From YouTube: IETF104-HTTPBIS-20190328-1350
Description
HTTPBIS meeting session at IETF104
2019/03/28 1350
https://datatracker.ietf.org/meeting/104/proceedings/
...a little easier for us to hear. Thank you. That's awesome, I appreciate it. We've already got a note-taker, thank you, Yoav, and we've also gathered a Jabber scribe, thank you, Julian, so we've got our act together. At least what we've got going here today is a little more diverse than our first meeting of the week.

Here's our agenda. Hopefully these drafts look familiar to you and you have read them on your own. BCP56bis, which is an interesting thing. The Cache header, Client Hints, Structured Headers, Secondary Certs. We'll have a great update from Mike Bishop on the HTTP/3 work and how that's going with QUIC, and then one, two, three, four, five proposals, and sort of my eyes. So as we talk about the adopted drafts we'll also probably talk about open issues in the effort to move those drafts forward.

The two main kind of areas: if you look at the issues list, I think there are a few issues, and a number open by Jeffrey. Asking Jeffrey, are you here? Yes, you are. Hello, you're very yellow. Again, it's very easy to find you. So the main consumer for a lot of the feedback we've had from Variants is actually the web packaging work.

They're using Variants as a way to talk about the selection of the representations in the package, as I understand it, and so Jeffrey's been giving good feedback, and for me it's really good confirmation that Variants seems to actually work for their use case, which means as a mechanism it kind of works.

I'm also still talking to implementers. Fastly is talking about it internally; well, I don't have any commitments to make there, of course. And I've had a long-running conversation and needling of Leif Hedstrom from Apache Traffic Server. Are you in the room? Yeah, still at lunch. He's looking at prototyping it in a module; because of the way modules work in ATS it probably won't be a full implementation, but it will at least give a proof-of-concept, see how it runs. I won't go into the issues here.

I just once again encourage people to review it, to implement it if you so feel inclined, so it gets some more feedback. For me, the only big thing in mind about this spec is its nature: that to work with a particular content negotiation mechanism, so, you know, a request header, a response header, that pair, you need to define an algorithm in a spec somewhere and have that implemented in the cache for it to work. Otherwise, you fall back to Vary behavior. That's the trade-off.

The first attempt we made at this was the Key header, if you remember that, and in Key you actually embedded that algorithm into the header, you know, in this little constraint language, and we decided that that was horribly complex and hard to implement, because it meant potentially unbounded CPU on the cache, and error-prone, because authors had to get that algorithm exactly right when they produced that header. So that's why we moved to the Variants approach.

That causes a little consternation by some, but that's what we've decided. I probably will do another editorial pass through the document and make sure that it still makes sense at some point, and if people have additional things they want to talk about, I think we probably could do that if we needed to. It's not hard closed. It's just kind of soft closed. Yeah.
...you have up front. So this is just something that kind of came up during the discussions around using DNS over HTTPS. One of the pieces of advice in BCP56bis is that one of the ways of disambiguating an application that is not the web that uses HTTP as a substrate is using a media type, which is what DoH essentially does, because it uses the UDP wire format of the DNS as kind of a key part of it. So.

And so I think this is great advice. I was just going to suggest that we also add something into the security and privacy considerations that says what that does mean, though, is if you have a proxy or something else that's capable of seeing this application-specific media type, it becomes a fingerprinting point to allow them to know which of these applications you're using, since it's not a generic content type; it is an application-specific media type, right.

So, in particular, for the privacy section, all I'm suggesting is that it note that when you use one of these application-specific media types, anything that's a proxy along the path, being on behalf of the end-user or the origin server, will thereby know which one of these applications is using the HTTP substrate.

I'm gonna push back on that a little bit, because I think that what you're really saying is that if you don't encrypt data, anything on the path can see that data. That's true for everything. It's true for the headers; it's true for the body. MIME sniffing is now well-documented and widely implemented, so even if you use a generic media type, they can still understand what application you're using. Well.

So, open issues. I think this is largely done as a spec. I think I probably need to do one or two more iterations on it, and I think we need to get some people prototyping with it. The two issues we have open: 778, cache header name.

This thing, then, maybe you can also wait for the other things to come to the point where it's a little more mature, and then you have a little bit more information. Sure. I know it's a little... when you have to go out and probably ship some things without a name, or short, that's harder. This is pre-emptive. It's.
It's only over secure connections, so that would prevent MITMs from extracting that information and increasing surveillance situations. Same origin only. So this is more of a web concern, but it basically prevents unauthorized fingerprinting by third parties when the first-party origin enables those hints, and at the same time, in order to enable some of the use cases, we do permit cross-origin delegations. So a first-party origin can delegate the hint to certain third-party origins which have a legitimate use of that information.

The opt-in mechanisms are a couple of server response headers. One of them is Accept-CH, a header that provides a list of tokens for the various hints, the various features that this server is interested in getting information about, and the other is Accept-CH-Lifetime, which gives a number of milliseconds for which that opt-in should be preserved for that origin, so that enables client hints over future navigation requests.

The third point, the delegation mechanism, is basically like I said: client hints are sent only to the first party, to the same origin, by default, when the opt-in is delivered over the top-level navigation response, which prevents us from leaking information through passive resources. So a previous concern with the proposal was that if a page includes image resources, those image resources would get that information even though they cannot theoretically run JavaScript in order to extract it by other means.

So, in order to tackle that, we introduced a delegation mechanism that is using Feature Policy, and a Feature-Policy header can be used to tell the browser that a particular host should get a particular hint, so, for example, enable viewport width and DPR delegation to image CDNs. That's the main use case that we had in mind.

But the main arguments here are the first ones: oh, we want to not send CORS and be sure that we're doing the right thing. Okay, so there are various features that rely on that infrastructure. I divided them into improved content negotiation, where we have image-related hints that are defined as part of HTML, or are supposed to be defined as part of HTML once the PRs land, and we have a bunch of network-related hints, which are defined in the Net Info specifications.

