Opportunistic Security for HTTP/2
RFC 8164

Document history

Date Rev. By Action
2021-12-10
11 (System) Received changes through RFC Editor sync (changed standardization level to Historic)
2021-12-06
11 Amy Vezza New status of Historic approved by the IESG
https://datatracker.ietf.org/doc/status-change-http-experiments-to-historic/
2017-05-19
11 (System) Received changes through RFC Editor sync (added Errata tag)
2017-05-10
11 (System)
Received changes through RFC Editor sync (created alias RFC 8164, changed abstract to 'This document describes how "http" URIs can be accessed using Transport …
Received changes through RFC Editor sync (created alias RFC 8164, changed abstract to 'This document describes how "http" URIs can be accessed using Transport Layer Security (TLS) and HTTP/2 to mitigate pervasive monitoring attacks.  This mechanism not a replacement for "https" URIs; it is vulnerable to active attacks.', changed pages to 10, changed standardization level to Experimental, changed state to RFC, added RFC published event at 2017-05-10, changed IESG state to RFC Published)
2017-05-10
11 (System) RFC published
2017-05-09
11 (System) RFC Editor state changed to AUTH48-DONE from AUTH48
2017-05-03
11 (System) RFC Editor state changed to AUTH48 from EDIT
2017-04-21
11 Gunter Van de Velde Closed request for Last Call review by OPSDIR with state 'No Response'
2017-03-21
11 (System) IANA Action state changed to RFC-Ed-Ack from Waiting on RFC Editor
2017-03-21
11 (System) IANA Action state changed to Waiting on RFC Editor from Waiting on Authors
2017-03-20
11 (System) IANA Action state changed to Waiting on Authors from In Progress
2017-03-20
11 (System) RFC Editor state changed to EDIT
2017-03-20
11 (System) IESG state changed to RFC Ed Queue from Approved-announcement sent
2017-03-20
11 (System) Announcement was received by RFC Editor
2017-03-20
11 (System) IANA Action state changed to In Progress
2017-03-20
11 Amy Vezza IESG state changed to Approved-announcement sent from Approved-announcement to be sent::Point Raised - writeup needed
2017-03-20
11 Amy Vezza IESG has approved the document
2017-03-20
11 Amy Vezza Closed "Approve" ballot
2017-03-20
11 Amy Vezza Ballot approval text was generated
2017-03-17
11 (System) IANA Review state changed to Version Changed - Review Needed from IANA OK - Actions Needed
2017-03-17
11 Cindy Morgan New version available: draft-ietf-httpbis-http2-encryption-11.txt
2017-03-17
11 (System) Secretariat manually posting. Approvals already received
2017-03-17
11 Cindy Morgan Uploaded new revision
2017-03-16
10 Cindy Morgan IESG state changed to Approved-announcement to be sent::Point Raised - writeup needed from IESG Evaluation
2017-03-16
10 Stephen Farrell [Ballot comment]

Good to see this finished. I hope it sees good deployment.
Thanks!
2017-03-16
10 Stephen Farrell [Ballot Position Update] New position, Yes, has been recorded for Stephen Farrell
2017-03-16
10 Joel Jaeggli [Ballot Position Update] New position, No Objection, has been recorded for Joel Jaeggli
2017-03-15
10 Ben Campbell
[Ballot comment]
I'm balloting "yes", but I have a few minor comments:

- Abstract: I agree with the GenART review that the limitations should be mentioned in the abstract, or at least early in the document.

- Note to readers: Will this stay in the RFC?

