
Re: Upgrade status for impl draft 1

From: Eliot Lear <lear@cisco.com>
Date: Wed, 27 Feb 2013 07:27:31 +0100
Message-ID: <512DA753.4040402@cisco.com>
To: "William Chan (陈智昌)" <willchan@chromium.org>
CC: Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>

On 2/27/13 4:43 AM, William Chan (陈智昌) wrote:
>
> QQ over here. Is this assuming only unencrypted HTTP/2? I believe
> Patrick was hoping to bootstrap serving http:// URLs via HTTP/2 over
> SSL, using the external discovery mechanism (DNS most likely). If so,
> I'm unclear on whether or not we need to describe behavior WRT
> TLS-NPNesque negotiation. Perhaps we should fork the thread for this...
>

This *is* possible, but with a big caveat: DNS should offer alternatives
that have the same security level -- UNLESS DNSSEC is in play.
Otherwise there's a downgrade attack in the making.

Eliot
Received on Wednesday, 27 February 2013 06:33:26 GMT
