- From: Michael Sweet <msweet@apple.com>
- Date: Fri, 27 Jun 2014 12:40:20 -0400
- To: David Krauss <potswa@gmail.com>
- Cc: Amos Jeffries <squid3@treenet.co.nz>, ietf-http-wg@w3.org
- Message-id: <33D0B8E6-5D37-4E69-83F6-1BC8A7FCA10F@apple.com>
David,

On Jun 27, 2014, at 3:09 AM, David Krauss <potswa@gmail.com> wrote:
>
> On 2014-06-27, at 2:29 PM, Amos Jeffries <squid3@treenet.co.nz> wrote:
>
>> On 27/06/2014 2:22 p.m., Martin Thomson wrote:
>>
>>> It's different with headers. If we cap header size, then it becomes
>>> literally impossible to make some requests.
>>
>> HTTP/1.1 header size is capped at 64KB by Squid. Other implementors
>> previously stated 4KB, 8KB and 16KB caps. What is new?
>>
>> Ability to announce and negotiate a size will be an added benefit for
>> HTTP/2 if accepted.
>
> +1. Ignoring literally 99.98% of usage (add more 9's for the 64K limit) is not only a mistake, it's against the rules of any sane governing body.
>
> Has anyone contacted the Kerberos guys? I know nothing about security but it makes sense that an authentication protocol wouldn't worry about proxyability. Without proxies to worry about, the client can be sure that headers sent by HTTP/1 will only be received as HTTP/1, and authentication sent via HTTP/2 will only be received by a server expecting it. It becomes a non-issue.
>
> RFC 4559 appears to cover the culprit and appears to suggest that it is MSIE. Perhaps a Microsoft rep on this list can find out whether HTTP/2 support for SPNEGO Kerberos will be needed?

As someone who has implemented RFC 4559, the only thing that is particularly proxy-unfriendly is the size of Kerberos tickets from ActiveDirectory, which is a result of having all of the group/ACL stuff for a particular user account embedded in the ticket. We settled for supporting a maximum Authorization header size of 64k (which means we allow up to about 48k worth of ticket information Base64-encoded) - this is sufficient for most sites, but we occasionally see organizations/users with larger tickets and they just break/don't work...

Unfortunately, Kerberos tickets can also only be used once, so delta compression isn't going to be any help. Every request uses a new Authorization header value, so this (along with security concerns) is why my HTTP/2 implementation will only use the Literal Header Field Never Indexed encoding for the Authorization header.

_________________________________________________________
Michael Sweet, Senior Printing System Engineer, PWG Chair
Attachments
- application/pkcs7-signature attachment: smime.p7s
Received on Friday, 27 June 2014 16:40:49 UTC
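The message above refers to two concrete things without showing them: the 64k-header / 48k-ticket arithmetic for a Base64-encoded `Negotiate` credential, and the HPACK "Literal Header Field Never Indexed" representation that keeps a one-time Authorization value out of the compression table (so a compressor never reuses it and a compression-oracle attack on the header gets nothing to work with). The following is an added example written for this page; it is not code from the thread, from Michael Sweet's implementation, or from any HTTP/2 library. It assumes the final RFC 7541 HPACK wire format (static-table index 23 for `authorization`, the `0001xxxx` first-byte pattern from section 6.2.3) and uses a constructed, non-real ticket as sample input.

```python
"""HPACK never-indexed encoding of an RFC 4559 Authorization header.

Added example for this mailing-list page; not the thread's or any
project's own code.  Encoding rules follow RFC 7541 (integer coding in
section 5.1, string literals in 5.2, never-indexed literals in 6.2.3).
Huffman coding is deliberately not used, so strings go on the wire raw.
"""
import base64

STATIC_AUTHORIZATION_INDEX = 23  # "authorization" in the RFC 7541 static table
NEGOTIATE_PREFIX = b"Negotiate "  # RFC 4559 scheme token plus one space


def encode_int(value: int, prefix_bits: int, flags: int = 0) -> bytes:
    """RFC 7541 5.1 integer; `flags` are the representation bits above the prefix."""
    limit = (1 << prefix_bits) - 1
    if value < limit:
        return bytes([flags | value])
    out = bytearray([flags | limit])
    value -= limit
    while value >= 128:
        out.append((value & 0x7F) | 0x80)  # continuation bit set
        value >>= 7
    out.append(value)
    return bytes(out)


def decode_int(buf: bytes, pos: int, prefix_bits: int) -> tuple[int, int]:
    """Inverse of encode_int; returns (value, next position)."""
    limit = (1 << prefix_bits) - 1
    value = buf[pos] & limit
    pos += 1
    if value < limit:
        return value, pos
    shift = 0
    while True:
        b = buf[pos]
        pos += 1
        value += (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, pos


def encode_string(data: bytes) -> bytes:
    """String literal with the H (Huffman) bit clear: 7-bit length prefix, raw octets."""
    return encode_int(len(data), 7, 0x00) + data


def decode_string(buf: bytes, pos: int) -> tuple[bytes, int]:
    if buf[pos] & 0x80:
        raise ValueError("Huffman-coded string not handled in this example")
    length, pos = decode_int(buf, pos, 7)
    return bytes(buf[pos:pos + length]), pos + length


def classify(first_byte: int) -> str:
    """Name the HPACK representation from its first byte (RFC 7541 section 6)."""
    if first_byte & 0x80:
        return "indexed"
    if first_byte & 0x40:
        return "literal-with-incremental-indexing"
    if first_byte & 0x20:
        return "dynamic-table-size-update"
    if first_byte & 0x10:
        return "literal-never-indexed"
    return "literal-without-indexing"


def encode_never_indexed(name_index: int, value: bytes) -> bytes:
    """Section 6.2.3: 0001 + 4-bit name index, then the value as a string literal.

    Intermediaries re-encoding this field MUST keep it never-indexed, which is
    what makes it safe for a fresh-per-request credential like a Kerberos ticket.
    """
    return encode_int(name_index, 4, 0x10) + encode_string(value)


def decode_never_indexed(buf: bytes) -> tuple[int, bytes, int]:
    """Decode one never-indexed field; rejects any other representation."""
    kind = classify(buf[0])
    if kind != "literal-never-indexed":
        raise ValueError(f"expected never-indexed literal, got {kind}")
    index, pos = decode_int(buf, 0, 4)
    value, pos = decode_string(buf, pos)
    return index, value, pos


def negotiate_header_value(ticket: bytes) -> bytes:
    """Authorization value as RFC 4559 sends it: 'Negotiate ' + Base64(token)."""
    return NEGOTIATE_PREFIX + base64.b64encode(ticket)


def max_ticket_bytes(header_cap: int) -> int:
    """Largest raw token that still fits a value cap once Base64 expands it 4:3."""
    return (header_cap - len(NEGOTIATE_PREFIX)) // 4 * 3


if __name__ == "__main__":
    ticket = bytes(range(256)) * 4  # constructed stand-in for a Kerberos token
    wire = encode_never_indexed(STATIC_AUTHORIZATION_INDEX, negotiate_header_value(ticket))
    print(classify(wire[0]), len(wire), "bytes on the wire")
    print("raw token that fits a 64k value cap:", max_ticket_bytes(64 * 1024))
```

Usage note: `max_ticket_bytes(65536)` comes out just over 49,000 bytes, which is the "about 48k" figure in the message; anything larger than that overflows the header cap before HPACK even sees it, regardless of how the field is represented. The `classify` check is the defender-side half of the story: a proxy or server decoder that sees the `0001xxxx` byte knows it must not insert the value into its own dynamic table when re-encoding, and a decoder can be told to refuse an Authorization field that arrives in any other representation.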