So RTT, Downlink, Effective Connection Type, and we potentially may want to spin off Save-Data into its own specification, because it's slightly different, and we've heard some interest from people who want to implement Save-Data but not the other network-related hints. All of this is currently shipped in Chromium.

Okay, and we have a couple of features that we want to use in order to reduce passive fingerprinting surface on the web. So currently the User-Agent header and Accept-Language are headers that contain multiple bits of information. They are sent with every request on the web to every server that is interested or not, and we want to make it stop.

So we plan to replace those mechanisms, or start by supplementing those mechanisms, with client hints that enable deliberate access to the same amount of information, but one that requires a server opt-in, and then, hopefully over time as compat permits, deprecate or freeze the passive fingerprinting vectors. This is currently implemented in Chromium, but not yet shipped. And the changes to the draft since the last time we presented are that we removed the image-specific hints that were part of the IETF draft and moved them to the HTML PR.

We did that both to have better processing models defined for those, as well as to reduce confusion between the hints infrastructure and the features that are using it, because theoretically browsers could implement the infrastructure but not implement the image-related hints if they choose not to. We have a PR up in the air to add a Sec- prefix, following the Sec- prefix recommendation, and I also wrote down, because the current specification is split between the IETF draft, HTML parts, Fetch PRs and other specifications.

We currently have running code in Chromium as well as in various servers, and one particular image CDN that we work with is Cloudinary, and we want more browsers to implement in order for us to be able to move forward the IETF draft, in order to land the PRs and, most importantly, in order to improve user privacy, performance and experience on the web. So with that, questions.
Regarding the Feature Policy, I know that there are some concerns about inheritability of feature policies to nested contexts, and in the context of client hints, to be honest, I think it would be fine either way, whether the frames inherit that or not, or like inherit that without opting in as themselves or not, would both be... From my perspective, both solutions would be fine, so I'm.

Only having seen this for the first time today, and I didn't realize you tied into Feature Policy until you mentioned it up on the slides here, it does seem to fit fairly well with the use of feature policy that we imagine is most directly useful in the short term. Unfortunately, we have some reservations about how that policy is expressed and managed and so forth, and the way that the other aspects of feature policy then sort of bleed into this, making it a lot more difficult to make progress. Yeah, that's probably feedback for the feature policy.

People, as much as it is here. I would say that you could probably move forward with this and the other pieces of this, modulo the concerns about the fact that I haven't read all of it, without the feature policy part, and simply say that it doesn't delegate into third-party contexts until you work out the feature policy part, and then progress that independently.

Tommy Pauly, Apple, and as an individual. So yeah, thanks again for the clarifications on this. So we had discussed before, and you made a comment about Save-Data being a little bit different. From our perspective, I think at this point we're interested in being able to mark Save-Data. At this point, I don't think we are necessarily planning on doing anything with the other hints. We do have some reservations, but thank you again for presenting this; we'll definitely go and review that more.

Thank you. And actually, just kind of from an editorial standpoint, then it may be good to mention what things make sense as client hints or not. I think, for, like, the networking info perspective, a lot of those things are saying, oh, this is my RTT, there's other properties of the network. The Save-Data seems like a different category, because it's probably more of a user opt-in, and so giving a rubric for people extending this in the future, to say these are the types of things that make sense as hints, would be great. Okay, thank you.
So, Mark, yeah, this mic is different. Mark Nottingham. So with my Fastly hat on, I've talked to our image optimizer team and they're interested in this. It's, you know, exciting to get that granularity of data and to be able to automatically, you know, optimize images for websites that are our customers, so yeah, please continue. With no particular hat on, I would encourage folks to look at this document.

We were talking about it in this working group as a framework for new content negotiation mechanisms, and I would hope that we would not require all new content negotiation mechanisms to use it, but there'd be a lot of encouragement that this is a good pattern. Let's find the right pattern for this document, and then can I beat the bushes towards that in the future. I think that's your intent, and that's where to get confirmation there. Yeah, okay.

No, so, like, I guess I'm not sure I agree with the characterization that this reduces the fingerprinting surface. Changing some of the things that are currently sent in request headers into client hints obviously does, but the problem is you're also adding things which would not otherwise be accessible to the server, versus memory.

Basically, this is not adding any new information that a website cannot conclude from a JavaScript API, so it's in a sense identical to currently existing active fingerprinting vectors that browsers can track, block, lie about, or somehow, you know, penalize usage of, but it doesn't add any passive vectors. If that makes sense, I mean.
...thing would make a difference. Once again, there's a difference between something which the servers explicitly do and something which is sent with every request. And so one of the things that we look at in order to determine whether or not...

One of the things we look at, you know, in order to determine whether or not certain activities by servers are fingerprinting is to determine whether they're making requests for data which they don't make legitimate use of on the client side, and so, for instance, WebRTC. And so what happens is they ask for an array of things which then gets sent to the server?

I don't think that's accurate, for the reasons I indicated. The fact is, we can tell when the site is actually going to make use of the data, as opposed to when they're shipping it back for storage; but when it's being sent, and if it's stuffing a cookie, that is something we potentially consider abusive.

This, in other words, is coming up fairly often, yeah, from different folks, yes. And I think there are a number of people who feel that there is an equivalence here and other people who disagree, so it seems like we need an issue just about that, and we need to find a way to get resolution, probably pulling in the appropriate people. Sure, different places, yeah.

Robin Marx. I just wanted to say the idea of splitting the Save-Data header into a separate spec seems very good to me. As we talked about before, I see a future where we also have more specific user preferences, not just a generic Save-Data, but actually users saying I want this type of content, I don't want this type of content, please, so that would make that easier in the future to do. So please do that. Okay, Alun.
...are respected only when coming in on responses from a top-level navigation response, and so if the server is not sending an Accept-CH, and it's only interested in hints on subresources, it needs to send them on every navigation response. If the server is interested in having those hints be applicable to future navigation requests, then it needs to add an Accept-CH-Lifetime, and for that lifetime it doesn't need to opt in again, even though it could. Okay.

