IETF
httpbis
httpbis@jabber.ietf.org
Friday, March 15, 2013
stpeter has set the subject to: IETF HTTPbis Working Group | http://tools.ietf.org/wg/httpbis/agenda?item=agenda-85-httpbis.html

GMT+0
[01:00:51] yuioku.yj joins the room
[01:01:16] yuioku.yj leaves the room
[12:01:01] Bjoern joins the room
[12:04:06] <Bjoern> I'd set the topic to http://tools.ietf.org/wg/httpbis/agenda?item=agenda-86-httpbis.html but either access controls or my client won't let me...
[12:33:13] Julian joins the room
[12:37:12] Bjoern leaves the room
[12:38:16] Bjoern joins the room
[12:51:45] ghcooper joins the room
[12:54:31] tfossati joins the room
[12:55:18] barryleiba joins the room
[12:55:42] <barryleiba> A ticket has been submitted about the audio stream.  Please tell us if/when you can hear us.
[12:56:06] Bjoern leaves the room: Replaced by new connection
[12:56:14] <Julian> seems the m3u 404s.
[12:57:04] <Julian> http://nagasaki.bogus.com:8000/stream07 ?
[12:58:02] Bjoern joins the room
[12:59:15] Bjoern leaves the room
[12:59:39] Bjoern joins the room
[13:00:52] Kazuki Shimizu joins the room
[13:01:12] stpeter joins the room
[13:01:24] kmurchison joins the room
[13:01:45] Bjoern leaves the room
[13:01:47] <Julian> now it works
[13:02:13] Bjoern joins the room
[13:02:20] Julian it would be awesome if the audio streams worked *before* the meeting starts
[13:02:24] stpeter has set the subject to: IETF HTTPbis Working Group | https://datatracker.ietf.org/meeting/86/agenda/httpbis/
[13:02:27] <stpeter> :)
[13:02:36] <Julian> I do
[13:02:36] <Bjoern> I take it that is a known problem then...
[13:02:49] <tfossati> i hear you barry
[13:02:50] cyrus joins the room
[13:02:55] <barryleiba> T'anks.
[13:03:30] bkihara.l joins the room
[13:03:36] yuioku.yj joins the room
[13:03:45] <Julian> silly it is
[13:03:46] <Julian> very
[13:03:52] <Julian> yes, we hear you, Mark
[13:03:59] Ning Kong joins the room
[13:04:51] <Julian> https://tools.ietf.org/wg/httpbis/agenda
[13:05:30] hillbrad joins the room
[13:05:33] synp joins the room
[13:05:47] tony.l.hansen joins the room
[13:05:52] Gabriel Montenegro joins the room
[13:06:00] asergeyev joins the room
[13:06:02] <barryleiba> If you want a comment read on the mic, please prefix it with "mic"
[13:06:17] Julian smiles
[13:07:10] Andrew Sullivan joins the room
[13:07:11] <Julian> https://tools.ietf.org/agenda/86/slides/slides-86-httpbis-1.pdf
[13:07:13] <stpeter> HTTPBIS -- v22 changes
[13:08:01] <stpeter> 4: Changes - P1
[13:08:06] <stpeter> 5: cont'd
[13:08:15] hillbrad leaves the room
[13:08:27] <stpeter> Ticket 415
[13:08:59] <stpeter> 6: Changes - P2
[13:09:14] <stpeter> 7: cont'd
[13:09:21] <stpeter> 8
[13:09:28] <stpeter> (P3 / P4)
[13:09:32] <stpeter> 9
[13:09:42] <stpeter> 10
[13:10:08] <stpeter> end of HTTP/1.0 slides
[13:10:22] <Julian> HTTP/1.1, actually
[13:10:25] <stpeter> no more
[13:10:26] <stpeter> heh
[13:10:27] <stpeter> yes
[13:10:29] sftcd joins the room
[13:10:31] <stpeter> no more tickets
[13:10:38] <stpeter> one more WGLC on the document set
[13:10:46] <stpeter> i.e., on the set as a whole
[13:10:51] Eliot Lear joins the room
[13:11:04] <Bjoern> Julian, what does the stream url redirect to for you? I still get a 404...
[13:11:17] <stpeter> LC will be fairly long
[13:11:36] <stpeter> probably 4-6 weeks
[13:11:41] <Julian> Bjoern, http://nagasaki.bogus.com:8000/stream07 it seems
[13:12:41] =JeffH joins the room
[13:12:43] <Bjoern> That works, thanks. (Used to redirect to that for me as well, heisenbugs perhaps...)
