ioggstream: ohai's Issues
Shorten introduction using text from OHTTP
I expect
to shorten the abstract / introduction, reusing text from OHTTP and RATELIMIT.
oblivious-target syntax
I expect
- to define the oblivious target syntax (sf-integer, sf-string, ...)
Instead
the generic syntax sf-item is specified, with some values, e.g. 0x01. It is not clear whether it's a binary, integer or string value.
Move the problem analysis into a specific section
I expect
The analysis of possible errors requires the Notational Conventions. I'd move it to a subsequent paragraph, after the notational conventions.
attack-severity refinement
I expect
attack-severity to have one of the severity values in this IANA registry: https://www.iana.org/assignments/iodef2/iodef2.xhtml
Instead
it is an sf-integer.
FAQ section
I expect
- to add the following FAQ in an unnumbered section of the spec:
FAQ
Q1. Why is the "ohai-target" option needed? Is it a "scope indication"? Why isn't it sufficient to return a plain RateLimit header?
By default intermediaries are not supposed to mess with RateLimit fields because they are intended for the user agent. The ohttp-target is a hint to clarify that it's for the proxy. It could even be ohttp-rcpt=proxy. I won't use the scope term because it's overloaded (e.g. it can be the resource target, an OAuth scope, ...), so we must use an OHTTP-specific value.
Q2. Is this safe?
TBD
Bump ratelimit fields to -05
Q: What is the difference between the request and the target resource?
Question
The document states differences between the request resource and the target resource.
The difference should be stated more clearly from the beginning of the document.
Who can generate "oblivious-target"?
Question
Who can generate oblivious-target? Only the Oblivious target resource, or also the Oblivious request resource?
Prevent Client identification: review
Comment
Section 5 is quite complex. I suggest reshaping it as follows:
- for each client, the O.R. maintains a score based on the number of total responses and the number of responses flagged with "2". Example:

| client | flag | total |
| --- | --- | --- |
| c1 | 5 | 100 |
| c2 | 120 | 125 |

- throttling decisions SHOULD be enacted only when the overall number of requests is high enough to prevent the risk of re-identification, and the number of flagged responses for a specific client is close to 100%
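The scoring table sketched in the comment above, as an added example written for this page; it is not code from the ohai draft, its author, or the commenter. The proxy keeps, per client, the total number of relayed responses and how many were flagged by the target, and only throttles when both the proxy-wide volume and the per-client sample are large enough that acting on a client does not single it out. The three thresholds and the background-traffic generator are assumed values chosen for illustration; the per-client rows c1 and c2 are the ones from the comment's table.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Assumed thresholds (not from the draft): tune to the deployment.
MIN_TOTAL_RESPONSES = 1000    # proxy-wide volume required before any throttling
MIN_CLIENT_RESPONSES = 50     # per-client sample size required before judging a client
FLAG_RATIO_THRESHOLD = 0.95   # "close to 100%" of a client's responses flagged


@dataclass
class ClientStats:
    flagged: int = 0   # responses the target resource flagged (the "2" in the comment)
    total: int = 0     # all responses relayed for this client


@dataclass
class ScoreTable:
    clients: Dict[str, ClientStats] = field(default_factory=dict)

    def record(self, client_id: str, flagged: bool) -> None:
        """Account one relayed response for client_id."""
        stats = self.clients.setdefault(client_id, ClientStats())
        stats.total += 1
        if flagged:
            stats.flagged += 1

    def overall_total(self) -> int:
        return sum(s.total for s in self.clients.values())

    def flag_ratio(self, client_id: str) -> float:
        stats = self.clients.get(client_id)
        if stats is None or stats.total == 0:
            return 0.0
        return stats.flagged / stats.total

    def should_throttle(self, client_id: str) -> bool:
        """Throttle only when the decision cannot re-identify a client by volume alone."""
        if self.overall_total() < MIN_TOTAL_RESPONSES:
            return False            # too little traffic: any action would stand out
        stats = self.clients.get(client_id)
        if stats is None or stats.total < MIN_CLIENT_RESPONSES:
            return False            # too small a sample for this client
        return self.flag_ratio(client_id) >= FLAG_RATIO_THRESHOLD

    def throttled_clients(self) -> List[str]:
        return sorted(c for c in self.clients if self.should_throttle(c))


def load_issue_table() -> ScoreTable:
    """The rows from the comment: c1 = 5 flagged of 100, c2 = 120 flagged of 125."""
    table = ScoreTable()
    for client, flagged, total in (("c1", 5, 100), ("c2", 120, 125)):
        for i in range(total):
            table.record(client, flagged=i < flagged)
    return table


def add_background_traffic(table: ScoreTable, n_clients: int = 20, per_client: int = 50) -> ScoreTable:
    """Constructed, unflagged traffic from other clients so the proxy-wide volume rises."""
    for k in range(n_clients):
        for _ in range(per_client):
            table.record(f"bg{k}", flagged=False)
    return table


if __name__ == "__main__":
    t = load_issue_table()
    print("comment's table only:", t.throttled_clients())   # [] : overall volume 225 < 1000
    add_background_traffic(t)
    print("with background traffic:", t.throttled_clients())  # ['c2']
```

With only the two rows from the comment the proxy refuses to throttle c2 even though 96% of its responses are flagged, because the overall volume is too low for the decision to be safe; once enough unrelated traffic has passed through, c2 is throttled and c1 (5% flagged) is not.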
Proxy Feedback increases linking
Question
- does proxy feedback increase linking between client and target resource?
- OHTTP and ratelimit ref
Considerations
Some guidance is required here, as most of the obvious behaviors seem to result in increased linking. [..]
A rate limit targeted at specific "malicious" users makes this even worse.
Consider an approach where the oblivious request resource
informs the proxy of a proxy-wide rate limit (which will be enforced via HTTP 429),
and the proxy subdivides the quota among its users in whatever fashion it wishes.
RateLimit fields can be used to implement client tracking techniques:
for example a server can affect the timing of client requests
in such a way as to make the client identifiable.
Note that this might apply to other fields too (e.g. Retry-After).
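A simplified model of the timing channel described above and of the "proxy-wide rate limit" approach, as an added example written for this page (not code from the ohai draft or from the issue's author). The target resource encodes a distinct tag in the reset delay it returns for each response; an obedient client that waits exactly that long reveals, by the arrival time of its next request, which earlier response it received, which links the two requests across the proxy. The mitigation modelled here is the proxy discarding the server-chosen delay and telling every client to wait until the next proxy-wide window boundary. The window length, the delay encoding and the two-client scenario are assumptions for illustration; real deployments have jitter and coarser clocks, so the model only shows the mechanism.

```python
from typing import Dict, List, Optional

WINDOW_SECONDS = 60   # assumed proxy-wide window; all clients are told the same reset


class TrackingTarget:
    """A target resource that abuses the reset delay as a per-response identifier."""

    def __init__(self) -> None:
        self.expected_arrivals: Dict[int, int] = {}   # arrival time -> tag
        self.next_tag = 0

    def respond(self, now: int) -> int:
        """Return a reset delay that is unique to this response."""
        tag = self.next_tag
        self.next_tag += 1
        delay = 10 + tag                   # distinct delay per response: the covert tag
        self.expected_arrivals[now + delay] = tag
        return delay

    def identify(self, arrival_time: int) -> Optional[int]:
        """Recover the tag from when the follow-up request arrives, if unique."""
        return self.expected_arrivals.get(arrival_time)


def proxy_rewrite_delay(now: int, server_delay: int, window: int = WINDOW_SECONDS) -> int:
    """Mitigation: ignore the server's delay, use the proxy-wide window boundary."""
    return window - (now % window)


def simulate(n_clients: int, normalize: bool) -> List[Optional[int]]:
    """Each client sends one request at t=0 and obeys the delay it receives.

    Returns, per client, the tag the target recovers from the follow-up request
    (None means the target could not tell which earlier response it was)."""
    target = TrackingTarget()
    now = 0
    delays = []
    for _ in range(n_clients):
        server_delay = target.respond(now)
        delays.append(proxy_rewrite_delay(now, server_delay) if normalize else server_delay)
    # obedient clients come back exactly after the delay they were given
    return [target.identify(now + d) for d in delays]


if __name__ == "__main__":
    print("server-chosen delays:", simulate(2, normalize=False))   # [0, 1]: requests linked
    print("proxy-wide window:   ", simulate(2, normalize=True))    # [None, None]: unlinked
```

Note that the mitigation only helps when several clients share a window: with a single client the target can still correlate by timing, which is the reason the previous comment insists on a minimum overall volume before any per-client decision.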
Protection of content or of the whole message?
Question
- the spec says that the Oblivious proxy protects HTTP content, that is, only the payload. Does it protect only the payload, or also headers and other message parts?
Markdown template
Question
- there's a GitHub repository template for RFCs, e.g. https://github.com/ietf-wg-httpapi/mediatypes, that generates XML and GitHub Pages from markdown and supports automatic posting to the datatracker. Do you want to give it a try? It will allow you to write the RFC faster.
Enumerate the terms imported from I-D.ietf-ohai-ohttp
I expect
to enumerate all the terms imported from OHTTP.
Instead
This document makes use of the terms defined in [I-D.ietf-ohai-ohttp]
and [RFC8941].
attack-severity should be a separate parameter
I expect
attack-severity to be a separate quota policy parameter.
Use `ohai-` prefix for parameter
Suggestion
Why not use an ohai- prefix (or something similar) for oblivious-related parameters?