- Introduction: What is the nature of the experiment? Is there an expectation to promote it to standards track in the future? Even if the answer is "We need to get implementation/deployment experience", it's helpful to say "out loud".
2017-03-15
10 Ben Campbell [Ballot Position Update] New position, Yes, has been recorded for Ben Campbell
2017-03-15
10 Jari Arkko [Ballot Position Update] New position, No Objection, has been recorded for Jari Arkko
2017-03-15
10 Suresh Krishnan [Ballot Position Update] New position, No Objection, has been recorded for Suresh Krishnan
2017-03-15
10 Alia Atlas [Ballot Position Update] New position, No Objection, has been recorded for Alia Atlas
2017-03-15
10 Deborah Brungard [Ballot Position Update] New position, No Objection, has been recorded for Deborah Brungard
2017-03-15
10 Kathleen Moriarty [Ballot Position Update] New position, No Objection, has been recorded for Kathleen Moriarty
2017-03-15
10 Alvaro Retana [Ballot Position Update] New position, No Objection, has been recorded for Alvaro Retana
2017-03-10
10 Mirja Kühlewind [Ballot Position Update] New position, No Objection, has been recorded for Mirja Kühlewind
2017-03-08
10 Alexey Melnikov IESG state changed to IESG Evaluation from Waiting for Writeup
2017-03-08
10 Alexey Melnikov Ballot has been issued
2017-03-08
10 Alexey Melnikov [Ballot Position Update] New position, Yes, has been recorded for Alexey Melnikov
2017-03-08
10 Alexey Melnikov Created "Approve" ballot
2017-03-08
10 Alexey Melnikov Ballot writeup was changed
2017-03-06
10 (System) IESG state changed to Waiting for Writeup from In Last Call
2017-03-03
10 Sabrina Tanamal IANA Review state changed to IANA OK - Actions Needed from IANA - Not OK
2017-03-03
10 (System) IANA Review state changed to IANA - Not OK from IANA - Review Needed
2017-03-03
10 Sabrina Tanamal
(Via drafts-lastcall@iana.org): IESG/Authors/WG Chairs:

The IANA Services Operator has completed its review of draft-ietf-httpbis-http2-encryption-10.txt. If any part of this review is inaccurate, please let us know.

The IANA Services Operator understands that, upon approval of this document, there is a single action which we must complete.

In the Well-Known URIs registry located at:

https://www.iana.org/assignments/well-known-uris/

a new registration will be made as follows:

URI Suffix: http-opportunistic
Change Controller: IETF
Reference: [ RFC-to-be ]
Related information:
Date registered: [ TBD ]

Because this registry requires Expert Review [RFC5226] for registration, we've contacted the IESG-designated expert in a separate ticket to request approval. Expert review should be completed before your document can be approved for publication as an RFC.

The IANA Services Operator understands that this is the only action required to be completed upon approval of this document.

Note:  The actions requested in this document will not be completed until the document has been approved for publication as an RFC. This message is only to confirm what actions will be performed.

Thank you,

Sabrina Tanamal
IANA Services Specialist
PTI
2017-03-02
10 Tero Kivinen Request for Last Call review by SECDIR Completed: Has Nits. Reviewer: Charlie Kaufman.
2017-02-27
10 Gunter Van de Velde Request for Last Call review by OPSDIR is assigned to Tim Wicinski
2017-02-27
10 Gunter Van de Velde Request for Last Call review by OPSDIR is assigned to Tim Wicinski
2017-02-25
10 Brian Carpenter Request for Last Call review by GENART Completed: Ready with Issues. Reviewer: Brian Carpenter. Sent review to list.
2017-02-23
10 Jean Mahoney Request for Last Call review by GENART is assigned to Brian Carpenter
2017-02-23
10 Jean Mahoney Request for Last Call review by GENART is assigned to Brian Carpenter
2017-02-23
10 Tero Kivinen Request for Last Call review by SECDIR is assigned to Charlie Kaufman
2017-02-23
10 Tero Kivinen Request for Last Call review by SECDIR is assigned to Charlie Kaufman
2017-02-22
10 Alexey Melnikov Placed on agenda for telechat - 2017-03-16
2017-02-20
10 Cindy Morgan IANA Review state changed to IANA - Review Needed
2017-02-20
10 Cindy Morgan
The following Last Call announcement was sent out:

