[{"author": "Henry Story", "text": "

the room is pretty empty or is the camera pointing the wrong direction?

", "time": "2022-11-07T15:32:30Z"}, {"author": "Julian Reschke", "text": "


", "time": "2022-11-07T15:43:23Z"}, {"author": "Julian Reschke", "text": "


", "time": "2022-11-07T15:44:02Z"}, {"author": "David Schinazi", "text": "

I don't get the cow moon joke

", "time": "2022-11-07T15:44:18Z"}, {"author": "Julian Reschke", "text": "

test 2

", "time": "2022-11-07T15:44:32Z"}, {"author": "Daniel Gillmor", "text": "

chat works from here

", "time": "2022-11-07T15:44:42Z"}, {"author": "Alan Frindell", "text": "

I can see your msgs Julian

", "time": "2022-11-07T15:44:42Z"}, {"author": "Henry Story", "text": "

One can get to Zulip directly too.

", "time": "2022-11-07T15:44:43Z"}, {"author": "David Schinazi", "text": "

I see your test and test 2

", "time": "2022-11-07T15:44:46Z"}, {"author": "Jonathan Lennox", "text": "


", "time": "2022-11-07T15:44:54Z"}, {"author": "Henry Story", "text": "

I was writing in the zulip client. Hi

", "time": "2022-11-07T15:45:01Z"}, {"author": "Henry Story", "text": "

Ah one has to zoom in to see the folks there

", "time": "2022-11-07T15:45:09Z"}, {"author": "Henry Story", "text": "

Oh, never heard of them.

", "time": "2022-11-07T15:45:10Z"}, {"author": "Henry Story", "text": "

what are trailers?

", "time": "2022-11-07T15:45:13Z"}, {"author": "Martin Thomson", "text": "

the cow thing is a joke about spherical cows in a vacuum

", "time": "2022-11-07T15:45:14Z"}, {"author": "Martin Thomson", "text": "

the old joke, that is

", "time": "2022-11-07T15:45:22Z"}, {"author": "Henry Story", "text": "

(oh that is what those red marks on the side were about!)

", "time": "2022-11-07T15:45:26Z"}, {"author": "David Schinazi", "text": "

Ah right. Thanks MT

", "time": "2022-11-07T15:45:26Z"}, {"author": "Julian Reschke", "text": "

I had questions for Justin: 1) what to do with the percent-decoding issue (path & query), and 2) the issue of combined field value recombination

", "time": "2022-11-07T15:45:47Z"}, {"author": "David Schinazi", "text": "

I remember that one as spherical chickens in a vacuum but I won't bikeshed

", "time": "2022-11-07T15:46:08Z"}, {"author": "Darrel Miller", "text": "

@David Schinazi It has to do with the solution working assuming the cow is a perfect sphere.

", "time": "2022-11-07T15:46:15Z"}, {"author": "Martin Thomson", "text": "

Mike saying \"slide\" reminds me of a Homestarrunner short.

", "time": "2022-11-07T15:46:32Z"}, {"author": "Martin Thomson", "text": "


", "time": "2022-11-07T15:47:21Z"}, {"author": "Justin Richer", "text": "

@Julian Reschke I think the text on query is clear: The value is normalized according to the rules in [HTTP], Section 4.2.3. Namely, percent-encoded octets are decoded.

", "time": "2022-11-07T15:47:57Z"}, {"author": "Justin Richer", "text": "

and path has this: Namely, an empty path string is normalized as a single slash / character, and path components are represented by their values after decoding any percent-encoded octets.

", "time": "2022-11-07T15:48:32Z"}, {"author": "Tommy Pauly", "text": "

@Martin good reference =)

", "time": "2022-11-07T15:48:42Z"}, {"author": "Julian Reschke", "text": "

@justin: the problem here is that you lose information if you decode percent-encoded reserved characters

", "time": "2022-11-07T15:49:24Z"}, {"author": "Justin Richer", "text": "

@Julian Reschke What's the issue of combined field values? Is this the thing about spaces in between values?

", "time": "2022-11-07T15:49:41Z"}, {"author": "Julian Reschke", "text": "

@justin: yep

", "time": "2022-11-07T15:49:55Z"}, {"author": "Justin Richer", "text": "

@Julian Reschke why would you lose information?