Yeah, so Structured Headers is, I think, nearing completion. We have a few issues open which we need to work through. I'll go through a couple of them very briefly, and then I think the meaty one is the last one, 737. So we just opened 780 to define a URI reference type. I think we kind of informally considered this before and didn't see a lot of interest, but it doesn't cost a lot to add.

So my only concern here is, you know, how strict are we going to be about the URI reference syntax inside of the brackets? You know, there's this tension between the formal definition of URIs and what browsers often allow inside URIs for things like Location, and if we specify something that's very strict, will that strictness be maintained, or will we have interoperability issues as some people loosen it up? Right, to the microphone. So.

Well, I agree that's a concern. I think it's a concern regardless of whether they're represented in angle brackets or double quotes, so I don't think you've addressed that kind of concern anywhere else in the spec. It's just... Sure, yeah, brackets is just a way of distinguishing them from strings. It's.
There's just a fairly strong practice of using sloppy, call them sloppy, URLs; there's a fairly strong practice of using them. But I'm not against trying here. I think the worst possible outcome would be that we specify it and it gets implemented, but some people implement it badly, and then this is an area of the spec that you can't use because there's poor interop, or that you have to use with kid gloves or whatever. But that's not to say it's not worth trying. Right.

Yeah, I'm happy to add that. I think the next one, 781, empty lists and empty field values. I think this is... we constrained the syntax of things like lists to require at least one item back when we were being really strict about a lot of things. I could see an argument to allow empty lists, the only thing being that, if I remember, there have been issues in the past where you have headers with empty values that are stripped by some implementations. I don't know how widespread that is, but I think it does happen.

...the Structured Header fields specification, because there actually is a generic parsing syntax for HTTP. It's just that we don't declare it, but if we have one, I want it to actually make some progress and not reduce the amount of things that you can define. The Accept header field, for example, has meaning when it's sent empty. See.
The goal of this is to be somewhat compatible with common HTTP, but more to have a crisp data model for new headers, especially. People in the past have said why don't we have null here, and I think that's an interesting question. My response off-the-cuff was that we don't see anybody using null in existing headers, but I'm happy to be proven wrong on that. For empty lists, you characterize it as a theoretical concern; I think it's a very practical one. It's that it won't work in certain circumstances.

It sounds like you want it to be theoretically complete in allowing empty sets, which I understand and I sympathize with; it's just that in the current syntax that won't work on the wire in some circumstances, as far as we're aware. Having said all of that, I'm happy to open up the syntax and just put a warning there if other people think that this is important. I see Kazuho nodding his head. Anybody else? How many things.

Who cares about this? Julian Reschke, anybody else? Julian, can you just... do you agree with Roy? Just point at Roy if you agree with Roy. He agrees with Roy. Okay, all right. Let's open it up and see what happens, but I do want to put a warning there that if you have an empty list in your syntax, it may get lost along the way. 'Cause.

Right, yes, what we have right now: parameters are a set, and there's a question of whether you want to be able to preserve ordering there, because dictionaries are an ordered dictionary. We added that a while back because it seemed like there was half-decent implementation support for it, and there were definitely use cases for it. So I think the actual request here is to turn parameters into an ordered dictionary rather than an unordered dictionary. I don't know, my comment said: does that make sense to folks? Because I found a use case for it?

Well, that's a list, yeah. No, so dictionaries are ordered, they're an ordered dictionary, and because parameters on a parameterised item, our model is a dictionary, there's a dissonance, because dictionaries are ordered and parameters are not, and what I think we want to do here is make parameters an ordered dictionary as well. And I see a thumbs up.
For the love of God, somebody write that down. So this is the fun one, integer limits. One of our implementers, our hard-working implementers, noticed that implementing Structured Headers in JavaScript was tricky because integers in... yeah, I'm not done yet, Murray... because integers in JavaScript have a constrained range. See, there's a lot more here. And so we went back and forth on that for quite some time. Very wise.

...that implementations were required to support, but that could support numbers outside that range if they chose; that was the minimum footprint for interoperability, which is the same approach we've taken on most of our other headers. For example, we say implementations must support lists with at least foo members, and I think foo is a thousand twenty-four, if I remember correctly. And so that seemed to gain some support, and then PHK came along and made a different proposal, which was... I love the reaction to the phrase "then PHK came along".

He made a proposal that we limit the syntax to a number of digits, a number of characters, first, and then you parse it, and then you have an integer. And so then I believe the number of digits proposed was 15 after you take the sign off, and so the practical effect of that is that our abstract value range is fixed; it can't be greater, even if your implementation so chooses, and it is smaller than 2 to the 52. It's, it's.

You know, because you need to chop a digit off, effectively. And so we went back and forth on that, and if you scroll to the very last message here, I think, yeah, so the PR allows up to 19 digits, you know, if you support that many, whereas his supports 15 digits, and so it's a trade-off, and I think the trade-off, if I understand the argument that's being made...
...is that by constraining the number of digits, and failing if it's more than 15, and then parsing it as an integer, we actually get more reliable behavior. We're not throwing it into an integer parser and then hoping that works in a way we understand, and then, you know, constraining that result; we're doing it the other way around, and so it's more predictable, and I like that property. That's a good property!

PHK makes another argument, which is that it's easier for implementers to get the range right, because it's not, you know, 2 to the 52; it's just a bunch of nines, which I personally find a little bit weak, but hey, whatever. And then the other argument is... I think you're not good? He says you're not gonna need that extended range, which is where I wanted to probe people and see if they felt... I think that the PHK proposal makes sense.

