IETF
httpbis
httpbis@jabber.ietf.org
Thursday, July 28, 2022
Martin Thomson has set the subject to: https://github.com/httpwg/wg-materials/blob/gh-pages/interim-20-05/agenda.md
https://etherpad.ietf.org:9009/p/notes-ietf-interim-2020-httpbis-01-httpbis?useMonospaceFont=true

GMT+0
[17:23:56] <zulipbot> (Lucas Pardue) hello HyperText Transport enthusiasts
[17:25:53] <zulipbot> (Eric Kinnear) *enthusiasm intensifies*
[17:26:26] <zulipbot> (Tommy Pauly) @Lucas what about the "Protocol" bit?
[17:27:32] <zulipbot> (Lucas Pardue) where we're going, we won't need any ~~roads~~ protocols
[17:28:14] <zulipbot> (Tommy Pauly) Back to the IETF, Part II
[17:28:27] <zulipbot> (Lucas Pardue) my tshirt says that!
[17:31:57] <zulipbot> (Julian Reschke) Guten Morgen, Mark :-)
[17:32:23] <zulipbot> (Lucas Pardue) @mnot did you watch the Neighbours finale? 😢
[17:32:49] <zulipbot> (Lucas Pardue) https://www.bbc.com/news/entertainment-arts-62314556
[17:33:02] <zulipbot> (Justin Richer) they like big bells and they cannot lie
[17:33:02] <zulipbot> (Alan Frindell) Mark's floating head on dark background strikes me as some kind of theater of the absurd
[17:34:02] <zulipbot> (Jonathan Hoyland) So I always thought the floating head effect was caused by the time of day, but it must be day, surely?
[17:34:15] <zulipbot> (Matt Joras) I think this is the third or fourth appearance of said disembodied head and it never gets old.
[17:34:28] <zulipbot> (Wendy Seltzer) Maaark?
[17:34:41] <zulipbot> (Eric Orth) It is near lunchtime where I am, but I did not have lunch yet.  Therefore I did not have a good lunch just now.
[17:34:54] <zulipbot> (Jonathan Hoyland) But your audio is separated from your video by at least a second
[17:35:32] <zulipbot> (Jonathan Hoyland) What happened to Vienna?
[17:36:00] <zulipbot> (Martin Thomson) @_**Jonathan Hoyland|453** [said](https://zulip.ietf.org/#narrow/stream/225-httpbis/topic/jabber/near/30264):
```quote
What happened to Vienna?
```
It's still there, last I checked.
[17:39:16] <zulipbot> (Lucas Pardue) can't hear Mike
[17:39:29] <zulipbot> (Lucas Pardue) no
[17:39:30] <zulipbot> (Lucas Pardue) now better
[17:39:43] <zulipbot> (David Schinazi) Hello fellow enthusiasts, I will be your Jabber scribe for this session. This doesn't have anything to do with Jabber any more; if you want a text comment to be relayed at the microphone, prefix it with "mic:" and I will repeat it
[17:40:10] <zulipbot> (Mark Nottingham) David: That's a macro, isn't it?
[17:40:40] <zulipbot> (David Schinazi) That's a good idea
[17:42:09] <zulipbot> (Ted Hardie) Don't we need an fqdn, not a single label?
[17:44:07] <zulipbot> (Tommy Pauly) Yes, it needs to be an FQDN
[17:46:20] <zulipbot> (Alan Frindell) @_**Mark Nottingham|231** [said](https://zulip.ietf.org/#narrow/stream/225-httpbis/topic/jabber/near/30308):
```quote
Alan - it may have something to do with it being **3:30am HERE** :)
```
Nothing but empathy.
[17:46:35] <zulipbot> (Lucas Pardue) you lose QUIC today when you try to use it and the server says no because Alt-Svc is broken
[17:48:17] <zulipbot> (Martin Thomson) I always hear the ORANGES frame
[17:48:33] <zulipbot> (Jonathan Hoyland) I am so down for H3 ORIGIN
[17:48:33] <zulipbot> (Lucas Pardue) WGLC it
[17:49:27] <zulipbot> (Martin Thomson) I had the same thought as @**Mark Nottingham** there, but I can't think of a way it will interact.  Yet.
