The IESG has approved the following document:

- 'Chunked Oblivious HTTP Messages' (draft-ietf-ohai-chunked-ohttp-08.txt) as Proposed Standard

This document is the product of the Oblivious HTTP Application Intermediation Working Group.

The IESG contact persons are Paul Wouters, Deb Cooley and Mike Bishop.

A URL of this Internet-Draft is: https://datatracker.ietf.org/doc/draft-ietf-ohai-chunked-ohttp/

Technical Summary

This document defines a variant of the Oblivious HTTP message format that allows chunks of requests and responses to be encrypted and decrypted before the entire request or response is processed. This allows incremental processing of Oblivious HTTP messages, which is particularly useful for handling large messages or systems that process messages slowly.

Working Group Summary

The WG discussed applicability and use-cases for chunked OHTTP early on, given that chunking changes the security and privacy properties of OHTTP while not providing the guarantees of a proxied TLS connection. Specifically, there were concerns about the lack of forward secrecy and replay protection as well as how interactivity introduced by chunking potentially enables timing attacks. The authors addressed these concerns by adding an [Applicability section](https://datatracker.ietf.org/doc/html/draft-ietf-ohai-chunked-ohttp-06#name-applicability) and adding text on [interactivity](https://datatracker.ietf.org/doc/html/draft-ietf-ohai-chunked-ohttp-06#name-interactivity-and-privacy), [forward secrecy](https://datatracker.ietf.org/doc/html/draft-ietf-ohai-chunked-ohttp-06#section-7) and [replay attack risk](https://datatracker.ietf.org/doc/html/draft-ietf-ohai-chunked-ohttp-06#name-message-truncation).

There was also discussion of the [incremental nature of HTTP](https://github.com/ietf-wg-ohai/draft-ohai-chunked-ohttp/issues/19), motivating use of an HTTP "Incremental" header to get incremental forwarding. The draft now references the ["Incremental" HTTP header field](https://datatracker.ietf.org/doc/draft-ietf-httpbis-incremental/) draft which is also in IESG Review.

Document Quality

There are several existing deployments and implementations of Chunked OHTTP. [Cloudflare reported](https://mailarchive.ietf.org/arch/msg/ohai/xygArMZVfrSDtYvINHhYZHSGK1Q/) deployed implementations of both gateway and relay. [Apple also](https://datatracker.ietf.org/doc/minutes-120-ohai-202407260130/) has deployments of Chunked OHTTP for Private Cloud Compute and related AI features. There is an implementation by Microsoft for their [attested OHTTP server](https://github.com/microsoft/attested-ohttp-server). Google's QUICHE has support for [chunked OHTTP](https://quiche.googlesource.com/quiche.git/%2B/d71d77ba2b251b5b3fa049e8475c62ba1d473157).

The document interacts with HTTP and has new Media Types. Authors requested a [media-types review](https://mailarchive.ietf.org/arch/msg/media-types/voY6mqv9c5LQGM2odHIoqFlUbuU/) for two new media types. The "Incremental HTTP Messages" work is being done in HTTP WG and is cited as a normative reference. The chairs also sent a pointer to the Chunked OHTTP draft's last call to the HTTP WG mailing list; there's a large overlap in the people involved between the two groups.

Personnel

The Document Shepherd for this document is Shivan Kaul Sahib. The Responsible Area Director is Mike Bishop.

IANA Note

In the message namespace of the Media Types registry located at: https://www.iana.org/assignments/media-types/ two new media types are registered:

- ohttp-chunked-req
- ohttp-chunked-res