From: The IESG
To: "IETF-Announce"
CC: draft-ietf-httpbis-http2-encryption@ietf.org, alexey.melnikov@isode.com, ietf-http-wg@w3.org, httpbis-chairs@ietf.org, michael.bishop@microsoft.com
Reply-To: ietf@ietf.org
Sender:
Subject: Last Call:  (Opportunistic Security for HTTP) to Experimental RFC


The IESG has received a request from the Hypertext Transfer Protocol WG
(httpbis) to consider the following document:
- 'Opportunistic Security for HTTP'
  as Experimental RFC

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substantive comments to the
ietf@ietf.org mailing lists by 2017-03-06. Exceptionally, comments may be
sent to iesg@ietf.org instead. In either case, please retain the
beginning of the Subject line to allow automated sorting.

Abstract


  This document describes how "http" URIs can be accessed using
  Transport Layer Security (TLS) to mitigate pervasive monitoring
  attacks.

Note to Readers

  Discussion of this draft takes place on the HTTP working group
  mailing list (ietf-http-wg@w3.org), which is archived at
  https://lists.w3.org/Archives/Public/ietf-http-wg/ .

  Working Group information can be found at http://httpwg.github.io/ ;
  source code and issues list for this draft can be found at
  https://github.com/httpwg/http-extensions/labels/opp-sec .




The file can be obtained via
https://datatracker.ietf.org/doc/draft-ietf-httpbis-http2-encryption/

IESG discussion can be tracked via
https://datatracker.ietf.org/doc/draft-ietf-httpbis-http2-encryption/ballot/


No IPR declarations have been submitted directly on this I-D.




2017-02-20
10 Cindy Morgan IESG state changed to In Last Call from Last Call Requested
2017-02-20
10 Cindy Morgan Last call announcement was generated
2017-02-19
10 Alexey Melnikov Last call was requested
2017-02-19
10 Alexey Melnikov Last call announcement was generated
2017-02-19
10 Alexey Melnikov Ballot approval text was generated
2017-02-19
10 Alexey Melnikov Ballot writeup was generated
2017-02-19
10 Alexey Melnikov IESG state changed to Last Call Requested from AD Evaluation
2017-02-19
10 Alexey Melnikov IESG state changed to AD Evaluation from Publication Requested
2017-02-19
10 Alexey Melnikov Changed consensus to Yes from Unknown
2017-02-15
10 Cindy Morgan Notification list changed to michael.bishop@microsoft.com
2017-02-15
10 Mark Nottingham
# Shepherd Writeup for HTTP Opportunistic Security

## 1. Summary

Mike Bishop is the document shepherd; Alexey Melnikov is the responsible Area
Director.

This document presents an experimental way to use
[Alt-Svc](https://tools.ietf.org/html/rfc7838) to achieve opportunistic
encryption connections to http:// schemed resources. While this does not offer
the true security guarantees of the https:// scheme, it does improve resistance
to passive surveillance by requiring some minimal level of active attack to
defeat.

## 2. Review and Consensus

The document has been closely reviewed and discussed by a small number of vocal
participants, with a larger number of other participants adding occasional
feedback. The community is generally divided about the utility of providing a
tool which is so easily defeated by an active attacker, but there have been very
few who believe this experiment would be detrimental. The primary concern voiced
by dissenters has been that widespread deployment might provide a false sense of
security, slowing the adoption of "real" HTTPS or confusing users. The
restriction in section 4.1 was added to help mitigate this concern.

RFC 7838 requires "reasonable assurances" that the alternative was under the
control of the same authority as the origin. RFC 7838 defines only one means of
having such assurance: possession of a TLS certificate for the origin. After
much discussion, this draft maintains that definition and requires the use of
fully verified certificates.