[17:49:55] <zulipbot> (Nick Sullivan) I support WGLC for H3 ORIGIN
[17:50:09] <zulipbot> (Lucas Pardue) +1 david
[17:50:39] <zulipbot> (Martin Thomson) Did someone say "cookies"?  I missed lunch.
[17:50:52] <zulipbot> (David Schinazi) Should I line up a question about the cookies?
[17:51:06] <zulipbot> (Martin Thomson) @**David Schinazi** Agenda is tight, so maybe not
[17:51:19] <zulipbot> (Jonathan Hoyland) @MeetEcho please can we realign the camera
[17:51:32] <zulipbot> (Alan Frindell) @_**Martin Thomson|26** [said](https://zulip.ietf.org/#narrow/stream/225-httpbis/topic/jabber/near/30394):
```quote
Did someone say "cookies"?  I missed lunch.
```
Gotta wait for the snack break ;(
[17:51:45] <zulipbot> (Jonathan Hoyland) Thanks
[17:55:18] <zulipbot> (Martin Thomson) For issue 1939, it should be possible to check for /\.(?:[0-9]+|0x[0-9a-f]+)$/ as that is how it is done in the WhatWG URL spec.
[17:57:31] <zulipbot> (David Benjamin) For folks who had been paying attn to the DNS|IP issue before, this is a newer criteria than the old WHATWG spec and the RFC3986 formulation, which looked more like "try to parse as IPv4, otherwise it's DNS". That one is rather hairy, but it turns out to be undesirable for a lot of reasons anyway. This new one is nice and simple.
[17:58:01] seabass leaves the room
[17:58:10] <zulipbot> (David Benjamin) (Turns out it's a problem for systems if "a.1.2.3.4" is a DNS name while "1.2.3.4" is an IP address.)
[18:00:47] <zulipbot> (Jonathan Hoyland) Esp. if you have to account for the ignored leap seconds.
[18:02:08] <zulipbot> (Martin Thomson) I would point out that the "human-friendly" date is not always that friendly.  Not all of us can translate from UTC to our current time zone so easily.
[18:02:26] <zulipbot> (Martin Thomson) ISO -> RFC 3339 profile
[18:02:40] <zulipbot> (Tommy Pauly) Agreed with mt
[18:04:25] <zulipbot> (Tommy Jensen) Prefer int as well, the tools may want to present some other date format than the one we choose, and unaware tools are not worth optimizing for at the expense of minor parsing improvement for everyone
[18:05:10] <zulipbot> (Erik Nygren) Will either minimize the likelihood of y2038 implementation bugs?
[18:05:53] <zulipbot> (Martin Thomson) A controversial suggestion: HTTP will probably need a date that is before $now.  What if we set a later epoch than 1970?
[18:06:34] <zulipbot> (Alex Chernyakhovsky) if we go with int, will there be some tag so tools know it's representing a date since epoch...?
[18:06:47] <zulipbot> (Martin Thomson) @**Alex Chernyakhovsky** yes.  "@" I believe.
[18:06:47] <zulipbot> (Alex Chernyakhovsky) otherwise will tools be expected to use heuristics to show a tooltip or whatever to developers?
[18:07:00] <zulipbot> (Martin Thomson) As in `Sf-Date: @1235634654`
[18:07:13] <zulipbot> (Tommy Pauly) Right, the tools can just always show it in your current TZ as little tip or interpretation or something
[18:07:26] <zulipbot> (Lucas Pardue) set Epoch to RFC 9110 publish time
[18:08:26] <zulipbot> (Erik Nygren) would that then be negative for old web pages last-modified in the 1990s?
[18:08:26] <zulipbot> (Justin Richer) I thought it was rendered with the "@" prefix?
[18:08:41] <zulipbot> (Alex Chernyakhovsky) er, @mt :)
[18:08:54] <zulipbot> (David Schinazi) MIT is different
[18:08:54] <zulipbot> (Lucas Pardue) the web epoch then :D
[18:09:07] <zulipbot> (Alex Chernyakhovsky) yes, but finger macros are hard to fix
[18:09:20] <zulipbot> (Alejandro Sedeño) @_**Alex Chernyakhovsky|344** [said](https://zulip.ietf.org/#narrow/stream/225-httpbis/topic/jabber/near/30550):
```quote
yes, but finger macros are hard to fix
```
so true
.
