Re: Upgrade status for impl draft 1

On 2/27/13 4:43 AM, William Chan (陈智昌) wrote:
>
> QQ over here. Is this assuming only unencrypted HTTP/2? I believe
> Patrick was hoping to bootstrap serving http:// URLs via HTTP/2 over
> SSL, using the external discovery mechanism (DNS most likely). If so,
> I'm unclear on whether or not we need to describe behavior WRT
> TLS-NPNesque negotiation. Perhaps we should fork the thread for this...
>

This *is* possible, but with a big caveat: DNS should offer alternatives
that have the same security level -- UNLESS DNSSEC is in play.
Otherwise there's a downgrade attack in the making.

Eliot

Received on Wednesday, 27 February 2013 06:33:26 UTC