The other item of particular concern around using RFC7838 with http:// URIs was
server support for receiving requests for http:// schemed resources on ports
configured to use TLS. While HTTP/1.1 might permit and HTTP/2 mandates the
inclusion of the URL scheme with the request, it appears that almost no server
implementations treat the included scheme as more authoritative than the port on
which it was received. This is noted in section 4.4. As a result, the final
version of this document prohibits the use of HTTP/1.1 and uses the .well-known
resource as a server's self-certification that it can correctly distinguish such
requests.

A primary learning from experimentation with this draft will be to what degree
this server behavior presents a deployment issue in the real world, and the
degree to which servers will incorrectly claim this capability.

There is a client implementation in Mozilla Firefox, though other browsers have
expressed limited interest at this time. No explicit implementation of this
draft is required in server software (the necessary resources and headers can be
administratively configured).


## 3. Intellectual Property

Each author has stated that their direct, personal knowledge of any IPR related
to this document has already been disclosed, in conformance with BCPs 78 and 79.
No IPR disclosures have been submitted regarding this document.

## 4. Other Points

There are no downward references. The IANA Considerations are clear, and the
Expert Reviewer for the affected registry is an author of this draft.
2017-02-15
10 Mark Nottingham IETF WG state changed to Submitted to IESG for Publication from WG Consensus: Waiting for Write-Up
2017-02-15
10 Mark Nottingham IESG state changed to Publication Requested from AD is watching
2017-02-15
10 Mark Nottingham Tag Revised I-D Needed - Issue raised by WGLC cleared.
2017-02-15
10 Mark Nottingham IETF WG state changed to WG Consensus: Waiting for Write-Up from Waiting for WG Chair Go-Ahead
2017-02-15
10 Mike Bishop
# Shepherd Writeup for HTTP Opportunistic Security

## 1. Summary

Mike Bishop is the document shepherd; Alexey Melnikov is the responsible Area
Director.

This document presents an experimental way to use
[Alt-Svc](https://tools.ietf.org/html/rfc7838) to achieve opportunistic
encryption connections to http:// schemed resources. While this does not offer
the true security guarantees of the https:// scheme, it does improve resistance
to passive surveillance by requiring some minimal level of active attack to
defeat.

## 2. Review and Consensus

The document has been closely reviewed and discussed by a small number of vocal
participants, with a larger number of other participants adding occasional
feedback. The community is generally divided about the utility of providing a
tool which is so easily defeated by an active attacker, but there have been very
few who believe this experiment would be detrimental. The primary concern voiced
by dissenters has been that widespread deployment might provide a false sense of
security, slowing the adoption of "real" HTTPS or confusing users. The
restriction in section 4.1 was added to help mitigate this concern.

RFC 7838 requires "reasonable assurances" that the alternative was under the
control of the same authority as the origin. RFC 7838 defines only one means of
having such assurance: possession of a TLS certificate for the origin. After
much discussion, this draft maintains that definition and requires the use of
fully verified certificates.

The other item of particular concern around using RFC7838 with http:// URIs was
server support for receiving requests for http:// schemed resources on ports
configured to use TLS. While HTTP/1.1 might permit and HTTP/2 mandates the
inclusion of the URL scheme with the request, it appears that almost no server
implementations treat the included scheme as more authoritative than the port on
which it was received. This is noted in section 4.4. As a result, the final
version of this document prohibits the use of HTTP/1.1 and uses the .well-known
resource as a server's self-certification that it can correctly distinguish such
requests.

A primary learning from experimentation with this draft will be to what degree
this server behavior presents a deployment issue in the real world, and the
degree to which servers will incorrectly claim this capability.

There is a client implementation in Mozilla Firefox, though other browsers have
expressed limited interest at this time. No explicit implementation of this
draft is required in server software (the necessary resources and headers can be
administratively configured).


## 3. Intellectual Property

Each author has stated that their direct, personal knowledge of any IPR related
to this document has already been disclosed, in conformance with BCPs 78 and 79.
No IPR disclosures have been submitted regarding this document.

