Diff: draft-ietf-httpbis-http2bis-03.txt vs draft-ietf-httpbis-http2bis-latest.txt
(Text below follows the -latest column; where the two columns differ, the -03 text is given in brackets.)

HTTPbis Working Group                                    M. Thomson, Ed.
Internet-Draft                                                   Mozilla
Obsoletes: 7540, 8740 (if approved)                     C. Benfield, Ed.
Intended status: Standards Track                              Apple Inc.
Expires: January 23, 2022 [-03: January 13, 2022]       July 22, 2021 [-03: July 12, 2021]

               Hypertext Transfer Protocol Version 2 (HTTP/2)
                    draft-ietf-httpbis-http2bis-latest

Abstract

   This specification describes an optimized expression of the semantics
   of the Hypertext Transfer Protocol (HTTP), referred to as HTTP
   version 2 (HTTP/2).  HTTP/2 enables a more efficient use of network
   resources and a reduced perception of latency by introducing header
   [skipping to change at page 2, line 4]

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on January 23, 2022 [-03: January 13, 2022].

Copyright Notice

   Copyright (c) 2021 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   [skipping to change at page 67, line 20]

   This effectively prevents the use of renegotiation in response to a
   request for a specific protected resource.  A future specification
   might provide a way to support this use case.  Alternatively, a
   server might use an error (Section 5.4) of type HTTP_1_1_REQUIRED to
   request the client use a protocol that supports renegotiation.

   Implementations MUST support ephemeral key exchange sizes of at least
   2048 bits for cipher suites that use ephemeral finite field Diffie-
   Hellman (DHE) [TLS13] and 224 bits for cipher suites that use
   ephemeral elliptic curve Diffie-Hellman (ECDHE) [RFC8422] [-03: [RFC4492]].
   Clients MUST accept DHE sizes of up to 4096 bits.  Endpoints MAY treat
   negotiation of key sizes smaller than the lower limits as a
   connection error (Section 5.4.1) of type INADEQUATE_SECURITY.

9.2.2.  TLS 1.2 Cipher Suites

   A deployment of HTTP/2 over TLS 1.2 SHOULD NOT use any of the cipher
   suites that are listed in the list of prohibited cipher suites
   (Appendix A).
   [skipping to change at page 81, line 7]

   [FIPS186]  NIST, "Digital Signature Standard (DSS)", FIPS PUB 186-4,
              July 2013, <http://dx.doi.org/10.6028/NIST.FIPS.186-4>.

   [COOKIE]   Barth, A., "HTTP State Management Mechanism", RFC 6265,
              DOI 10.17487/RFC6265, April 2011,
              <https://www.rfc-editor.org/rfc/rfc6265>.

   [HTTP]     Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke,
              Ed., "HTTP Semantics", Work in Progress, Internet-Draft,
              draft-ietf-httpbis-semantics-16, May 27, 2021,
              <https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-
              semantics-16>.
              [-03: draft-ietf-httpbis-semantics-15, March 30, 2021]

   [CACHE]    Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke,
              Ed., "HTTP Caching", Work in Progress, Internet-Draft,
              draft-ietf-httpbis-cache-16, May 27, 2021,
              <https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-
              cache-16>.
              [-03: draft-ietf-httpbis-cache-15, March 30, 2021]

   [QUIC]     Iyengar, J., Ed. and M. Thomson, Ed., "QUIC: A UDP-Based
              Multiplexed and Secure Transport", RFC 9000,
              DOI 10.17487/RFC9000, May 2021,
              <https://www.rfc-editor.org/info/rfc9000>.

12.2.  Informative References

   [RFC7540]  Belshe, M., Peon, R., and M. Thomson, Ed., "Hypertext
              Transfer Protocol Version 2 (HTTP/2)", RFC 7540,
              DOI 10.17487/RFC7540, May 2015,
              <https://www.rfc-editor.org/rfc/rfc7540>.

   [RFC8740]  Benjamin, D., "Using TLS 1.3 with HTTP/2", RFC 8740,
              DOI 10.17487/RFC8740, February 2020,
              <https://www.rfc-editor.org/rfc/rfc8740>.

   [HTTP11]   Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke,
              Ed., "HTTP/1.1", Work in Progress, Internet-Draft,
              draft-ietf-httpbis-messaging-16, May 27, 2021,
              <https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-
              messaging-16>.
              [-03: draft-ietf-httpbis-messaging-15, March 30, 2021]

   [RFC7323]  Borman, D., Braden, B., Jacobson, V., and R.
              Scheffenegger, Ed., "TCP Extensions for High Performance",
              RFC 7323, DOI 10.17487/RFC7323, September 2014,
              <https://www.rfc-editor.org/rfc/rfc7323>.

   [RFC3749]  Hollenbeck, S., "Transport Layer Security Protocol
              Compression Methods", RFC 3749, DOI 10.17487/RFC3749,
              May 2004, <https://www.rfc-editor.org/rfc/rfc3749>.

   [RFC6585]  Nottingham, M. and R. Fielding, "Additional HTTP Status
              Codes", RFC 6585, DOI 10.17487/RFC6585, April 2012,
              <https://www.rfc-editor.org/rfc/rfc6585>.

   [RFC8422]  Nir, Y., Josefsson, S., and M. Pegourie-Gonnard, "Elliptic
              Curve Cryptography (ECC) Cipher Suites for Transport Layer
              Security (TLS) Versions 1.2 and Earlier", RFC 8422,
              DOI 10.17487/RFC8422, August 2018,
              <https://www.rfc-editor.org/rfc/rfc8422>.
              [-03 instead had:
              [RFC4492]  Blake-Wilson, S., Bolyard, N., Gupta, V., Hawk, C., and B.
              Moeller, "Elliptic Curve Cryptography (ECC) Cipher Suites
              for Transport Layer Security (TLS)", RFC 4492,
              DOI 10.17487/RFC4492, May 2006,
              <https://www.rfc-editor.org/rfc/rfc4492>.]

   [PRIVACY]  Cooper, A., Tschofenig, H., Aboba, B., Peterson, J.,
              Morris, J., Hansen, M., and R. Smith, "Privacy
              Considerations for Internet Protocols", RFC 6973,
              DOI 10.17487/RFC6973, July 2013,
              <https://www.rfc-editor.org/rfc/rfc6973>.

   [TALKING]  Huang, L., Chen, E., Barth, A., Rescorla, E., and C.
              Jackson, "Talking to Yourself for Fun and Profit", 2011,
              <http://w2spconf.com/2011/papers/websocket.pdf>.
   [skipping to change at page 83, line 8]

              <https://www.rfc-editor.org/rfc/rfc8499>.

   [NFLX-2019-002]
              Netflix, "HTTP/2 Denial of Service Advisory", August 13,
              2019, <https://github.com/Netflix/security-
              bulletins/blob/master/advisories/third-party/2019-002.md>.

   [I-D.ietf-httpbis-priority]
              Oku, K. and L. Pardue, "Extensible Prioritization Scheme
              for HTTP", Work in Progress, Internet-Draft, draft-ietf-
              httpbis-priority-04, July 11, 2021,
              <https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-
              priority-04>.
              [-03: draft-ietf-httpbis-priority-03, January 11, 2021]

Appendix A.  Prohibited TLS 1.2 Cipher Suites

   An HTTP/2 implementation MAY treat the negotiation of any of the
   following cipher suites with TLS 1.2 as a connection error
   (Section 5.4.1) of type INADEQUATE_SECURITY:

   o  TLS_NULL_WITH_NULL_NULL
   o  TLS_RSA_WITH_NULL_MD5
   o  TLS_RSA_WITH_NULL_SHA
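   The following is an added example, not code from the draft or from any
   HTTP/2 implementation, showing how an endpoint can enforce the key-size
   limits of Section 9.2.1 and the Appendix A prohibition together, and
   what it sends when it chooses to treat a violation as a connection error.
   The function and parameter names are this example's own.  Its
   prohibited-suite set contains only the three Appendix A names visible in
   this excerpt (assumption: a real deployment loads the complete list
   from the published appendix).  The INADEQUATE_SECURITY error code value
   (0xc) and the GOAWAY frame layout are taken from RFC 7540 Sections 7
   and 6.8, which this page does not reproduce.

```python
"""Enforce HTTP/2 TLS usage rules (Section 9.2.1, 9.2.2, Appendix A).

Added example; names and helpers are this example's own, not the draft's.
"""
import struct
from typing import Optional

# Section 9.2.1: minimum ephemeral key-exchange sizes an implementation MUST
# support, and the largest DHE size a client MUST still accept.
MIN_DHE_BITS = 2048
MIN_ECDHE_BITS = 224
MAX_DHE_BITS_CLIENT_MUST_ACCEPT = 4096

# Appendix A excerpt as shown on this page (TLS 1.2 only).
# Assumption: a deployment extends this set from the full appendix.
PROHIBITED_TLS12_SUITES = frozenset({
    "TLS_NULL_WITH_NULL_NULL",
    "TLS_RSA_WITH_NULL_MD5",
    "TLS_RSA_WITH_NULL_SHA",
})

# Values from RFC 7540 Section 7 (error codes) and Section 6.8 (GOAWAY);
# they are not shown on this page.
INADEQUATE_SECURITY = 0xC
GOAWAY_FRAME_TYPE = 0x7


def inadequate_security_reason(tls_version: str, cipher_suite: str,
                               kx_type: Optional[str],
                               kx_bits: Optional[int]) -> Optional[str]:
    """Return why the negotiated parameters qualify as INADEQUATE_SECURITY,
    or None if they are acceptable.

    kx_type is "DHE", "ECDHE" or None (static key exchange, no ephemeral
    group); kx_bits is the size of the ephemeral group in bits.
    """
    # Appendix A applies only to TLS 1.2; TLS 1.3 suites are all AEAD.
    if tls_version == "TLSv1.2" and cipher_suite in PROHIBITED_TLS12_SUITES:
        return f"prohibited TLS 1.2 cipher suite {cipher_suite}"
    if kx_type == "DHE" and (kx_bits is None or kx_bits < MIN_DHE_BITS):
        return f"DHE group of {kx_bits} bits is below the {MIN_DHE_BITS}-bit minimum"
    if kx_type == "ECDHE" and (kx_bits is None or kx_bits < MIN_ECDHE_BITS):
        return f"ECDHE group of {kx_bits} bits is below the {MIN_ECDHE_BITS}-bit minimum"
    # A client is only obliged to accept DHE groups up to
    # MAX_DHE_BITS_CLIENT_MUST_ACCEPT; larger groups are local policy,
    # not a violation of the lower limits, so they pass here.
    return None


def build_goaway(last_stream_id: int, error_code: int,
                 debug_data: bytes = b"") -> bytes:
    """Serialize a GOAWAY frame: 9-byte frame header (24-bit length, type,
    flags, 32-bit stream id 0), then 31-bit last stream id, 32-bit error
    code and opaque debug data (RFC 7540 Section 6.8 layout)."""
    payload = struct.pack("!II", last_stream_id & 0x7FFFFFFF, error_code)
    payload += debug_data
    header = (len(payload).to_bytes(3, "big")
              + bytes([GOAWAY_FRAME_TYPE, 0x00])
              + struct.pack("!I", 0))
    return header + payload


def goaway_if_inadequate(tls_version: str, cipher_suite: str,
                         kx_type: Optional[str], kx_bits: Optional[int],
                         last_stream_id: int = 0) -> Optional[bytes]:
    """Return the GOAWAY frame an endpoint would send for the connection
    error, or None if the TLS parameters pass the checks."""
    reason = inadequate_security_reason(tls_version, cipher_suite, kx_type, kx_bits)
    if reason is None:
        return None
    return build_goaway(last_stream_id, INADEQUATE_SECURITY, reason.encode("ascii"))


if __name__ == "__main__":
    # Constructed negotiated parameters, not captured from a real session.
    cases = [
        ("TLSv1.2", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "ECDHE", 256),
        ("TLSv1.2", "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "DHE", 1024),
        ("TLSv1.2", "TLS_RSA_WITH_NULL_SHA", None, None),
        ("TLSv1.3", "TLS_AES_128_GCM_SHA256", "ECDHE", 256),
    ]
    for case in cases:
        frame = goaway_if_inadequate(*case)
        print(case[1], "->", "ok" if frame is None else frame.hex())
```

   The frame builder is deliberately separate from the policy check so
   that the same GOAWAY serializer can carry any error code; the debug
   data field holds the human-readable reason, which is where an operator
   would look when a peer closes the connection for INADEQUATE_SECURITY.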
End of changes.  12 change blocks.  19 lines changed or deleted, 19 lines changed or added.

This html diff was produced by rfcdiff 1.44jr.  The latest version is available from http://tools.ietf.org/tools/rfcdiff/