[13:12:58] <stpeter> Philippe Le Hegaret at the mic
[13:13:02] <stpeter> (henceforth known as PLH)
[13:13:37] <=JeffH> so, declaring Last Last Call on the Ides of March....     8^)
[13:13:50] hillbrad joins the room
[13:13:51] <stpeter> =JeffH: and ending on May Day ;-)
[13:14:00] <=JeffH> ja, indeed
[13:14:29] <stpeter> discussion about possibility of profiling etc.
[13:14:48] <stpeter> Mark and Philippe to liaise on the topic
[13:15:39] hardie@jabber.psg.com joins the room
[13:15:48] <stpeter> end of HTTP/1.1 discussion
[13:15:55] <stpeter> start of HTTP/2.0 discussion
[13:16:01] <stpeter> interim WG meeting summary
[13:17:29] <Julian> https://github.com/http2/tmp_minutes/blob/master/interim.md
[13:20:21] resnick joins the room
[13:20:21] <stpeter> goal was first implementation draft on the scale of a few months
[13:20:31] <stpeter> https://github.com/http2
[13:20:40] <stpeter> spec at https://github.com/http2/http2-spec
[13:21:21] <stpeter> edit there or fork and then send pull request
[13:21:23] <Julian> mic: how does that work wrt the Note Well?
[13:22:21] Dan Wing joins the room
[13:23:19] <stpeter> Barry Leiba (AD) at the mic
[13:23:32] <stpeter> would prefer that we discuss substantive topics on the list
[13:24:09] PasiS joins the room
[13:24:38] <stpeter> Mark: happy to not have too much noise on the mailing list, but will police the discussions so that substantive topics are on the list
[13:25:08] <stpeter> there is a pointer to the GitHub repository at http://trac.tools.ietf.org/wg/httpbis/trac/wiki
[13:25:41] <stpeter> James Snell has done an implementation in Java
[13:25:49] <stpeter> Mark intends to make one in Python
[13:26:07] <stpeter> end of work plan
[13:26:10] <stpeter> next steps....
[13:26:16] <stpeter> implementation draft soonish
[13:26:33] <stpeter> marked ready for implementations in the next 4-6 weeks
[13:26:47] <stpeter> Mark: would like to maintain the tempo and momentum
[13:27:11] <stpeter> interim meeting was helpful
[13:27:31] <stpeter> set expectations about more interim meetings
[13:27:41] <stpeter> Cyrus Daboo: any talk of interop testing?
[13:27:58] <stpeter> Mark: would like to see not only interop but also test suites
[13:28:45] <stpeter> Mark: current idea for interims and other meetings: meet in Berlin at IETF 87, interim in SF Bay area in mid-June close in time to the Velocity conference
[13:29:17] <stpeter> interim right after Berlin right after IETF 87 (a few days)
[13:30:21] <stpeter> IETF meeting in November, perhaps same model as Berlin
[13:30:44] <stpeter> brb
[13:31:00] <Julian> https://tools.ietf.org/agenda/86/slides/slides-86-httpbis-0.pdf
[13:32:14] <resnick> Stream identifiers
[13:34:26] Jacky Yao11 (Health Yao) joins the room
[13:34:33] Tim Wicinski joins the room
[13:34:43] <stpeter> Hasan at the mic
[13:34:51] <stpeter> is that Hasan Farooq?
[13:35:17] <stpeter> Roberto Peon: neutral on this
[13:36:11] <stpeter> Hasan at the mic
[13:36:41] <stpeter> Roberto: we could get rid of the "is a control bit" frame
[13:36:53] sm joins the room
[13:36:57] <stpeter> Hasan (not at mic): that's gone
[13:37:42] <stpeter> Roberto: in SPDY4 draft that we used, this is essentially how common framing header is defined
[13:38:38] <stpeter> Hasan: I'm suggesting non-change to wire format, just an editorial change
[13:39:09] <stpeter> next topic: error codes
[13:39:26] <stpeter> proposal to combine the two error spaces
[13:40:00] <stpeter> Eliot Lear at the mic
[13:40:22] <stpeter> next topic: IANA Policies
[13:40:41] stpeter notes that there are no slide numbers in this presentation ... bad presenter!
[13:41:00] hillbrad leaves the room
[13:42:06] <stpeter> Eliot at the mic
[13:42:28] <stpeter> Martin: distinction between control and data went away
[13:42:52] hardie@jabber.psg.com leaves the room
[13:43:09] <stpeter> next topic: framing layer common flags
[13:44:50] <stpeter> Will Chan at the mic
[13:46:14] <stpeter> next topic: connection-based authentication (#49)
[13:46:27] <stpeter> proposal to remove and leave as open issue
[13:46:38] <Julian> +1 for removal
[13:47:16] <stpeter> next topic: ':version'
[13:47:28] <stpeter> to be removed
[13:48:29] <stpeter> next topic: 100-continue (#18)
[13:49:24] <stpeter> Mark has action item to propose text for #18
[13:50:21] <stpeter> topic: Multiple RST_STREAM
[13:50:25] <stpeter> Roberto at mic
[13:50:47] <stpeter> RP: how do you handle bad clients?