", "time": "2022-11-07T15:50:26Z"}, {"author": "Nick Doty", "text": "

every \"slides\" link in the agenda is broken

", "time": "2022-11-07T15:50:38Z"}, {"author": "Julian Reschke", "text": "

because a \"/\" in a path has special meaning

", "time": "2022-11-07T15:50:44Z"}, {"author": "Nick Doty", "text": "

the minutes link in the agenda is incorrect

", "time": "2022-11-07T15:50:51Z"}, {"author": "Julian Reschke", "text": "

or a \"&\" in a query

", "time": "2022-11-07T15:50:53Z"}, {"author": "Nick Doty", "text": "

the chatroom link in the agenda is missing

", "time": "2022-11-07T15:51:00Z"}, {"author": "Daniel Gillmor", "text": "

stickiness from Alt-Svc is another cookie-equivalent too, from a privacy perspective.

", "time": "2022-11-07T15:51:00Z"}, {"author": "Tommy Pauly", "text": "

The minutes link is updated

", "time": "2022-11-07T15:51:13Z"}, {"author": "Julian Reschke", "text": "

but let's take that to the mailing list then

", "time": "2022-11-07T15:51:19Z"}, {"author": "Justin Richer", "text": "

@Julian Reschke but you don't use the value from the signature base outside the signature.

", "time": "2022-11-07T15:51:23Z"}, {"author": "Julian Reschke", "text": "

@justin: there are semantically different values that will have the same signature

", "time": "2022-11-07T15:51:50Z"}, {"author": "Justin Richer", "text": "

@Julian Reschke from a security perspective I'd prefer to keep it without any decoding, ie \"just use it as it comes in\", but we were trying to apply whatever the common transforms to this data would be. So if I call \"request.getQuery()\" what do I get out of it?

", "time": "2022-11-07T15:53:10Z"}, {"author": "Julian Reschke", "text": "

@justin: at least in Java you always have access to the raw request URI. Dunno about other platforms

", "time": "2022-11-07T15:54:15Z"}, {"author": "Justin Richer", "text": "

@Julian Reschke what is your suggested solution?

", "time": "2022-11-07T15:54:35Z"}, {"author": "Julian Reschke", "text": "

either require signing the raw parts, or document the issue and explain why the ambiguity is ok

", "time": "2022-11-07T15:55:38Z"}, {"author": "Justin Richer", "text": "

My preference is to sign the raw path and query, but I'd like to see what Annabelle and others think of this.


To the other issue: The combination/spaces issue needs to have some warning text, which we're planning to add.

", "time": "2022-11-07T15:57:00Z"}, {"author": "Julian Reschke", "text": "


", "time": "2022-11-07T15:57:51Z"}, {"author": "Henry Story", "text": "

I can try to find out what various scala libs return if you give us a full http message example. (not sure where you'd put that?)

", "time": "2022-11-07T15:57:58Z"}, {"author": "Henry Story", "text": "

I put up a zulip channel for http sig https://zulip.ietf.org/#narrow/stream/225-httpbis/topic/Signing.20HTTP.20Messages

", "time": "2022-11-07T15:59:49Z"}, {"author": "Nick Doty", "text": "

per dkg, it seems like there's a risk that sticky alt services will get used as cookies/etag replacement, which might discourage clients from using them

", "time": "2022-11-07T16:01:40Z"}, {"author": "Eric Orth", "text": "

Tommy Pauly: If you want my opinion on bespoke host resolution APIs. It comes up occasionally, but I'd really prefer to avoid using any host resolution APIs unless standardized between OSs.

", "time": "2022-11-07T16:02:12Z"}, {"author": "Eric Kinnear", "text": "

@David Schinazi I'd say it turned out to be as tricky as expected :D

", "time": "2022-11-07T16:02:18Z"}, {"author": "Valentin Go\u0219u", "text": "

just getaddrinfo in Firefox when not using DoH

", "time": "2022-11-07T16:02:18Z"}, {"author": "David Schinazi", "text": "

thx Valentin

", "time": "2022-11-07T16:02:54Z"}, {"author": "Eric Orth", "text": "

If we had a getaddrinfo2() that all the big OSs agreed on, Chrome could probably use that in more cases, but until then, bespoke APIs only come up for the usecases of \"if there's absolutely nothing else we can do and no more improvements we could make to our built-in resolver to do what we need to do\".

