Re: Request to Charter a New Working Group: Oblivious HTTP (OHTTP)

Hi IESG,

Martin's draft is interesting, but I have several questions:

  1. How is the key configuration authenticated and retrieved?  I *think* the intent is that a direct HTTPS request is made, but it's not clear.  Is it to a /.well-known something or other?  Is it a GET or a POST?
  2. Is the use of this work likely to help miscreants more than those in need of privacy?
  3. Should we expect session capabilities to be built in at higher layers through identifiers passed in forms?

I want to spend just a little time on (2).  If what we are doing is standardizing tooling and providing libraries for BOTnets to operate against web sites, where the web site has no recourse when it is attacked, then why would anyone implement this?  It also seems that this tooling will hamper lawful intercept, *unless* session mechanisms are re-established in the content, in which case, aren't we going to bring on a rather large retooling?  And if so, will the ends of the draft actually be met?

Is this same service going to further harm clients by making it even more difficult to block known malicious web sites?  Not only would a local deployment not be able to do this, but proxies themselves wouldn't be able to spot malware.  Combine that with some rather impressive phishing capabilities of bad actors, and aren't we just hamstringing our ability to put down malware attacks?

I am *asking* these questions, but I would rather that they get properly discussed and answered before the WG is approved.  What I would hate to see is a lot of effort take place to land people right back to where they were.

Eliot

On 07.06.21 20:30, IESG Secretary wrote:
The IESG has received a request to charter a new working group, 
Oblivious HTTP (OHTTP).  The proposed charter, which is a work in 
progress, can be found here:

<https://datatracker.ietf.org/doc/charter-ietf-ohttp/>

The charter will be discussed on the <ohttp@xxxxxxxx> mailing list,
which can be subscribed to here:

<https://www.ietf.org/mailman/listinfo/ohttp>

_______________________________________________
IETF-Announce mailing list
IETF-Announce@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf-announce