I just wanted to get feedback from everybody that they understand what we're getting into here, that the integer type in Structured Headers is going to have a fixed range, and that if people need numbers bigger than that, they're gonna have to do something else, like stick it in a string or a binary, or come up with a new Structured Header type, which might be completely okay. But I just want to make sure that this is where our eyes are open. So.
...get that at all from the conversation. My understanding was that he wants to clamp the number of digits and generate an error if you exceed it, as a way to make sure that whatever you feed into the parser is what we think it is, you know. So, you know, I think you do a filtering for non-digit characters, number of digits, and then, if that all passes, then you're good to feed it into a parser.

15 digits is a lot of favors, yeah, and we do have limits in other protocols that sort of are in that general size category. Now it is in theory possible, even in a protocol like QUIC, to exceed this number in terms of counting bytes, or if you want to count bits, you can count bits.

Milliseconds, nanoseconds. You get a pretty long way with 15 digits, and I'm perfectly comfortable in following PHK's suggestion here, because I think that anyone who needs anything more than that, I think they can probably get by with the string hack or the different type hack or any of these other things, and this is pretty straightforward. Do we have floating point, or did we cut that? I think we don't have floating point. Oh, Kazuho waves.
Floats, yeah, yeah; we'll have that debate separately. But I think that that's... if you want to go really big, sometimes you might need precision on that. But if you're talking, you know, financial things, good luck to you. You've got a number that big, by the way, but then you're going to have to build special data structures for it, and you're gonna know that you're gonna need to build special support. So.

So my reaction to Kazuho's proposal is nervousness, because I think it might suffer in places that matter, and yeah. So, just a concrete example: if you are running over QUIC and you want to represent a stream identifier, you can't do it with an integer here, and I think I'm okay with that too. Like I said, you can come up with a bigint if you want later on. You.

Bryan Sniffen. My concern here is that if the limit is there, some people will lazily build parsers that just parse whatever JavaScript naturally represents, and so there will be some messages that are interpreted in some place as an integer, if it fits, and if it doesn't fit in this, in some places as a string, and so that's going to get complicated and then eventually exciting. So.
So this is the wonderful thing we're trying to do with SH: we really, really, really, really mean it that you be strict in parsing, and so all the parsing is specified by algorithm and we have a test suite to prove that people actually follow the algorithms. It's... yes, it is a bit of a game of chicken. Somebody might go out there and create the permissive structured header parser and...

Before I... again, I just have a meta comment that the idea, as I understood it originally, was to simplify the processing of HTTP message handlers by providing them a more regular grammar. I do not in any circumstances understand why you would need this kind of data in a header field. Now I could understand having large numbers; I can understand having binary values; I can understand having UTF-8. Very large strings of digits doesn't make any sense to me whatsoever, because there's a point at which you just put it in base64; otherwise you're sending too many characters, I mean. Obviously people don't read these numbers. So what it sounds like is your agreement with the PHK approach, then. Okay.

But, Mark, mention, if you just happen to have 2 to the 61 or so QUIC streams, and you wanted to identify them, you won't be able to. Oh, well, when you think about what it takes to get to 2 to the 61, or in the order of 2 to the 61, streams into a QUIC connection, you'll realize that you've run out of packet numbers, and so it's kind of academic. Well.
One is the mis-issued cert problem, where you've been able to... the attacker has been able to induce a CA to issue a certificate with your name on it, and then can go and get somebody to connect to them thinking that they're actually connecting to you. And the other one is that you get a legitimate cert and it's compromised, and it's easier to use, because you can go deploy it on your site and send it over secondary certs, so long as you have the appropriate private key.

So when we're talking about what you need to do in both of these cases, if you want to pick up attack traffic, you have to be able to subvert either IP routing or DNS resolution in the normal case, and we're trying not to create that situation with secondary certs. We don't want to make the problem worse by making it easier for attackers. Next slide.

So, next slide. This is what it looks like on a CDN, where the CDN has to have some kind of a bridge cert that can require whatever the primary cert was, and then that's the thing that all of these secondary certs that it's going to present from other customers... So we talked about this last time. This seemed generally acceptable, but it has one major failing, big slide, which is that it really only fixes one of the two problems we're talking about.
If you have a compromised certificate that's legitimate, the certificate was originally issued as saying it is only able to be used on my CDN. Somebody compromises it, gets that private key. They still can't use it as a secondary cert anywhere else, because it's bound to that CDN, and if they bring it back to that CDN, presumably they will notice that they have a second customer presenting a certificate for the same domain and alert someone that that might be an issue.

So the problem that we don't have a solution for yet is what happens with mis-issued certs, where if the attacker is able to get the CA to sign anything they want, they can put anything they want in the certificate, and nothing we define to be added to the certificate can stop them. Next slide. So remember, the problem that we're trying to deal with is this is an induced navigation. Now you don't have to put the attacker's domain in the same cert.

So the issue here is that without secondary certs, if somebody were to go and mis-issue a cert that jointly covered victim.com and attacker.com, and they could get you to click on a link to attacker.com, then, you know, the owner of victim.com would be checking CT logs for things that reference their domain, find that cert and have it revoked. Now the difficulty with secondary certs is you no longer have to put attacker.com in the mis-issued victim.com cert, so you haven't really changed.

