tireddy2 / ohai Goto Github PK

I expect

To shorten abstract / introduction reusing text from OHTTP and RATELIMIT

I expect

• to define the oblivious target syntax (sf-integer, sf-string, ...)

Instead

it is specified the generic syntax sf-item with some values, e.g. 0x01. It is not clear whether it's a binary, integer or string value.

I expect

The analysis on possible errors requires Notational conventions. I'd move it in a subsequent paragraph, after notational convetions.

I expect

attack-severity to have one of the severity values in this IANA registry https://www.iana.org/assignments/iodef2/iodef2.xhtml

Instead

is a sf-integer

I expect

• to add the following FAQ in an unnumbered section of the spec

FAQ

Q1. Why is the "ohai-target" option needed?  Is it a "scope indication"?  Why isn't it sufficient to return a plain RateLimit header?

By default intermediaries are not supposed to mess with RateLimit fields because they are intendedfor the user agent. the ohttp-target is an hint to clarify that it's for the proxy. Could even be ohttp-rcpt=proxy.I won't use the scope term because it's overloaded (e.g. can be the resource target, an oauth scope, ...), so we must use an ohttp specific value.

Q2. Is this safe?

TBD

Question

the document states differences from the request and target resource.
The difference should be stated more clearly since the beginning of the document.

Question

Who can generate oblivous-target ? Only Oblivous target resource or even Oblivous request resource?

@tireddy2

Comment

Section 5 is quite complex. I suggest reshaping it as follows

1. for each client, the O.R. maintains a score based on the number of total responses and the number of responses flagged with "2"
   Example

   | client | flag  | total |
   | --- | --- | --- |
   | c1 | 5 | 100 |
   | c2 | 120 | 125 |
   

2. throttling decisions SHOULD be enacted only when the overall number of requests is high enough to prevent
   the risk of re-identification, and the number of flagged responses for a specific client is close to 100%

Question

• does proxy feedback increase linking between client and target resource?
• OHTTP and ratelimit ref

Considerations

Some guidance is required here, as most of the obvious behaviors seem to result in increased linking. [..]
A rate limit targeted at specific "malicious" users makes this even worse.

Consider an approach where the oblivious request resource
informs the proxy of a proxy-wide rate limit (which will be enforced via HTTP 429),
and the proxy subdivides the quota among its users in whatever fashion it wishes.

RateLimit fields can be used to implement client tracking techniques:
for example a server can affect the timing of client requests
in such a way as to make the client identifiable.
Note that this might apply to other fields too (e.g. Retry-After).

Question

• the spec says that Oblivious proxy protects HTTP content, that is only the payload. Does it protect only the payload or even headers and other message parts?

Question

• there's a github repository template for RFC, e.g. https://github.com/ietf-wg-httpapi/mediatypes that generates xml and github pages from markdown, and supports automatic posting to datatracker. Do you want to give it a try? It will allow you to write RFC faster.

I expect

to enumerate all the terms imported from ohttp

Instead

This document makes use of the terms defined in [I-D.ietf-ohai-ohttp]
and [RFC8941].

I expect

attack-severity to be a separate quota policy parameter

Suggestion

Why not using ohai- prefix (or something similar) for oblivious related parameters?