Ryan Sleevi

Results 122 comments of Ryan Sleevi

Add fields for identifying the security protocol, cipher, signature and so on

@phistuck Right, you specifically noted negotiated connection info, and I was suggesting you provide an explicit explainer about why the browser should provide that data, given that it is already...

Add fields for identifying the security protocol, cipher, signature and so on

nextHopProtocol is already a privacy issue. It seems like this would amplify that.

Add fields for identifying the security protocol, cipher, signature and so on

@phistuck Because @igrigorik? :) Again, I'm not sure what your use case is, as there's only two parties relevant to the discussion - the client and the server. The UA...

Add fields for identifying the security protocol, cipher, signature and so on

@phistuck Looks like it. I'll see about digging up more of the details, but in the meantime, https://github.com/WICG/netinfo/issues/26 is probably an relevant discussion. In short, I'm very uncomfortable with the...

OpenIDConnect provider's HTTPS certificate doesn't match configured thumbprint

@zarenner [mentioned](https://github.com/aws-actions/configure-aws-credentials/issues/357#issuecomment-1012659448) wanting to explore ways to avoid having the issuing CA change. To echo and emphasize @buffyg’s [comment](https://github.com/aws-actions/configure-aws-credentials/issues/357#issuecomment-1013274236), the WebPKI doesn't provide that guarantee, somewhat intentionally. DigiCert has been...

Create and maintain a 10k-row subset table

LIMIT 10000 can still cause a full scan of all rows with some queries, thus cost substantially more. Having a smaller table reduces that cost, allowing for developing/iterating on the...

TLS SNI requirement is incompatible with TLS SNI definition

@enygren In like with the updates happening to [RFC 6125](https://datatracker.ietf.org/doc/draft-ietf-uta-rfc6125bis/), it seems tackling this such that there’s a relationship between SAN type and ServerName type, allowing a client to express...

COEP:credentialless and the HTTP cache.

As @annevk surmised, I do think this is dangerous, because this is not compatible with intermediary caches, because “credentialless” is not a network-observable explicit property. This creates the risk of...

COEP:credentialless and the HTTP cache.

Correct. NPKs are, seemingly, a best-effort privacy goal. If the intermediary cache is near the server (e.g. a CDN), then we’re saying we’re OK with the origin learning that someone...

COEP:credentialless and the HTTP cache.

> Firefox and the spec behaved this way for many years, this might mean this isn't a big deal? It has stood the test of time. We (Chrome) have disagreed...