So, let's solve the compromised certificate issue with the PR that we already have and move on, or we now think that this is a problem, and we think that we are maybe reversing ourselves from 8336, or we need some other kind of guarantee there, in which case let's fix it. Both lists... so, next slide, I think we need to have a discussion about which of... we have two axes here of.
I'm
just
trying
to
think
through
the
defense
you're
proposing
for
or
the
first
defensive
proposing
sure
can
you
go
back
to
the
slide.
Please
sorry.
R
Yes,
no
even
better
good,
good,
good,
okay,
so
so,
as
I
understand
it.
The
way
this
works
is
that
what
I
want
a
secondary
search?
It's
gotta
have
a
trivial
version.
It's
gotta
have
lists
the
name
of
some
of
some
primary
search,
which
has
to
be
previously
displayed
right,
that's
to
already
be
proven
on
the
connection,
yes
right,
and
that
if
this
is
intended
to
fend
defending
against
this
defend
against
the
scenario
where,
where
the
certificate
it
was
difficult,
all
right,
yes,
okay
and
so
ends.
The
ends
of
the
concept
is
the
concept
here.
R
Is
it
that
certificate
presume
that
the
height
of
the
DNS
for
that
certificate
I
mean
well
when
I
break
this,
when
I
break
into
the
CDN
and
I
steal
like
the
secondary
search,
I
stole
auto
service
right
I
said
all
the
private
keys
right,
so
I
got
them
all,
but
the
assumption
is
that
I
would
have
to
have
gone
to
the
DNS
for
the
primary
right.
Whatever.
Z
Y
Y
So say: I don't remember if I have... okay, yeah, so we have the two discussions here of focusing on just the compromised cert. Are we, third IETF having basically the same proposal, are we comfortable that for that problem this is the right solution, or do we have other things that we should do instead? And for the compromised cert, for the mis-issued cert case?
Y
Do we have other questions here of exactly how we want to handle this? I've heard some suggestions in hallway conversations this week, this meeting. Maybe we want to require a CAA record to bind you to a particular CA so that, you know, you reduce the scope of your mis-issue, and I see that bringing lots of people to the microphone, actually.
AA
Before we go there, I want to ask... this is Nick Sullivan, Cloudflare. I want to go back to the slide where you have "required star", and I'd like to ask whether or not "required star" bypasses this ability to track down a... a stolen certificate, or... having "required star".
AA
Y
AA
Right, so yeah, I just want to clarify that point, and then the other piece is yes, as you suggested, there are, for some types of certificates such as signed exchanges, additional requirements to validate something in the CAA record, so that it's much more difficult to mis-issue. I think that might be a potentially helpful situation here for any certificate that has the "requires" in it. Yeah.
Y
M
So, Martin Thomson. I like the CAA thing as a belt and suspenders and glue option here. I think that the simplification that we're looking for... this is already a lot simpler than what we saw in Bangkok. The simplification is to take that "requires star" option away and have it... you have CDN.com in customer1.com's certificate, and therefore everyone else can just point to that. I'm not sure what the star is providing, based on a second look at this one. So.
Y
Y
M
Y
H
Watson Ladd here from Cloudflare. I'm a bit concerned with the fact that we're looking at mis-issuance and saying that, well, through some mis-issued cert we have no indication of what's going on, and this is very surprising to me. I thought CAs had to keep records of all their issuances, explain why they issued the certs, and if they couldn't provide those records and there was a problem, then the banhammer falls on them, and so I'm just a little confused by the mis-issuance.
H
H
H
M
So, Martin Thomson. One of the principles that we used with doing this mis-issuance thing is not so much worrying about those sorts of columns. Yes, people can hijack BGP and they can do DNS things, but the key here is understanding that there are a lot of these records that are produced and, yes, everyone is auditing these things, but they can only audit those things to the extent that they are auditing those things, and the people doing the auditing might not have any more information.
M
That's relevant to the particular scenario than the person who was issuing the certificate in the first place, and so the reason that you want that, one of the principles driving this, is saying: well, if I'm the owner of a domain, I can look at the CT logs and get alerts for things that I would generate it, and I'm really the only one who knows that I have requested a certificate be issued for that name, and if something appears that doesn't appear in your database, you can then take action.
M
And so there's layers of defense that we're talking about here, and this is probably why we don't want to have things like the "requires star" in here too often, and we probably want to have some rather extraordinary circumstances under which that is issued, because it removes that breadcrumb trail that you're talking about, right. It's.
R
R
Is on, but like, so, so I'm like, I want my... I'm gonna get my certificate, you know, hosted by, like, some CDN, yeah, right, I mean my site is... presidency, yeah, so I get a certificate, and when I... what I want is that, you know, that they went to the CDN to visit Missoula.com and then they make her, and then they can make a request for, like, org.
R
If I'm not right, that's a behavior I want, but like, as I understand, what I mean, unless I'm missing something, like the set of the names they come in on is, like, randomly distributed, and I said... it means they... what is like randomly distributed, which means that, like, I just understand, like, how I don't end up with "require star" all the time? Is it that... are they spoke to some other secondary certificate.
R
The hints through you always okay, so the idea is I'm supposed to say, like, I'm supposed to say my thing: Cloudflare.com, and then when the... and then when they... and then to enable secondary certs, like you said, they come in on this a lot, then they secondary cert Cloudflare, and then finally the 2nd distr RTFM. That's the idea, supposed to be, so then I don't understand why you need the star, but it seems like, seeing as you publish the name of that damn thing, well.
Y
AA
So the situation is, there's ten different sites you can come in on, and each one of those sites can have any of, you know, a thousand secondary certs. So if you had star, then we would all... as a CDN, you would only have to issue one hinge cert that would work no matter which one of those ten you come in on.
AA
R
R
M
You might arrive on any one of a thousand certificates. In order to provision the CDN.com certificate, and in order for the client to add CDN.com to the set of names that the connection is good for, that certificate has to point to one that you already have in there, right. So you, you know, A, B, C, D, E, F, G, that has to point to every single one of them.
M
R
I mean, yes, you can certainly build the system that way, but like, that's just because you've got, like, some mechanism you're loading, like, you know, just treat the proof that you have the seat... that the, like, the enabling cert. That's like a totally separate thing, like, so the... I mean, like the... what I'm suggesting.
R
Is that, basically, the thing you say "requires" has some, like, long-ass, like, random name, which isn't as play with anything, which can't... you record, which can't... isn't even origin, right, and I mean, or community, but in other words you actually serve the offer, right, and then you prove that you have that, and that doesn't suddenly enable the secondary certs. Just hang out, right, and all it's doing is enabling the other things, and they don't need "require star", right.