[18:09:46] <zulipbot> (Martin Thomson) @_**Erik Nygren|672** [said](https://zulip.ietf.org/#narrow/stream/225-httpbis/topic/jabber/near/30539):
```quote
would that then be negative for old web pages last-modified in the 1990s?
```
Awkward, yeah, but you can always pretend they were modified last year.  The cost of that is ...fine.
[18:10:38] <zulipbot> (David Benjamin) I strongly prefer the @12345678 formulation. These values will be parsed by receivers far more than they'll be eyeballed by humans. We've had years of experience with the problems of mis-optimizing formats for the wrong thing. Let's not continue this and add another one.
[18:11:31] <zulipbot> (Justin Richer) ccccccjekbrurjjtlungrkuedektunittlrvcecnuhur
[18:11:44] <zulipbot> (David Schinazi) @DavidBen want me to relay that?
[18:11:45] <zulipbot> (Tommy Pauly) Agreed with DavidBen
[18:13:05] <zulipbot> (Annabelle Backman) Hello!
[18:14:13] <zulipbot> (Julian Reschke) ...fields...
[18:17:15] <zulipbot> (Lucas Pardue) digest spec is with our AD, so no updates :)
[18:21:16] <zulipbot> (David Schinazi) Clarification question: are the normalized fields sent next to the signature, or the original ones pre-normalization?
[18:26:19] <zulipbot> (Julian Reschke) ...field values...
[18:31:23] <zulipbot> (Jonathan Hoyland) Can you have optional but mandatory-to-implement fields?
[18:32:24] <zulipbot> (Jonathan Hoyland) i.e. can we make sure that an implementation that doesn't support SignatureContext is clearly non-spec compliant?
[18:35:20] <zulipbot> (Lucas Pardue) justin: in server push, the server synthesizes a request and sends it to the client. If it signs that request, and the client verification of that signature fails, would this spec specify any behaviour to take? For instance, should the client reject the subsequent pushed response that relates to the failed request?
[18:36:08] <zulipbot> (Justin Richer) short version: we know about XMLDsig and aren't repeating those same mistakes here. :)
[18:37:41] <zulipbot> (Justin Richer) @Jonathan: no, different applications are going to have completely different ideas of what needs to be signed. An implementation that doesn't use the "context" parameter just ... doesn't use it. If a library doesn't let you send that parameter then you can't use that library in that application because it's not fully compliant. Libraries should support all the optional parameters here.
[18:38:36] <zulipbot> (David Benjamin) (Apologies, latency was very high so it took me several RTTs to even realize we were talking concurrently! :-/ )
[18:38:49] <zulipbot> (Darrel Miller) I would be happy to provide feedback
[18:39:55] <zulipbot> (Jonathan Hoyland) @Justin In which case, would the signature be different with "" vs omitted? As in, if someone _is_ using SignatureContext with an empty string, would it be distinct from someone not using it at all?
[18:40:29] <zulipbot> (Jonathan Hoyland) (From what was said, I assume so, but I'm just trying to make sure.)
[18:40:29] <zulipbot> (Darrel Miller) Sorry, to be more clear.  I would be happy to provide feedback and contribute to the Query effort.
[18:40:42] <zulipbot> (Tommy Pauly) Thanks Darrel!
[18:45:43] <zulipbot> (Darrel Miller) Can I suggest avoiding the term "chunk" as it will be confused by some with chunked transfer encoding.
[18:47:55] <zulipbot> (Martin Thomson) try capsule, frame, message, datagram, or packet
[18:48:47] <zulipbot> (David Schinazi) , parcel, MSS, ...
[18:48:47] <zulipbot> (Martin Thomson) I don't think that `Upload-Incomplete` is interoperable.
[18:49:00] <zulipbot> (David Schinazi) s/MSS/segment/
[18:49:00] <zulipbot> (Justin Richer) @lucas I copied your text above to issue #2144
[18:49:53] <zulipbot> (Darrel Miller) I think this is an interesting problem to solve.  Microsoft have numerous APIs where we have attempted to address this problem.
[18:50:06] <zulipbot> (Lucas Pardue) Cloudflare uses other versions of tus successfully for allowing user uploads for some products
[18:50:33] <zulipbot> (Lucas Pardue) I support trying to solve the problem in a more interoperable way
[18:50:59] <zulipbot> (David Schinazi) Lucas would you like me to relay that at the mic
[18:50:59] <zulipbot> (Martin Thomson) A better design, to my mind, would be a 104 response that includes a new resource where uploads can be resumed.