[13:51:00] <stpeter> RP: in the real world there is a cost to this approach
[13:51:10] <stpeter> Will Chan at the mic
[13:51:23] <stpeter> WC: simpler to allow multiple resets
[13:51:31] <stpeter> Eliot Lear at the mic
[13:51:55] <stpeter> EL: if you have to send 2, what makes you think you won't need 3 or 4 or 5?
[13:51:58] hardie@jabber.psg.com joins the room
[13:52:04] <stpeter> MN: up to the implementer
[13:53:38] <stpeter> next topic: SETTINGS_CURRENT_CWND
[13:53:52] <stpeter> proposal to remove it
[13:54:26] <stpeter> RP: I think it's a bit early to kill it, we don't have much experimental evidence yet
[13:55:04] <stpeter> Hasan: defer until we have evidence?
[13:55:51] <stpeter> was that Janardhan Lyengar at the mic?
[13:56:13] <resnick> It was.
[13:56:17] <stpeter> next topic: Data Compression (#46)
[13:56:20] <stpeter> resnick: thanks
[13:57:07] <stpeter> Hasan: we toyed around with this bit, but it was terrible to force compression
[13:58:09] <stpeter> Eliot: concerns about header compression
[13:58:21] <stpeter> Mark: this is about data compression, not header compression
[14:00:02] <stpeter> Adam Langley at the mic
[14:00:13] <stpeter> (talking about TLS WG / NPN / etc.)
[14:00:52] <stpeter> if ALPN is adopted in TLS WG then Google will deprecate NPN
[14:01:05] Martin Thomson joins the room
[14:01:18] <stpeter> ALPN = https://datatracker.ietf.org/doc/draft-friedl-tls-applayerprotoneg/
[14:01:23] <stpeter> Eliot Lear at the mic
[14:02:16] <stpeter> EL: Cisco has opened a request for proposals for academic research into HTTP/2.0, he will send something to the list
[14:02:31] <Eliot Lear> http://www.cisco.com/web/about/ac50/ac207/crc_new/university/RFP/rfp13077.html
[14:02:38] Dan Wing leaves the room
[14:03:23] <stpeter> next section: discussion of open issues
[14:03:57] <stpeter> first item, Header Compression
[14:04:37] <Julian> are there slides for this topic?
[14:04:47] Dan Wing joins the room
[14:04:50] <resnick> Not that we know of.
[14:04:51] <stpeter> based on discussion, primary interest in delta compression
[14:04:55] <stpeter> Julian: no
[14:05:28] <stpeter> delta and headerdiff the main delta-based approaches
[14:06:06] <barryleiba> FUGZ
[14:06:07] <stpeter> Mark shows some tests at the command line
[14:07:01] <stpeter> and pretty graphs
[14:08:08] <stpeter> factors in the decision: efficiency, implementability, etc.
[14:09:27] <stpeter> Roberto on the dais
[14:09:40] <stpeter> talking about delta2 algo
[14:09:45] <stpeter> no slides
[14:10:31] <stpeter> https://datatracker.ietf.org/doc/draft-rpeon-httpbis-header-compression/ is the document
[14:12:36] <stpeter> question from Mark
[14:13:29] <stpeter> Adam Langley at the mic
[14:14:06] <stpeter> Phil Hallam-Baker at the mic
[14:14:52] <stpeter> PHB: the problem is that cookies are evil
[14:15:25] <stpeter> Robby Simpson at the mic
[14:15:36] <stpeter> RS: using HTTP/1.1 in embedded space
[14:15:58] <stpeter> RS: even gzip uses a lot of memory
[14:17:46] <tfossati> RS: CoAP ?
[14:17:50] <=JeffH> mic:  "cookies" in and of themselves aren't necessarily "evil" --  some of the manners in which they have been employed have been ill-advised
[14:18:07] <=JeffH> s/some/rather, some/
[14:18:10] <stpeter> Janardhan Lyengar at the mic
[14:18:19] <stpeter> =JeffH: got it
[14:18:22] <resnick> Iyengar.