C
Y
C
So we are behind on the agenda, somewhat hopelessly, and there's a reason we organized the agenda with the adopted work first: that's flow control with nothing else, for our ability to accept new work, and so to anyone that isn't going to make it in today, you have my personal apologies, but that is the priority.
Y
Y
Y
We say that if you use a different connection protocol, you would presumably use a different URI scheme, but we don't know what that would look like, and also it is the authoritative interface for HTTP that is specific to TCP, all right, so HTTP and HTTPS are specific to TCP as defined. Next one. So for HTTP, specifically, we say that it's governed by a potential HTTP origin server listening on a given TCP port; TCP port 443 is the default. So where does that leave QUIC, HTTP/3?
Y
Y
What constitutes authority? Next. So the first option: long live TCP. Right now we use teat million, we use Alt-Svc, so you have to connect over H2 to get the Alt-Svc header or frame back, and then you have an Alt-Svc record that says in the future you can use H3, which goes over QUIC. Okay, now we always have to have TCP, always and forever, until we find a way of getting an Alt-Svc record without going over a TCP connection.
Y
First gives us the nice property that we can get a QUIC version hint along with the Alt-Svc record, but there are people who are unhappy about this, and understandably so. If you get an HTTP URI, you kind of like to be able to use the latest version of HTTP to get to it, except we've currently defined that that's not an option. Next. So we've looked at various ways of mangling the URI to try and express this. I think it was Martin who referred to number 2 as a disaster of nuclear proportions.
Y
Y
Y
So I mean some of this is future-looking. Will there ever be a QUIC-only server that doesn't actually have a TCP endpoint? What does it mean for current servers that don't know or run QUIC, that somebody can listen on a UDP port, even a privileged one, and become co-authoritative with the process that thinks it's?
Y
There are a lot of issues to be weighed here, and I think we need to make a decision about what is the right way to declare an H3 endpoint authoritative for a URL, because right now we have some arguments that H3, H2 are co-authoritative, they're all the same content, versus you have to have an authoritative delegation and the start of authority is that TCP point as defined. So let the spec lawyering begin. So.
Q
Just one kind of clarifying question to the group that's going through the line about what is the question to the group. I could kind of see it decomposed potentially into two separate parts. There's the first bit of saying can HTTP, like, will we allow that to be used for UDP, because, like, you could imagine a scheme which out-of-band, like with Alt-Svc?
Q
Y
M
Who's gonna jump the queue based on the first half of that sentence makes me worry. Martin Thomson, so it turns out that HTTP kind of always aspired to being able to resolve different types of URIs, and so, when we put an HTTP URI into a QUIC connection, we're not doing anything more than that. The question that we need to ask ourselves is whether this is actually someone we should be sending that request to in the first place, and this is really the question that we're asking.
M
If you think about the way that this is in the domain fronting scenarios that happened recently, it was most of all the send using any SNI, any connection to these servers, you could send a request for some resource on a different name, so you would connect on A and then you would make a request for B, and it's also possible that you might, say, have a connection to one port and then you make a request for a service that is ostensibly on another port. So we have all of these.
M
Things are possible, and some of them are possible because attackers can change which TCP port number a request comes in on... not that this is not authenticated in any way, but the way that we deal with this is we have the Host header field, which contains the client's understanding of who the request was directed towards, and the server can use this information, which is now authenticated, to determine whether or not it wants to answer the request. Obviously all the servers on the same name can answer the request.
C
R
So I guess a couple observations. You know, a bottom of the bowl... as those, you know, various URI options you presented were the bottom of the bullseye. Actually, the first problem is any of those URIs, any one of those, like that is not, like, backward compatible with existing HTTP URIs, like a non-starter, because no sane person is... no same first things like for the URI like EPQ. Nobody can dereference, so.
N
R
R
Don't... we'll come kill me if we kind of shove it somewhere that it didn't agree in a career program, so I think that's it, basically they're all kind of monsters, maybe sometimes you put RIT than I do, but so I think we're kind of between, like, so the real question is like: is it reasonable, given an HTTP URI, they're just like, you know, I only try QUIC without, like, any other indication that it's... that's cool, right, and I.
R
Guess I'm not here, like, spec lawyer you about, like, what the specs actually say, 'cause like we're allowed to do anything, what we can take up the specs, like we have to be concise, etcetera, right, so I'm gonna make two arguments. The first is that, as a matter of, like, you know, architectural philosophy, like the minute we decided, like, connection coalescence without, like, you know, without a DNS reference was, like, cool.
R
We, like, gave up on the idea, I don't like that actually mattered, but anything other than certificate actually mattered, and so the relevant thing, the relevant proof that you're willing to, like, it's really willing to be this host, is the fact that you have a certificate and the host name in, and that is true, and that's just as true in QUIC as it is in an ordinary T...
R
She goes over TLS, and if that's the same source, and it's like that's the same, like, her to graph reportable, right, so from that perspective, I think, like, the natural answer really here is if you're gonna HTTPS, like, totally just, right, QUIC, and, like, people who don't, like, wanna support QUIC, like, you know, don't, this work QUIC, and people don't wanna, some or QUIC and somewhat like some of them. You know only one have personal QUIC to find somewhere throttle and, like, isn't Alt-Svc, I mean. So what's it like?
K
Tenor nail, trying to be really quick. The number two we actually tried in the past, doing this decoration for the late and much beloved IRIS protocol, which included a number of different transports, including the much lamented BEEP. It was a disaster not of nuclear proportions, because IRIS was never popular enough to be nuclear proportions, but it was an utter and complete disaster for the scope of the protocol that was involved with. Don't do that. It's horrible! Please stop, don't. For option three, I agree with most of what Ekr said.
K
There's only one thing I would say here is there may at some point be some use for having a URI that tells you that something doesn't speak TCP and therefore it is not worth doing Happy Eyeballs to it, but I think that this is far enough in the future that you could Alt-Svc in the other direction. If we've gotten to happen... Happy Eyeballs there, to say, hey, I'm gonna start putting up QUIC and telling you that there's also a TCP, or not telling you that, so I really don't think.
