melnikov is the responsible Area Director. This document presents an experimental way to use [Alt-Svc](https://tools.ietf.org/html/rfc7838) to achieve opportunistic encryption connections to http:// schemed resources. While this does not offer the true security guarantees of the https:// scheme, it does improve resistance to passive surveillance by requiring some minimal level of active attack to defeat. ## 2. Review and Consensus The document has been closely reviewed and discussed by a small number of vocal participants, with a larger number of other participants adding occasional feedback. The community is generally divided about the utility of providing a tool which is so easily defeated by an active attacker, but there have been very few who believe this experiment would be detrimental. The primary concern voiced by dissenters has been that widespread deployment might provide a false sense of security, slowing the adoption of "real" HTTPS or confusing users. The restriction in section 4.1 was added to help mitigate this concern. RFC 7838 requires "reasonable assurances" that the alternative was under the control of the same authority as the origin. RFC 7838 defines only one means of having such assurance: possession of a TLS certificate for the origin. After much discussion, this draft maintains that definition and requires the use of fully verified certificates. The other item of particular concern around using RFC7838 with http:// URIs was server support for receiving requests for http:// schemed resources on ports configured to use TLS. While HTTP/1.1 might permit and HTTP/2 mandates the inclusion of the URL scheme with the request, it appears that almost no server implementations treat the included scheme as more authoritative than the port on which it was received. This is noted in section 4.4. As a result, the final version of this document prohibits the use of HTTP/1.1 and uses the .well-known resource as a server's self-certification that it can correctly distinguish such requests. A primary learning from experimentation with this draft will be to what degree this server behavior presents a deployment issue in the real world, and the degree to which servers will incorrectly claim this capability. There is a client implementation in Mozilla Firefox, though other browsers have expressed limited interest at this time. No explicit implementation of this draft is required in server software (the necessary resources and headers can be administratively configured). ## 3. Intellectual Property Each author has stated that their direct, personal knowledge of any IPR related to this document has already been disclosed, in conformance with BCPs 78 and 79. No IPR disclosures have been submitted regarding this document. ## 4. Other Points There are no downward references. The IANA Considerations are clear, and the Expert Reviewer for the affected registry is an author of this draft. |
2017-02-15 | 10 | Mark Nottingham | IETF WG state changed to Submitted to IESG for Publication from WG Consensus: Waiting for Write-Up |
2017-02-15 | 10 | Mark Nottingham | IESG state changed to Publication Requested from AD is watching |
2017-02-15 | 10 | Mark Nottingham | Tag Revised I-D Needed - Issue raised by WGLC cleared. |
2017-02-15 | 10 | Mark Nottingham | IETF WG state changed to WG Consensus: Waiting for Write-Up from Waiting for WG Chair Go-Ahead |
2017-02-15 | 10 | Mike Bishop | # Shepherd Writeup for HTTP Opportunistic Security ## 1. Summary Mike Bishop is the document shepherd; Alexey Melnikov is the responsible Area Director. This document presents an experimental way to use [Alt-Svc](https://tools.ietf.org/html/rfc7838) to achieve opportunistic encryption connections to http:// schemed resources. While this does not offer the true security guarantees of the https:// scheme, it does improve resistance to passive surveillance by requiring some minimal level of active attack to defeat. ## 2. Review and Consensus The document has been closely reviewed and discussed by a small number of vocal participants, with a larger number of other participants adding occasional feedback. The community is generally divided about the utility of providing a tool which is so easily defeated by an active attacker, but there have been very few who believe this experiment would be detrimental. The primary concern voiced by dissenters has been that widespread deployment might provide a false sense of security, slowing the adoption of "real" HTTPS or confusing users. The restriction in section 4.1 was added to help mitigate this concern. RFC 7838 requires "reasonable assurances" that the alternative was under the control of the same authority as the origin. RFC 7838 defines only one means of having such assurance: possession of a TLS certificate for the origin. After much discussion, this draft maintains that definition and requires the use of fully verified certificates. The other item of particular concern around using RFC7838 with http:// URIs was server support for