[14:19:19] <=JeffH> note that "cookies" is a colloquial term for a particular http state management regime -- rfc6265 -- others with different properties could be invented
[14:20:09] Bjoern leaves the room
[14:20:33] <synp> @JeffH: yes, and since httpbis has punted on this (and have done some again right now) we're doing it at WebSec
[14:20:49] <bkihara.l> and httpauth.
[14:20:56] <=JeffH> k
[14:21:40] <stpeter> Adam Langley at the mic
[14:23:16] <resnick> Side question: What's the story with CRIME? If I compress in certain ways, my crypto is easier to crack?
[14:23:58] <stpeter> maybe https://en.wikipedia.org/wiki/CRIME_%28security_exploit%29 has pointers :-)
[14:24:33] <resnick> All answers are in wikipedia. We should just look there for which compression scheme to use; I'm sure there's an answer.
[14:24:55] <stpeter> ;-)
[14:25:14] <hardie@jabber.psg.com> @resnick  Give me a moment….
[14:25:27] <stpeter> Wikipedia answers all questions, but not always correctly
[14:25:31] <bkihara.l> My understanding: if attacker-controlled strings are inserted in the same compression context as sensitive data.
[14:25:38] <=JeffH> the family of issues there are in the domain of layering a protocol such as http over a protocol such as TLS, where an attacker can manipulate things in http context (known plaintext) and thus observe effects in the ciphertext, and adapt, and retry, and extract info over time
[14:25:53] cabo joins the room
[14:26:01] <stpeter> https://datatracker.ietf.org/doc/draft-ruellan-headerdiff/
[14:26:07] <stpeter> is the audio ok?
[14:26:11] <synp> @resnick: if something in the data that is attacker-controlled (like the resource name in URL) matches a longer prefix of something in the header (like a cookie) then the whole thing compresses better. So you add stuff to the attacker-controlled data until you find one option where it compresses better, which means you found the next byte (or actually bit) of cookie
[14:26:55] <cabo> stpeter: it is probably OK as long as he looks to the slides http://wiki.tools.ietf.org/group/wgchairs/wiki/MeetingAV#Audio
[14:27:07] <stpeter> cabo: right
[14:27:13] <stpeter> cabo: I could adjust his mic
[14:29:25] <stpeter> Roberto at the mic
[14:29:25] Andrew Sullivan leaves the room
[14:30:07] <bkihara.l> http body such as "<p>username: bkihara</p><p>query: [url query string]</p>" will be attackable if compressed.
[14:30:37] <stpeter> Adam Langley at the mic
[14:31:08] Andrew Sullivan joins the room
[14:35:46] yuioku.yj leaves the room
[14:37:29] PasiS leaves the room
[14:37:31] sftcd leaves the room
[14:38:29] <stpeter> the jabber relay wandered off for a few minutes, sorry
[14:40:21] Dan Wing leaves the room
[14:40:34] <ghcooper> Take a look at: http://www.akalin.cx/http-2-header-compression
[14:40:43] <ghcooper> (on screen now)
[14:40:46] <stpeter> http://www.akalin.cx/http-2-header-compression
[14:40:49] <stpeter> ah
[14:40:52] <stpeter> thanks ghcooper
[14:41:59] Andrew Sullivan leaves the room
[14:42:43] <stpeter> Janardhan Iyengar at the mic
[14:43:42] <stpeter> Herve at the mic, they will update their proposal
[14:43:51] <stpeter> (to avoid CRIME)
[14:44:31] sftcd joins the room
[14:44:37] <stpeter> Mark: we're only choosing the starting point (but no decision until people dig into these proposals)
[14:44:59] <stpeter> next topic: Upgrade / Negotiation
[14:45:17] <stpeter> 1. NPN / ALPN
[14:45:31] <stpeter> 2. HTTP URIs
[14:45:42] mcmanus joins the room
[14:45:42] <stpeter> 3. DNS hints
[14:45:47] <stpeter> 4. "magic"
[14:47:38] <resnick> I missed what Martin described as his change to the draft.
[14:47:48] <stpeter> resnick: me too
[14:47:58] <resnick> Anybody paying attention?
[14:47:59] <resnick> :)
[14:48:02] <stpeter> :P
[14:48:38] <Martin Thomson> See the draft...
[14:49:00] <Julian> around http://greenbytes.de/tech/webdav/draft-ietf-httpbis-http2-latest.html#starting
[14:49:13] <stpeter> I assume Eliot is talking about https://datatracker.ietf.org/doc/draft-lear-httpbis-svcinfo-rr/
[14:49:13] <Martin Thomson> http://http2.github.com/http2-spec/#SessionHeader
[14:49:14] <resnick> Minute: " Martin: (Describes what he added to draft)"
[14:49:33] <Martin Thomson> The client session header is the 25 byte sequence 0x464f4f202a20485454502f322e300d0a0d0a4241520d0a0d0a (the string FOO * HTTP/2.0\r\n\r\nBAR\r\n\r\n) followed by a SETTINGS frame
[14:50:04] <resnick> (I'm not really all that worried about it. Just wanted to note if people might care.)