K
There's any reason not to go for this as the baseline expectation, and I realize that it's not what your ice pack said, but having worked in the URI registration game for some time now, we moved from trying to make the spec gate how URIs worked to recognizing how people were actually deploying them over time, and I think this fits squarely in that change. Right.
U
F
Next one, geez, yeah, this is fine, so the word "potential" there is very important. It means that you don't actually have to go and make a TCP connection. It's just establishing authority for that URI. I don't think this needs to change. I disagree that we need to do number three, because the only time we need to consider this is when we deprecate HTTP/1, HTTP/1.1 and HTTP/2, because they are all still running, they're all still established in the authority. I don't think we're gonna need this for the foreseeable future.
Z
Z
E
Akamai, so I wanted us to think about the primary principles that we should be having, if you should basically don't break the internet, and right now, and I don't want to be a protocol lawyer and try to figure out the meaning, what particular word to put more meaning on and less, but right now QUIC is very young. It's almost, well, some people can say it doesn't really here to exist. Implementations, and you'll have operators who are trying to try it out and they will try to roll it out.
E
They will want to be able to control how they roll it out because they will know there are bugs, performance problems, interop problems and potentially loading the infrastructure problems. So whatever we wanna do here, we shouldn't just say: let it happen. I ball right now, and or if you want to do it, the clients wouldn't implement it, because the eyeballs will definitely be not happy.
F
K
Avoid talking about... so the... always talking about that, the Happy Eyeballs one, which I would +1 to the risks there, but I think for these two cases, one of the key... there's a normal case, and there is the custom client case. I think for the... ethically for the custom client case, where the client and server really want to use QUIC for something and only support QUIC, I think that might be worth separately.
K
E
E
K
Think for the use, for the web case with airport web, I think DNS is an area we may want to start looking at, and I think there's a bunch of areas around right now, and like on DNSOP there's a mail probably once a month of people saying why don't those damn HTTP people use SRV records or make their life easier. It may be that between ESNI keys, the ANAME stuff.
AB
Hi, Lukas Marty. So the Alt-Svc options. One of the potential ways you might want to employ this is to have a kind of matchmaking or broker service. So something listening on TCP that's intended to do a handoff to different QUIC endpoints, but the question of load is really interesting in this perspective, because although it should be fully authoritative and answer to everything, it doesn't want to, and so scaling of these things where we want QUIC to handle most traffic and not have something scale to handle...
AB
TCP traffic at those levels is difficult, and so those options with DNS, they're quite interesting, because if you never hit an origin of TCP and you... well, if you do hit an origin of TCP and quickly go over to QUIC, we need to think about the fallback story and by the clients what they do, that if they have nothing to fall back to because they got an answer from DNS. To me that seems like a better way to transition into this QUIC future.
I
E
I
Deliberately intended to allow this. It is a mapping from identifiers to delegated naming authorities. It's not an instruction to go use HTTP on TCP port 80, whatever, above that, it's not... that's not what it says. It deliberately allows this option 3, and this is in HTTP core. We have an issue, 194, which is currently discussing this. Yes, we.
I
So we should refer to that I'm talking about, and for me the only thing that really matters is whether the result, whatever we do, is consistent with the social requirements of HTTPS, which is that the communication be authenticated with the intended authority before you start sending requests, and encrypted without authority, and near as I can tell, after our discussion we had, Martin, earlier, that's sufficient and only sufficient to rely on the certificate that's provided. So we're left with the decision is like, well.
L
Eric Kinnear, Apple. I would reiterate that I have a very strong interest in being able to just up and connect without having another source of information. But that being said, when other sources of information are available, I definitely plan on using them and doing that, and in the interest of keeping this short, I will mostly just agree with what Ekr said, in that the incentive structure is already correct for doing kind of the right thing here, as QUIC becomes not super available to very equally available to maybe even mostly available.
S
Tomorrow, a chunk of curry, juleps or I got with the guts to the option three. I want to point out that for a decade already a huge, an unexpected amount of UDP packets of almost an MTU size coming to the port 443 was always a good sign of a DDoS attack, and it's actually used as a detection method, so I believe the option three heavily violates the principle of least surprise and can cause some potential false positives in real life. I.
Y
F
Let's go: proxy status, new draft. Next slide. Squid gives proxy errors in this format. Next slide. Fastly has documentation about how to proxy errors in this format. Next slide. This is how Cloudflare does it, using HTTP status codes, go Cloudflare, taking them all. Next slide. I'm not gonna talk about how bad that is, because I love my fellow colleagues. Next slide. This is how it is done in... oh, this is Google Cloud. Thank you. Next slide, and this was a... so I wrote up.
F
Who wrote how to do this for Envoy, and we started talking and he came on as a co-author, and we came up with, next slide, this draft, which is right... right. Let me go after speed, came on as we came up with spec. Next slide. These are some examples. It's a response header that a proxy or some intermediary, excuse me, can put on to responses to explain why it generated an error response or otherwise adorn the response.
F
Even if it's successful from the origin, it's still in progress, we still have a few open issues against it, but I've talked to a few people about it. It seems like people like the idea of doing things one way instead of 15 different ways, and so, next slide, I'm asking: is this interesting and do we want to adopt it.
J
F
I
Sure, well, now you just displayed that... I didn't see it before. You definitely want to make that cache status. The other, yeah.
F
Q
Q
C
We got time... we have time for one more left in our show today, so the update on H2 as transport from here, yeah. If you take, right.
AB
L
All right, super lightning speed. I'm Erica Lewis... microphone is great. I'm Eric Kinnear from Apple. We talked about this a little bit in Bangkok and it looked very, very different then, so thank you for all the feedback, because some of that's been incorporated, and some of that is pending on being incorporated. So there are several gaping holes here that we will totally fill in.
L