receiving requests for http:// schemed resources on ports configured to use TLS. While HTTP/1.1 might permit and HTTP/2 mandates the inclusion of the URL scheme with the request, it appears that almost no server implementations treat the included scheme as more authoritative than the port on which it was received. This is noted in section 4.4. As a result, the final version of this document prohibits the use of HTTP/1.1 and uses the .well-known resource as a server's self-certification that it can correctly distinguish such requests. A primary learning from experimentation with this draft will be to what degree this server behavior presents a deployment issue in the real world, and the degree to which servers will incorrectly claim this capability. There is a client implementation in Mozilla Firefox, though other browsers have expressed limited interest at this time. No explicit implementation of this draft is required in server software (the necessary resources and headers can be administratively configured). ## 3. Intellectual Property Each author has stated that their direct, personal knowledge of any IPR related to this document has already been disclosed, in conformance with BCPs 78 and 79. No IPR disclosures have been submitted regarding this document. ## 4. Other Points There are no downward references. The IANA Considerations are clear, and the Expert Reviewer for the affected registry is an author of this draft. |
2017-01-31 | 10 | Martin Thomson | New version available: draft-ietf-httpbis-http2-encryption-10.txt |
2017-01-31 | 10 | (System) | New version approved |
2017-01-31 | 10 | (System) | Request for posting confirmation emailed to previous authors: "Mark Nottingham" , "Martin Thomson" |
2017-01-31 | 10 | Martin Thomson | Uploaded new revision |
2016-12-21 | 09 | Martin Thomson | New version available: draft-ietf-httpbis-http2-encryption-09.txt |
2016-12-21 | 09 | (System) | New version approved |
2016-12-21 | 09 | (System) | Request for posting confirmation emailed to previous authors: "Mark Nottingham" , "Martin Thomson" |
2016-12-21 | 09 | Martin Thomson | Uploaded new revision |
2016-11-13 | 08 | Patrick McManus | Added to session: IETF-97: httpbis Tue-1330 |
2016-10-31 | 08 | Martin Thomson | New version available: draft-ietf-httpbis-http2-encryption-08.txt |
2016-10-31 | 08 | (System) | New version approved |
2016-10-31 | 08 | (System) | Request for posting confirmation emailed to previous authors: "Mark Nottingham" , "Martin Thomson" |
2016-10-31 | 08 | Martin Thomson | Uploaded new revision |
2016-10-03 | 07 | Mark Nottingham | New version available: draft-ietf-httpbis-http2-encryption-07.txt |
2016-10-03 | 07 | (System) | New version approved |
2016-10-03 | 07 | (System) | Request for posting confirmation emailed to previous authors: "Mark Nottingham" , "Martin Thomson" |
2016-10-03 | 07 | Mark Nottingham | Uploaded new revision |
2016-07-18 | 06 | Alexey Melnikov | IESG process started in state AD is watching |
2016-07-18 | 06 | (System) | Earlier history may be found in the Comment Log for /doc/draft-nottingham-http2-encryption/ |
2016-07-11 | 06 | Mark Nottingham | Tag Revised I-D Needed - Issue raised by WGLC set. |
2016-07-11 | 06 | Mark Nottingham | IETF WG state changed to Waiting for WG Chair Go-Ahead from In WG Last Call |
2016-07-11 | 06 | Mark Nottingham | Changed document writeup |
2016-06-20 | 06 | Mark Nottingham | New version available: draft-ietf-httpbis-http2-encryption-06.txt |
2016-05-30 | 05 | Mark Nottingham | New version available: draft-ietf-httpbis-http2-encryption-05.txt |
2016-03-16 | 04 | Mark Nottingham | IETF WG state changed to In WG Last Call from WG Document |
2016-03-16 | 04 | Mark Nottingham | New version available: draft-ietf-httpbis-http2-encryption-04.txt |
2015-12-20 | 03 | Mark Nottingham | Notification list changed to "Mike Bishop" <michael.bishop@microsoft.com> |
2015-12-20 | 03 | Mark Nottingham | Document shepherd changed to Mike Bishop |
2015-12-17 | 03 | Martin Thomson | New version available: draft-ietf-httpbis-http2-encryption-03.txt |
2015-12-06 | 02 | Mark Nottingham | Document shepherd changed to (None) |
2015-10-14 | 02 | (System) | Notify list changed from "Mark Nottingham" to (None) |
2015-06-15 | 02 | Martin Thomson | New version available: draft-ietf-httpbis-http2-encryption-02.txt |
2015-02-10 | 01 | Mark Nottingham | Intended Status changed to Experimental from Proposed Standard |
2015-02-10 | 01 | Mark Nottingham | Notification list changed to "Mark Nottingham" <mnot@mnot.net> |
2015-02-10 | 01 | Mark Nottingham | Document shepherd changed to Mark Nottingham |
2015-02-10 | 01 | Mark Nottingham | Intended Status changed to Proposed Standard from None |
2014-12-15 | 01 | Martin Thomson | New version available: draft-ietf-httpbis-http2-encryption-01.txt |
2014-07-01 | 00 | Mark Nottingham | This document now replaces draft-nottingham-http2-encryption instead of None |
2014-06-14 | 00 | Martin Thomson | New version available: draft-ietf-httpbis-http2-encryption-00.txt |