", "time": "2022-11-07T16:04:27Z"}, {"author": "Daniel Gillmor", "text": "

i think getaddrinfo2 would be a huge contribution to getting all the DNS hotness in a deployable state

", "time": "2022-11-07T16:05:43Z"}, {"author": "Jonathan Lennox", "text": "

There's unfortunately a big conflict between the application requirement for \"I need this DNS record\" vs. the OS requirement for \"I need to support these eighteen legacy hostname lookup methods.\"

", "time": "2022-11-07T16:05:52Z"}, {"author": "Daniel Gillmor", "text": "

the OS can retain those legacy hostname lookup records without blocking a getaddrinfo2

", "time": "2022-11-07T16:06:19Z"}, {"author": "Daniel Gillmor", "text": "

so i don't see the conflict

", "time": "2022-11-07T16:06:34Z"}, {"author": "Jonathan Lennox", "text": "

But should a getaddrinfo2 lookup use them? For just A/AAAA record requests, or for other things too?

", "time": "2022-11-07T16:06:42Z"}, {"author": "Justin Richer", "text": "

but the question is which one do you call

", "time": "2022-11-07T16:06:47Z"}, {"author": "Daniel Gillmor", "text": "

the application layer calls the one that gives it the data it needs

", "time": "2022-11-07T16:07:06Z"}, {"author": "Jonathan Lennox", "text": "

getaddrinfo vs. getaddrinfo2 giving different answers would be bad

", "time": "2022-11-07T16:07:12Z"}, {"author": "Martin Thomson", "text": "

Unicode also has flags in the same way

", "time": "2022-11-07T16:07:25Z"}, {"author": "Martin Thomson", "text": "

we made a bunch of bad choices in the past...

", "time": "2022-11-07T16:07:51Z"}, {"author": "Martin Thomson", "text": "

move the flags to the frame type

", "time": "2022-11-07T16:07:55Z"}, {"author": "Martin Thomson", "text": "

just the mandatory ones

", "time": "2022-11-07T16:08:07Z"}, {"author": "Jonathan Lennox", "text": "


", "time": "2022-11-07T16:08:10Z"}, {"author": "Justin Richer", "text": "

if we hadn't made bad choices in the past we wouldn't have the internet we know and love today :)

", "time": "2022-11-07T16:08:15Z"}, {"author": "Martin Thomson", "text": "


", "time": "2022-11-07T16:10:50Z"}, {"author": "David Schinazi", "text": "

I'd suggest adding a line to explain that the h3 version doesn't have flags for future us

", "time": "2022-11-07T16:13:38Z"}, {"author": "Bron Gondwana", "text": "


", "time": "2022-11-07T16:13:53Z"}, {"author": "Erik Nygren", "text": "

+1 to David

", "time": "2022-11-07T16:15:13Z"}, {"author": "Jonathan Lennox", "text": "

Go to SHMOO and figure out how to do humming in hybrid meetings...

", "time": "2022-11-07T16:19:32Z"}, {"author": "Nick Doty", "text": "

there seemed to be agreement on \"layering\" that it would be great to have a more coordinated set-up for what is in the cookie spec and what is elsewhere

", "time": "2022-11-07T16:19:53Z"}, {"author": "Nick Doty", "text": "

but I'm not clear on what the direction is, besides that someone oughta do it

", "time": "2022-11-07T16:20:05Z"}, {"author": "Martin Thomson", "text": "

the proposed direction is that we not hold the current document up for that work, but do that in the next revision

", "time": "2022-11-07T16:20:41Z"}, {"author": "Daniel Gillmor", "text": "

wait, the bit would be harmful because there is a use case for it being set?

", "time": "2022-11-07T16:31:22Z"}, {"author": "Randell Jesup", "text": "

+1 to Martin; glad to see this

", "time": "2022-11-07T16:36:55Z"}, {"author": "Daniel Gillmor", "text": "

agreed with the current speaker -- if the server can specify it, it implies that the server can decline it

", "time": "2022-11-07T16:37:17Z"}, {"author": "Daniel Gillmor", "text": "

why do they need this explicit signal to migrate?

", "time": "2022-11-07T16:38:15Z"}, {"author": "Nick Doty", "text": "

it should help migration by letting some sites try it out early with some of their cookies

", "time": "2022-11-07T16:40:49Z"}, {"author": "Daniel Gillmor", "text": "

can't those sites try it out already with browsers that already partition?