We talked about this in TSVWG, so you can go watch that if you want more details, which is gonna make us go even faster right now, but effectively we're trying to do a bunch of stuff that lets us use H2 to share multiple streams that would otherwise be separate transport connections. So we want that all on one transport connection, and that brings some interesting benefits, like you've already got this connection up, and so you have this nice security context that's already established, and you can just make new streams over it.
L
Everybody's happy. There's also some issues with that, like you now introduced head-of-line blocking, and if you're gonna be doing UDP and datagram transport, you've got all sorts of fun MTU questions, etc, etc, and that sparked the wonderful thought of, who... this is yet another way to tunnel things, in TSVWG, which brings in a whole set of considerations on what happens when you tunnel things and you put congestion control inside congestion control, and what could you possibly shoot yourself in the foot with. So we asked them kind of?
L
Where does some of this work belong, and especially in the newer form? That is very HTTP-specific, because the definition of how to do this is very specific. They said it's something that should probably be covered by HTTPbis, but at the same time, please do continue discussing it in TSVWG, especially around some of the tunneling and transport considerations versus the specific header and protocol field values that the spec defines. So that's the update from TSVWG in lightning speed.
L
In parallel with your other requests and responses, you can bikeshed wire formats for framing to add UDP, and that's very exciting, and you've got these nice headers that you can add other things to, so, like, WebSockets defined some custom headers that help you negotiate WebSockets. This allows you to add that to any of these requests to talk about what the next protocol will be, etc, etc. The document itself defines two new protocol values for the extended CONNECT handshake, one of which is byte stream, one of which is datagram.
L
Byte stream gives you a new stream. So when you send this to the server saying my protocol is going to be byte stream, plus, presumably, some way to know what's going to be used on that, you now have another stream that's in parallel with your other requests and responses, but is just a byte stream. For datagram, toss in some framing, you've got UDP. It goes through... there's some concerns that have already been raised on the list. Thank you for those. We should try it out. Those... can I get the next slide.
L
E
L
Some of that, admittedly, is coming from TLS and TCP, like, you know, retransmitting losses and things. So we make a new setting to say: hey, I can send the extended CONNECT in another direction to open a stream from the server to the client, and if you do that and write some other text about exactly the mapping and frame to frame, this is one way, and I'm sure there are a great many others, in which you can use this to run protocols that would run on QUIC transport over here.
L
C
C
N
Just like school, hi, I'm Felix, I'm gonna try to do this in, like, two minutes. Next slide: I work on Zstandard at Facebook. Next slide. I want to talk about improving HTTP response body compression, in particular for small responses, using an external dictionary. Next slide. Basically, compression sucks on small values. Next slide. Using an external dictionary can make compression better, especially for small values. Next slide. There are lots of possible places...
N
You could get this external data, some of which already exists, that you're already handling; other ways would be dedicated data that you prepare for this purpose. Next slide. There have been a lot of proposals in the past that explore these different ways to source data and use it. We are, next slide.
N
N
Sorry, next slide, yeah, compression in general in HTTP is a security challenge. I think we all know this, and it's sort of an open topic in some ways. So, next slide, we are working on exploring... Murray and I, I should say, are working on exploring the security challenges as they pertain to the use of dictionaries for compression. We hope to have this draft adopted by the working group at some point. I think there's more work.
N
We need to do before that happens. Next slide. And then the other thing: I am working at Facebook to deploy a dictionary-based compression system to our traffic between our infrastructure and our mobile apps. We're starting with a static, dedicated dictionary. We hope to evolve beyond that, and we hope to do this in a way that will reconcile with some future standardized way to do this that could be implemented broadly. We expect to see these improvements. Next slide.
F
Thank you, Felix. Brian Sniffen, make your way to the front, please. I think that that last presentation is important. We've been asking for this sort of level of detail for a while. There's a lot of interest in this area. So please do continue that work. People, please read the draft, and we'll hopefully see that... I can see Brian, go.
W
You should read the draft. Next slide. Right now CDNs, all of them, end up getting pressured by their customers to separate the world into a place where everybody can see, and some organizations can maybe shame people, like news sites that were only using HTTP, into using TLS. But then the browsers talk to the CDN, the CDN goes forward to the origin, and an alarming number of origins from sites that might terrify you, if you knew, insist on using non-TLS for the CDN-back-to-origin connection. Next slide, please, so.
W
We've proposed for a while standardizing in some way for the CDNs to expose to the front, where everyone can see, what's going on behind. Is this for browsers to consume? Next slide? No! It's not, because if the browsers block this, customers are just gonna push on, lie in this header that I'm proposing you standardize, so that doesn't help anything, right.
W
Getting this adopted requires the browsers to wait until the tiger is well and fully into the box before we shut the door, but there are a number of organizations that have put together fantastic dashboards to use public opprobrium to push the state of the art forward for this, and that's what I want to enable, with Fastly, with Cloudflare, with Akamai. Next slide. How do you use it? It's a header, you use it like this.
W
Original versions of this looked something like the top one, where maybe you say, by the way, my customer's doing something naughty, asking the CDNs to do that. Maybe that works. We're gonna try that, but maybe there's too much pressure to set from the customer to say, don't advertise that I'm doing something naughty, omit the header, and a silent signal looks like good behavior. That's not so great.
W
On the other hand, we're moving into a world between perfect forward secrecy and post-quantum crypto, where we can advertise that the protocol to the origin and the background protocol inside these complex CDNs and multi-host networks has particular good features, and it's a lot easier to resist pressure to lie by commission instead of resisting pressure to lie by omission. So we're at an unusually useful point to introduce a header like this and try to push some of these origins to support non-plaintext communications backwards.
W
Next slide. It's also an opportunity to write down what's actually safe versus not. Maybe there's some things that you can do to be less bad while acknowledging that you're sitting horribly as you do this. That's all I've got. I'd love to talk to other CDNs about how to do this, and if there's a browser who thinks that they're just gonna have to ship something that red flags this as soon as I put that header there, let me know now so I can save my time. Thank you very much. Are.