[14:50:34] Tim Wicinski leaves the room
[14:52:18] <stpeter> Geoffrey Cooper at the mic
[14:53:04] <stpeter> Roberto: at worst it adds a round trip
[14:54:00] <resnick> Is the correct minute previously: " Mark: Is it safe to assume NPN & TLS? (Nodding heads yes)"
[14:54:04] <resnick> ?
[14:54:14] <stpeter> I think so
[14:54:24] =JeffH leaves the room: Logged out
[14:55:33] sm leaves the room
[14:56:13] <stpeter> Andrei Popov at the mic
[14:56:38] <stpeter> Gabriel Montenegro presenting (briefly)
[14:57:30] <Julian> http://trac.tools.ietf.org/agenda/86/slides/slides-86-httpbis-2.pdf
[14:58:09] <resnick> (The problem with minuting security stuff for me is that it kinda comes through like listening to Charley Brown's teacher. "Wa waa wa waaaa. Waaaa wa wa wa TLS.")
[14:58:19] <stpeter> ;-)
[14:59:58] synp leaves the room: Computer went to sleep
[15:01:37] <stpeter> sorry, folks, gotta run
[15:01:44] stpeter leaves the room: Disconnected: connection closed
[15:04:02] Eliot Lear leaves the room
[15:05:41] <Julian> audio gone?
[15:06:01] sftcd leaves the room
[15:06:11] <barryleiba> Meeting gone.
[15:06:12] cyrus leaves the room
[15:06:20] Kazuki Shimizu leaves the room
[15:06:21] <Julian> :-)
[15:06:24] Julian leaves the room
[15:06:52] mcmanus leaves the room
[15:07:15] Martin Thomson leaves the room
[15:07:52] cabo leaves the room
[15:08:46] resnick leaves the room
[15:08:51] kmurchison leaves the room
[15:09:32] hardie@jabber.psg.com leaves the room
[15:09:46] tfossati leaves the room
[15:12:20] ghcooper leaves the room
[15:12:23] tony.l.hansen leaves the room
[15:14:10] bkihara.l leaves the room
[15:14:33] Ning Kong leaves the room
[15:16:35] PasiS joins the room
[15:18:23] stpeter joins the room
[15:19:23] PasiS leaves the room
[15:20:57] Jacky Yao11 (Health Yao) leaves the room
[15:21:56] Gabriel Montenegro leaves the room
[15:23:08] kazubu joins the room
[15:23:23] kazubu leaves the room
[15:23:43] bkihara.l joins the room
[15:24:17] bkihara.l leaves the room
[15:26:54] barryleiba leaves the room
[15:31:59] sftcd joins the room
[15:32:15] sftcd leaves the room
[15:32:54] Dan Wing joins the room
[15:34:15] Dan Wing leaves the room
[15:37:27] Eliot Lear joins the room
[15:37:45] Eliot Lear leaves the room
[15:37:49] Eliot Lear joins the room
[15:41:10] cyrus joins the room
[15:42:35] cyrus leaves the room
[15:43:58] cabo joins the room
[15:51:07] skupin joins the room
[15:51:54] skupin leaves the room
[15:54:18] Eliot Lear leaves the room
[15:57:42] cabo leaves the room
[16:03:30] stpeter leaves the room: Disconnected: connection closed
[16:30:15] stpeter joins the room
[16:31:04] stpeter leaves the room
[16:45:13] Ning Kong joins the room
[16:49:53] Jacky Yao11 (Health Yao) joins the room
[16:50:57] Jacky Yao11 (Health Yao) leaves the room
[16:54:07] asergeyev leaves the room
[17:01:40] ghcooper joins the room
[17:01:47] ghcooper leaves the room
[17:10:10] Eliot Lear joins the room
[17:13:58] Eliot Lear leaves the room
[17:29:58] Ning Kong leaves the room
[17:30:43] Eliot Lear joins the room
[17:42:03] Eliot Lear leaves the room
[18:19:24] Eliot Lear joins the room
[19:03:57] Eliot Lear leaves the room
[20:56:17] Eliot Lear joins the room
[21:06:23] Eliot Lear leaves the room
[21:06:50] Eliot Lear joins the room
[22:09:37] Eliot Lear leaves the room