", "time": "2022-11-07T16:42:17Z"}, {"author": "Nick Doty", "text": "

\"this is fine, not great\" :)

", "time": "2022-11-07T16:42:27Z"}, {"author": "Daniel Gillmor", "text": "

or just a flag in the browser, that the developers who care can turn on?

", "time": "2022-11-07T16:42:38Z"}, {"author": "Daniel Gillmor", "text": "

(the developers who don't care won't set the flag on the cookies either)

", "time": "2022-11-07T16:43:14Z"}, {"author": "Benjamin Schwartz", "text": "

It seems like it would be helpful to have a way to audit your vast collection of microservices to figure out which ones are partitioning-ready

", "time": "2022-11-07T16:43:21Z"}, {"author": "Daniel Gillmor", "text": "

how does this help with an audit?

", "time": "2022-11-07T16:43:35Z"}, {"author": "Benjamin Schwartz", "text": "

You can measure compliance from your server logs.

", "time": "2022-11-07T16:44:10Z"}, {"author": "Henry Story", "text": "

I have been waiting for a while for the ability to pass client certs through http...

", "time": "2022-11-07T16:45:16Z"}, {"author": "Daniel Gillmor", "text": "

so, aiui, the audit process is: site sets \"partitioned\" on every cookie it emits, then investigate server logs to see... what?

", "time": "2022-11-07T16:45:37Z"}, {"author": "Henry Story", "text": "

Can one also pass other types of Certificates in that header?

", "time": "2022-11-07T16:46:05Z"}, {"author": "Benjamin Schwartz", "text": "

@Daniel Gillmor The process is: you call all your vendors or eng teams and tell them that you want their stuff partitioning-ready by EOY 2023, and to set the Partition flag on their cookies when they are ready. Then you make a graph of what fraction of cookies have the flag, and if the line isn't going up and to the right, you see who's late and go yell at them.

", "time": "2022-11-07T16:47:04Z"}, {"author": "Daniel Gillmor", "text": "

so this is a flag for communicating between vendors and project managers by way of server logs

", "time": "2022-11-07T16:48:12Z"}, {"author": "Martin Thomson", "text": "

So Justin, are you saying that we can fix problems with one terrifying spec by applying another terrifying spec?

", "time": "2022-11-07T16:49:15Z"}, {"author": "Nick Doty", "text": "

I think the process is, we're pretty sure this service will work with partitioned cookies, we can test it out with all our users by adding a new cookie with the Partitioned attribute, and if we see breakage or we needed to rely on the unpartitioned cookie, we can log the error

", "time": "2022-11-07T16:49:22Z"}, {"author": "Benjamin Schwartz", "text": "

@Daniel Gillmor it's from __future__ import partitioning. Not so different from the work to prepare for the deprecation of Python 2 actually.

", "time": "2022-11-07T16:50:05Z"}, {"author": "Daniel Gillmor", "text": "

analogies with the python2 \u2192 python3 transition are \u2026 not confidence inspiring

", "time": "2022-11-07T16:51:14Z"}, {"author": "Benjamin Schwartz", "text": "

It's not my job, so I can afford to be a realist.

", "time": "2022-11-07T16:51:40Z"}, {"author": "Steven Bingler", "text": "

This is an issue because nowadays servers are no longer one entity, and one part may set and another part might not be able to understand them.


Kudos to the note taker for phrasing my point much better than I did

", "time": "2022-11-07T16:52:01Z"}, {"author": "James Gruessing", "text": "

Masque enthusiast... not wearing a mask.

", "time": "2022-11-07T16:52:10Z"}, {"author": "Henry Story", "text": "

masks are not mandatory for speakers. I prefer if speakers don't wear masks actually, as it is easier to hear them.

", "time": "2022-11-07T16:52:57Z"}, {"author": "James Gruessing", "text": "

'twas meant with slight tongue and cheek Henry.

", "time": "2022-11-07T16:53:25Z"}, {"author": "Eric Kinnear", "text": "

Masque is Wednesday Session I, btw

", "time": "2022-11-07T16:58:16Z"}, {"author": "Henry Story", "text": "

I wonder if there is any thinking on p2p http

", "time": "2022-11-07T17:04:25Z"}, {"author": "Henry Story", "text": "

ie. client and server switching roles.

", "time": "2022-11-07T17:04:59Z"}, {"author": "Alex Chernyakhovsky", "text": "

What do you mean by that? I think in webtrans it's possible for some server-initiated stuff?

