httpbis - Tuesday, May 26, 2020

[12:42:21] Mark Nottingham joins the room
[12:48:33] lucaspardue joins the room
[12:53:02] <lucaspardue> @Mark Nottingham I messed up the digests slides first time around, I have a PR with a more correct version at https://github.com/httpwg/wg-materials/pull/57
[12:53:08] <Mark Nottingham> sigh
[12:53:25] hardie joins the room
[12:53:37] <Mark Nottingham> you're taking minutes, Lucas :)
[12:53:46] <lucaspardue> apologies
[12:54:12] <Mark Nottingham> someone is on the webex as "self-isolate"
[12:54:24] <Mark Nottingham> Either they typed the password in the username field, or they're being funny
[12:56:29] Barry Leiba joins the room
[12:56:37] <lucaspardue> wow my machine is failing to find my audio hardware, let me dig out the backup
[12:58:46] Tommy Pauly joins the room
[12:59:12] <Tommy Pauly> Blue sheet is here: https://etherpad.ietf.org:9009/p/notes-ietf-interim-2020-httpbis-01-httpbis?useMonospaceFont=true
[12:59:38] chi.jiun.su joins the room
[13:00:11] jhoyla joins the room
[13:01:07] Martin Thomson joins the room
[13:02:19] bdc joins the room
[13:05:02] Roberto Polli joins the room
[13:05:36] <Martin Thomson> Fabulous, lost slides again...
[13:06:13] <Martin Thomson> Question: what do you do with all the stuff that isn't signed again?
[13:06:41] <jhoyla> Me too, Webex is not the most reliable software I have ever used.
[13:07:53] Roman Danyliw joins the room
[13:08:37] <Martin Thomson> Why would you ever not include the request target?
[13:09:25] <lucaspardue> because its a response?
[13:09:43] <Martin Thomson> exactly - are you ever in a position to be confused about that?
[13:10:11] Mike Bishop joins the room
[13:10:41] <Roberto Polli> +1 for Signature-Input though it's similar to Signed-Headers from webpackage
[13:11:13] <Roberto Polli> @lucaspardue imho the spec should work for both requests and responses
[13:12:40] <jhoyla> What does it mean to have one signature cover another?
[13:12:54] <jhoyla> As in, what information is that intended to convey?
[13:13:58] <lucaspardue> "intermediary N is signing the downstream's provided headers"
[13:14:50] <jhoyla> Does that require the intermediary to not modify the headers at all?
[13:15:16] <Martin Thomson> https://gist.github.com/martinthomson/4e777ba5e5fdfa73cce1544b17d689ba
[13:16:47] <Roberto Polli> Q1: in both the slides and gh there's a proposal to remove `expires`. imho it not a secure choice as it put the signature out of control of the signer
[13:17:49] <Martin Thomson> Roberto: can you turn your video off please?
[13:18:57] <Roberto Polli> Q2: Probably I would retain the signature and its metadata together
[13:19:34] <hardie> Do we have a jabber relay?
[13:20:35] <James Gruessing> It appears we don’t explicitly.
[13:20:59] <hardie> Since Roberto is speaking, we apparently don't need it at the moment.
[13:25:13] <Martin Thomson> where are the slides? I can't find them on the GitHub Repo
[13:26:18] <jhoyla> Ugh, slides died again ...
[13:26:21] <James Gruessing> Martin: https://github.com/httpwg/wg-materials/tree/gh-pages/interim-20-05 if you’re talking about Annabelle’s slides, I think Mark said they’d be added later?
[13:26:46] felixh joins the room
[13:26:52] <Martin Thomson> ahh, I missed the bit where they weren't available ahead of time
[13:27:24] <James Gruessing> Apparently they were only emailed 10 minutes before start of meeting.
[13:27:41] <Martin Thomson> That was very tolerant of Mark on our behalf
[13:32:06] <bdc> Mark and Tommy had asked that slides be sent a week before...
[13:32:32] <hardie> Experimental if there is no client implementation seems like a useful way to get this documented and allow for some use.
[13:37:41] <Martin Thomson> Nope
[13:41:59] <Roberto Polli> lucaspardue: parameters could be useful for MICE+digest
[13:46:07] bdc leaves the room: Disconnected: Received SIGTERM
[13:48:45] <Martin Thomson> lucaspardue: I think that Watson is right if you are talking about protecting using sha-256 (for example), but id-sha-256 isn't vulnerable to the same.
[13:50:58] <lucaspardue> yeah I tend to agree
[13:52:01] <Martin Thomson> Of course, the proxy that translates content codings needs to recalculate the digest, so you are pretty much guaranteed to be exposed to not just bugs in the implementation, but malice or incompetence at the proxy
[14:04:35] <lucaspardue> yeah, I think an origin worried about this would want to provide the `id-sha-256` in the hope that it makes it all the way through to the client
[14:04:58] <jhoyla> This sounds like a job for a Ph.D. student.
[14:05:15] <jhoyla> Important + not urgent is where Ph.D. students live :P.
[14:09:35] <Martin Thomson> send in midders. only.
[14:10:57] <Martin Thomson> this is a clear extension to me, as it doesn't affect any processing
[14:17:31] Tommy Pauly leaves the room
[14:20:05] felixh leaves the room
[14:22:34] James Gruessing leaves the room
[14:23:50] roman joins the room
[14:30:39] roman joins the room
[14:33:26] Mike Bishop leaves the room
[14:40:30] Roman Danyliw leaves the room: Disconnected: closed
[14:44:34] roman leaves the room: Disconnected: closed
[14:50:38] Martin Thomson leaves the room
[14:59:05] lucaspardue leaves the room: Disconnected: BOSH client silent for over 60 seconds
[15:22:31] jhoyla leaves the room
[15:29:02] Mark Nottingham leaves the room: Disconnected: closed
[15:52:53] roman leaves the room
[16:22:14] chi.jiun.su leaves the room
[17:03:11] hardie leaves the room
[17:47:45] Barry Leiba leaves the room
[18:14:44] Roberto Polli leaves the room
[23:47:29] Mark Nottingham joins the room