## 4. Other Points

There are no downward references. The IANA Considerations are clear, and the
Expert Reviewer for the affected registry is an author of this draft.
2017-01-31
10 Martin Thomson New version available: draft-ietf-httpbis-http2-encryption-10.txt
2017-01-31
10 (System) New version approved
2017-01-31
10 (System) Request for posting confirmation emailed to previous authors: "Mark Nottingham" , "Martin Thomson"
2017-01-31
10 Martin Thomson Uploaded new revision
2016-12-21
09 Martin Thomson New version available: draft-ietf-httpbis-http2-encryption-09.txt
2016-12-21
09 (System) New version approved
2016-12-21
09 (System) Request for posting confirmation emailed to previous authors: "Mark Nottingham" , "Martin Thomson"
2016-12-21
09 Martin Thomson Uploaded new revision
2016-11-13
08 Patrick McManus Added to session: IETF-97: httpbis  Tue-1330
2016-10-31
08 Martin Thomson New version available: draft-ietf-httpbis-http2-encryption-08.txt
2016-10-31
08 (System) New version approved
2016-10-31
08 (System) Request for posting confirmation emailed to previous authors: "Mark Nottingham" , "Martin Thomson"
2016-10-31
08 Martin Thomson Uploaded new revision
2016-10-03
07 Mark Nottingham New version available: draft-ietf-httpbis-http2-encryption-07.txt
2016-10-03
07 (System) New version approved
2016-10-03
07 (System) Request for posting confirmation emailed to previous authors: "Mark Nottingham" , "Martin Thomson"
2016-10-03
07 Mark Nottingham Uploaded new revision
2016-07-18
06 Alexey Melnikov IESG process started in state AD is watching
2016-07-18
06 (System) Earlier history may be found in the Comment Log for /doc/draft-nottingham-http2-encryption/
2016-07-11
06 Mark Nottingham Tag Revised I-D Needed - Issue raised by WGLC set.
2016-07-11
06 Mark Nottingham IETF WG state changed to Waiting for WG Chair Go-Ahead from In WG Last Call
2016-07-11
06 Mark Nottingham Changed document writeup
2016-06-20
06 Mark Nottingham New version available: draft-ietf-httpbis-http2-encryption-06.txt
2016-05-30
05 Mark Nottingham New version available: draft-ietf-httpbis-http2-encryption-05.txt
2016-03-16
04 Mark Nottingham IETF WG state changed to In WG Last Call from WG Document
2016-03-16
04 Mark Nottingham New version available: draft-ietf-httpbis-http2-encryption-04.txt
2015-12-20
03 Mark Nottingham Notification list changed to "Mike Bishop" <michael.bishop@microsoft.com>
2015-12-20
03 Mark Nottingham Document shepherd changed to Mike Bishop
2015-12-17
03 Martin Thomson New version available: draft-ietf-httpbis-http2-encryption-03.txt
2015-12-06
02 Mark Nottingham Document shepherd changed to (None)
2015-10-14
02 (System) Notify list changed from "Mark Nottingham"  to (None)
2015-06-15
02 Martin Thomson New version available: draft-ietf-httpbis-http2-encryption-02.txt
2015-02-10
01 Mark Nottingham Intended Status changed to Experimental from Proposed Standard
2015-02-10
01 Mark Nottingham Notification list changed to "Mark Nottingham" <mnot@mnot.net>
2015-02-10
01 Mark Nottingham Document shepherd changed to Mark Nottingham
2015-02-10
01 Mark Nottingham Intended Status changed to Proposed Standard from None
2014-12-15
01 Martin Thomson New version available: draft-ietf-httpbis-http2-encryption-01.txt
2014-07-01
00 Mark Nottingham This document now replaces draft-nottingham-http2-encryption instead of None
2014-06-14
00 Martin Thomson New version available: draft-ietf-httpbis-http2-encryption-00.txt