", "time": "2022-11-07T17:05:51Z"}, {"author": "Henry Story", "text": "

I wrote up a lot of links and reasons for why this could be interesting here: https://github.com/w3c/architecture/issues/14

", "time": "2022-11-07T17:06:31Z"}, {"author": "Benjamin Schwartz", "text": "

\"Probing resistance\" is the term I use for this.

", "time": "2022-11-07T17:08:16Z"}, {"author": "Alex Chernyakhovsky", "text": "

I really don't understand what that's trying to say. Is the goal to just allow a client-initiated connection but allow the \"server\" (i.e., the thing that called accept(2) on the socket) to issue the _client_ HTTP methods...?

", "time": "2022-11-07T17:08:27Z"}, {"author": "Alex Chernyakhovsky", "text": "

If so ... sure? We can do a LISTEN (per the draft David mentioned) over the initial connection to open up the client to the server fairly easily

", "time": "2022-11-07T17:09:21Z"}, {"author": "Henry Story", "text": "

yes, so that the server could then do a GET /key1 HTTP/2 to the client after a HTTP Sig request

", "time": "2022-11-07T17:09:51Z"}, {"author": "Henry Story", "text": "

That would allow clients to publish keys in a non-global environment.

", "time": "2022-11-07T17:12:34Z"}, {"author": "Henry Story", "text": "

Essentially that is what HTTPS does when the server asks the client for a cert.

", "time": "2022-11-07T17:12:52Z"}, {"author": "Martin Thomson", "text": "

That is a really long field name.

", "time": "2022-11-07T17:13:52Z"}, {"author": "Martin Thomson", "text": "

Maybe for this, that's not a big deal.

", "time": "2022-11-07T17:13:58Z"}, {"author": "Alex Chernyakhovsky", "text": "

How about shortening it to \"unauth\" :)

", "time": "2022-11-07T17:14:21Z"}, {"author": "Nick Doty", "text": "

a shibboleth

", "time": "2022-11-07T17:19:14Z"}, {"author": "Martin Thomson", "text": "

traversing intermediaries is an anti-feature

", "time": "2022-11-07T17:20:30Z"}, {"author": "Martin Thomson", "text": "

for something like this, that is

", "time": "2022-11-07T17:20:46Z"}, {"author": "David Oliver", "text": "

@ben bridge distribution is only one use case

", "time": "2022-11-07T17:21:13Z"}, {"author": "Martin Thomson", "text": "

Dammit Kyle beat me to it

", "time": "2022-11-07T17:22:09Z"}, {"author": "Benjamin Schwartz", "text": "

@David Oliver Sure, can you please describe a use case where the client cannot easily learn a per-origin secret in advance?

", "time": "2022-11-07T17:22:57Z"}, {"author": "Benjamin Schwartz", "text": "

@Martin Thomson No, running confidential services through a CDN is extremely valuable.

", "time": "2022-11-07T17:23:26Z"}, {"author": "Nick Doty", "text": "

+1 for working on this use case

", "time": "2022-11-07T17:23:52Z"}, {"author": "David Oliver", "text": "


", "time": "2022-11-07T17:24:11Z"}, {"author": "Benjamin Schwartz", "text": "


", "time": "2022-11-07T17:24:19Z"}, {"author": "Eric Orth", "text": "


", "time": "2022-11-07T17:24:25Z"}, {"author": "David Oliver", "text": "

@ben will ping you later

", "time": "2022-11-07T17:25:09Z"}, {"author": "Benjamin Schwartz", "text": "


", "time": "2022-11-07T17:25:22Z"}, {"author": "Francesca Palombini", "text": "

thank you!

", "time": "2022-11-07T17:25:42Z"}, {"author": "Jacob Hatch", "text": "

Thank you.

", "time": "2022-11-07T17:25:52Z"}, {"author": "Roberto Polli", "text": "


", "time": "2022-11-07T17:25:54Z"}, {"author": "Tommy Pauly", "text": "

Thank you all!

", "time": "2022-11-07T17:25:59Z"}, {"author": "Roberto Polli", "text": "

Thanks everyone!

", "time": "2022-11-07T17:26:02Z"}, {"author": "Henry Story", "text": "

Thanks. I am hanging around in Zulip here...

", "time": "2022-11-07T17:26:24Z"}, {"author": "Henry Story", "text": "

I hope to have HttpSig implementation of the latest spec finished by Friday morning.

", "time": "2022-11-07T17:26:50Z"}]