[18:51:12] <zulipbot> (Lucas Pardue) no thanks david
[18:51:25] <zulipbot> (Martin Thomson) The client-selected token worries me.
[18:51:38] <zulipbot> (Tommy Pauly) Agreed. The details have issues. But seems like a good problem to solve, as an individual here.
[18:52:04] <zulipbot> (Martin Thomson) Yeah, I don't see a problem with this being adopted.
[18:52:30] <zulipbot> (Lucas Pardue) FWIW the folks behind tus v1 are onboard with what change control in IETF means
[18:53:12] <zulipbot> (Julian Reschke) yes
[18:53:12] <zulipbot> (Kazuho Oku) +1 to adopt. 104 design is beautiful but potential downside would be that we cannot use HTTP/1.1 (due to broken intermediaries).
[18:54:04] <zulipbot> (Lucas Pardue) can we call it "Chonked" upload, since this is intended for largish resources?
[18:54:18] <zulipbot> (Martin Thomson) @**Kazuho Oku** good point.  Though maybe if the 104 only carried a link relation, the upload resource could be identified in a HEAD request if the client missed or couldn't receive the 104.
[18:54:31] <zulipbot> (David Schinazi) Lucas: lol
[18:55:10] <zulipbot> (Mark Nottingham) 1xx also isn't available in some frameworks (server and client side). Not a dealbreaker, but some friction.
[18:55:36] <zulipbot> (Darrel Miller) Lucas: +100
[18:56:29] <zulipbot> (Julian Reschke) I like the idea of having a useful protocol that would push frameworks/libs to support 1xx
[18:57:51] <zulipbot> (Mark Nottingham) That would be good too.
[18:58:04] <zulipbot> (Tommy Jensen) Sad social side effects of the mentioned incorrect specificity: https://splinternews.com/how-an-internet-mapping-glitch-turned-a-random-kansas-f-1793856052
[19:01:46] <zulipbot> (Justin Richer) +1 to HTTP Chonks
[19:07:18] <zulipbot> (Martin Thomson) Anyone looking to understand the limitations involved should read Section 13.5 of RFC 6772 (I'm listed as author on that document, but that is the only section I wrote).
[19:07:45] <zulipbot> (Martin Thomson) To David's point, a very narrow domain of applicability might (I still say might) help.  Maybe even a lot.
[19:08:24] <zulipbot> (Martin Thomson) Fundamentally, this is not going to address the problem of bad data.
[19:08:50] <zulipbot> (Martin Thomson) Bad data is a baseline fact of geolocation databases.
[19:08:51] <zulipbot> (David Schinazi) +1 to MT about applicability domain. This might (again might) be a way to build something safe
[19:09:32] <zulipbot> (Martin Thomson) That
[19:11:37] <zulipbot> (Martin Thomson) I find it hard to believe that simple traffic analysis won't reveal that the MASQUE server is a MASQUE server
[19:12:09] <zulipbot> (Tommy Pauly) Agreed with mt... I'm not sure if hidden proxies are really going to be viable. Just be public about it.
[19:12:09] <zulipbot> (Alex Chernyakhovsky) possible, but that doesn't immediately suggest all masque servers should be willing to advertise they are masque servers
[19:12:35] <zulipbot> (Martin Thomson) I can see a way to hide certain resources, but not the fact that it is a MASQUE proxy
[19:12:48] <zulipbot> (Jonathan Hoyland) @MeetEcho can we adjust the camera please.
[19:12:48] <zulipbot> (Lucas Pardue) can we not call it MASQUE please, I fear that will spook the folks trying to wrap their head around privacy proxies
[19:13:01] <zulipbot> (Jonathan Hoyland) Thanks
[19:13:01] <zulipbot> (Tommy Pauly) Yeah I could see it more for the specific resources.
[19:14:07] <zulipbot> (Lucas Pardue) stegano-HTTP
[19:14:20] <zulipbot> (Alejandro Sedeño) Gonna need a ntwice.
