rfcdiff: draft-ietf-httpbis-replay-03.txt vs. draft-ietf-httpbis-replay-latest.txt
(text common to both drafts is shown once; where they differ, the older
text is labelled "-03:" and the newer text "latest:")

HTTP Working Group                                    M. Thomson (Mozilla)
Internet-Draft                                    M. Nottingham (Fastly)
Intended status: Standards Track         W. Tarreau (HAProxy Technologies)
Expires:   -03: November 4, 2018     latest: December 2, 2018
Date:      -03: May 3, 2018          latest: May 31, 2018

                        Using Early Data in HTTP
     -03: draft-ietf-httpbis-replay-03     latest: draft-ietf-httpbis-replay-latest
Abstract

   Using TLS early data creates an exposure to the possibility of a
   replay attack.  This document defines mechanisms that allow clients
   to communicate with servers about HTTP requests that are sent in
   early data.  Techniques are described that use these mechanisms to
   mitigate the risk of replay.
Note to Readers

[skipping to change at page 1, line 47]

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on
      -03:    November 4, 2018.
      latest: December 2, 2018.

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
[skipping to change at page 8, line 6]

   to include the "Early-Data" header field.

   A server cannot make a request that contains the Early-Data header
   field safe for processing by waiting for the handshake to complete.
   A request that is marked with Early-Data was sent in early data on a
   previous hop.  Requests that contain the Early-Data field and cannot
   be safely processed MUST be rejected using the 425 (Too Early) status
   code.

   The "Early-Data" header field carries a single bit of information and
   clients MUST include at most one instance.
      -03:    Multiple instances MUST be treated as equivalent to a
              single instance by a server.
      latest: Multiple or invalid instances of the header field MUST be
              treated as equivalent to a single instance with a value of
              1 by a server.

   An "Early-Data" header field MUST NOT be included in responses or
   request trailers.

5.2.  The 425 (Too Early) Status Code

   A 425 (Too Early) status code indicates that the server is unwilling
   to risk processing a request that might be replayed.

   User agents that send a request in early data MUST automatically
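As an added example (not code from the draft), a Python sketch of the server and intermediary rules in the two passages above: any number of Early-Data instances, valid or not, collapses to one bit; a possibly replayed request that cannot be safely processed gets 425 (Too Early); and the field is flagged wherever it must not appear. The request dict layout, the `in_early_data` flag, the safe-method policy and the rule that a request received directly in early data on this hop is cleared once this hop's handshake completes are assumptions of the example, not text from this page.

```python
"""Server-side handling of the Early-Data request header (added example, not
the draft's code).  A request is a dict {"method": str, "headers": [(name,
value), ...], "in_early_data": bool}; in_early_data is set when this hop
itself received the request in TLS early data (assumed representation)."""
from typing import Iterable, List, Tuple

Header = Tuple[str, str]
TOO_EARLY = 425
# Assumed local policy, not from the draft: requests using methods that
# RFC 7231 defines as safe are processed even while they might be replayed.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def marked_early_data(headers: Iterable[Header]) -> bool:
    """True if any Early-Data instance is present.  The field is one bit, so
    repeated instances, comma-separated lists and invalid values such as
    "0" or "yes" all count as a single instance with value 1."""
    return any(name.lower() == "early-data" for name, _ in headers)


def handle_request(req: dict, handshake_complete: bool) -> int:
    """Return 425 (Too Early) or 200.  A request carrying Early-Data was early
    data on a previous hop, so completing this hop's handshake does not make
    it safe.  Only a request received in early data directly on this hop is
    cleared by handshake completion (assumed from the rest of the draft)."""
    if marked_early_data(req["headers"]):
        possibly_replayed = True
    else:
        possibly_replayed = bool(req.get("in_early_data")) and not handshake_complete
    if possibly_replayed and req["method"].upper() not in SAFE_METHODS:
        return TOO_EARLY
    return 200


def forward_headers(req: dict) -> List[Header]:
    """Headers an intermediary forwards: collapse whatever Early-Data instances
    arrived into at most one "Early-Data: 1", present whenever the request was
    early data on this hop or an earlier one."""
    kept = [(n, v) for n, v in req["headers"] if n.lower() != "early-data"]
    if req.get("in_early_data") or marked_early_data(req["headers"]):
        kept.append(("Early-Data", "1"))
    return kept


def misplaced_early_data(response_headers: Iterable[Header],
                         request_trailers: Iterable[Header]) -> List[str]:
    """Early-Data MUST NOT appear in responses or request trailers; name each
    place where it does so that the sender or recipient can strip it."""
    places = (("response", response_headers), ("request trailers", request_trailers))
    return [where for where, fields in places if marked_early_data(fields)]
```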
[skipping to change at page 10, line 24]

   Status:  standard

   Author/Change controller:  IETF

   Specification document(s):  This document

   Related information:  (empty)

   This document registers the 425 (Too Early) status code in the
   "Hypertext Transfer Protocol (HTTP) Status Code" registry
      -03:    established in [RFC7231].
      latest: located at https://www.iana.org/assignments/http-status-codes [5].

   Value:  425

   Description:  Too Early

   Reference:  This document

8.  References

8.1.  Normative References
[skipping to change at page 11, line 26]

              March 2018.

8.2.  Informative References

   [ALPN]     Friedl, S., Popov, A., Langley, A., and E. Stephan,
              "Transport Layer Security (TLS) Application-Layer Protocol
              Negotiation Extension", RFC 7301, DOI 10.17487/RFC7301,
              July 2014, <https://www.rfc-editor.org/info/rfc7301>.

   [HQ]       Bishop, M., "Hypertext Transfer Protocol (HTTP) over
              QUIC",
      -03:    draft-ietf-quic-http-11 (work in progress), April 2018.
      latest: draft-ietf-quic-http-12 (work in progress), May 2018.

   [RFC7540]  Belshe, M., Peon, R., and M. Thomson, Ed., "Hypertext
              Transfer Protocol Version 2 (HTTP/2)", RFC 7540,
              DOI 10.17487/RFC7540, May 2015,
              <https://www.rfc-editor.org/info/rfc7540>.

8.3.  URIs

   [1] https://lists.w3.org/Archives/Public/ietf-http-wg/

   [2] http://httpwg.github.io/

   [3] https://github.com/httpwg/http-extensions/labels/replay

   [4] https://www.iana.org/assignments/message-headers

   [5] https://www.iana.org/assignments/http-status-codes   (latest only)

Acknowledgments

   This document was not easy to produce.  The following people made
   substantial contributions to the quality and completeness of the
   document: David Benjamin, Subodh Iyengar, Benjamin Kaduk, Ilari
   Liusavaara, Kazuho Oku, Eric Rescorla, Kyle Rose, and Victor
   Vasiliev.

Authors' Addresses

End of changes.  8 change blocks.  9 lines changed or deleted, 12 lines changed or added.

This html diff was produced by rfcdiff 1.44jr.  The latest version is available from http://tools.ietf.org/tools/rfcdiff/