[19:15:41] <zulipbot> (Julian Reschke) F
[19:19:08] <zulipbot> (Martin Thomson) I would call it "spontaneous HTTP client authentication"
[19:19:21] <zulipbot> (Martin Thomson) exported authenticators, oh yeah
[19:19:34] <zulipbot> (Justin Richer) this feels like Token Binding but spicy
[19:19:47] <zulipbot> (Jonathan Hoyland) Yeah, this is basically EAs without a `CertificateRequest`
[19:20:00] <zulipbot> (Tommy Pauly) "Spicy Binding"
[19:20:29] <zulipbot> (Alan Frindell) frames also hop-by-hop
[19:20:55] <zulipbot> (Jonathan Hoyland) There are clients that do that as well 🤦
[19:21:08] <zulipbot> (Martin Thomson) Spontaneous Client HTTP Authentication version 1 has a great acronym: SCHA-1
[19:21:51] <zulipbot> (Mark Nottingham) I have to step outside for a moment; my breakfast is being delivered.
[19:22:05] <zulipbot> (Lucas Pardue) MTTJMCB
[19:22:18] <zulipbot> (Tommy Pauly) What's for breakfast?
[19:22:31] <zulipbot> (Nick Sullivan) Certificate frame relies on exported authenticators (RFC 9261), which doesn't support spontaneous client auth.
[19:23:28] <zulipbot> (Jonathan Hoyland) I think it's worth working on the client auth problem, even if we don't go with this exact solution
[19:23:41] <zulipbot> (Nick Sullivan) @David happy to talk through the certificate frame doc, it's less scary than it sounds and doesn't require X.509, just a TLS certificate message which can be a raw public key.
[19:24:33] <zulipbot> (Ted Hardie) Did they consider calling it "side channel", just to keep it clear?
[19:24:46] <zulipbot> (Tommy Pauly) Heh
[19:25:12] <zulipbot> (Martin Thomson) So far, all I've heard is "Google has some proprietary extensions to HTTP/2 and plans to make some proprietary extensions to HTTP/3"
[19:25:30] <zulipbot> (Julian Reschke) ha
[19:25:43] <zulipbot> (Mark Nottingham) midders
[19:29:42] <zulipbot> (Alejandro Sedeño) [image.png](/user_uploads/2/24/1PnVx-dS-3a9sdPA3llmeptu/image.png)
[19:30:08] <zulipbot> (Tommy Pauly) The extension point is new frame types, we already have the ability to extend
[19:32:11] <zulipbot> (Erik Nygren) I can see this useful as well, eg for load feedback reporting.
[19:32:24] <zulipbot> (Martin Thomson) @**Alan Frindell** a generic capability that enabled access to writing frames would ALSO be generic, all it requires is that someone write the code in stacks
[19:32:38] <zulipbot> (Tommy Pauly) mt, exactly
[19:32:38] <zulipbot> (Tommy Pauly) Write a load feedback report frame
[19:32:51] <zulipbot> (Lucas Pardue) the Server-Timing response field is a good example of actual framework
[19:33:20] <zulipbot> (Lucas Pardue) this sounds like a ++ to that scope and capability
[19:33:20] <zulipbot> (Martin Thomson) I was not clear enough: I think that this is harmful.
[19:33:33] <zulipbot> (Martin Thomson) mildly so, but still
[19:33:33] <zulipbot> (Matt Joras) The bar for writing a new frame is pretty high. The bar for a user adding new "metadata" is much lower
[19:33:59] <zulipbot> (Lucas Pardue) disagree matt :)
[19:33:59] <zulipbot> (Martin Thomson) @**Matt Joras** NSS has an API that makes it easy, very easy even, to add a new TLS extension.  This cannot be that hard.
[19:34:12] <zulipbot> (Erik Nygren) and having something like this in envoyproxy and standardized does seem useful, even in proprietary context.  The "HAProxy Prefix" is an example of what happens when this happens anyways but outside of standards.
[19:34:25] <zulipbot> (Martin Thomson) @**Matt Joras** I don't see why not.  Within bounds.
[19:34:57] <zulipbot> (Martin Thomson) @_**Alan Frindell|502** [said](https://zulip.ietf.org/#narrow/stream/225-httpbis/topic/jabber/near/31348):
```quote
I think as an optional extension it could be ok
```
Your optional extension is something everyone else has to deal with.
[19:35:10] <zulipbot> (Jonathan Hoyland) @MeetEcho: Adjourned
[19:35:24] <zulipbot> (Alan Frindell) Free to ignore extension frames