W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2013

Re: New Version Notification for draft-nottingham-http2-encryption-00.txt

From: Stefan Eissing <stefan.eissing@greenbytes.de>
Date: Tue, 1 Oct 2013 10:52:07 +0200
Cc: "ietf-http-wg@w3.org WG" <ietf-http-wg@w3.org>
Message-Id: <D17E2699-F2D3-402F-ACBC-A8077DCC92FD@greenbytes.de>
To: Mark Nottingham <mnot@mnot.net>
Mark,

I like the approach to take the security aspect of the connection out of
the uri. Using the uri scheme to manage resource security is awkward. We
can expect security mechanisms to further evolve in the future and
need to disentangle this from the uri itself. (302-ing all google resources
works, but seems to indicate something's lacking here.)

As I was not part of the discussions so far, it may be total nonsense, but
would not a CONNECT against the server be a proper way to negotiate the 
security of the connection and perform possible upgrades to TLS or whatever?

Clients could send headers in the CONNECT indicating what security they 
are willing to accept, servers would send back in response what security 
the connection upgrades to then, if at all (come 4xx or 502 if they dont).

Performance wise this is no worse than sending an OPTIONS first. But has the
possibility to upgrade the existing connection.

Regards,

  Stefan

Am 01.10.2013 um 02:54 schrieb Mark Nottingham <mnot@mnot.net>:

> Everyone,
> 
> This is a draft put together based upon my observations of our discussions about encryption and HTTP/2.0, both before and after Berlin, along with a fair dose of help from reviewers (thanks again!). 
> 
> It proposes a way to optimistically encrypt communication for http:// URIs that is resistant to passive attacks, but is not (yet) resistant to active attacks. Full details are in the draft.
> 
> The aim was to respect the (sometimes conflicting) requirements of various stakeholders here; I may or may not have hit that goal, and look forward to the discussion. Really, the idea is to get the conversation going, not to guide us to a particular endpoint.
> 
> I understand that other folks might be working on complementary or competing drafts as well. We're not going to discuss this general area in any detail at our Seattle interim meeting; instead, we will have a substantial block of time set aside in Vancouver.
> 
> Regards,
> 
> P.S. I've attached a possibly friendlier HTML version.
> 
> <draft-nottingham-http2-encryption-00.html>
> 
> 
> Begin forwarded message:
> 
>> From: internet-drafts@ietf.org
>> Subject: New Version Notification for draft-nottingham-http2-encryption-00.txt
>> Date: 1 October 2013 10:45:04 AM AEST
>> To: Mark Nottingham <mnot@mnot.net>
>> 
>> 
>> A new version of I-D, draft-nottingham-http2-encryption-00.txt
>> has been successfully submitted by Mark Nottingham and posted to the
>> IETF repository.
>> 
>> Filename:	 draft-nottingham-http2-encryption
>> Revision:	 00
>> Title:		 Encryption for HTTP URIs Using Alternate Services
>> Creation date:	 2013-10-01
>> Group:		 Individual Submission
>> Number of pages: 15
>> URL:             http://www.ietf.org/internet-drafts/draft-nottingham-http2-encryption-00.txt
>> Status:          http://datatracker.ietf.org/doc/draft-nottingham-http2-encryption
>> Htmlized:        http://tools.ietf.org/html/draft-nottingham-http2-encryption-00
>> 
>> 
>> Abstract:
>>  This document proposes a way to optimistically encrypt HTTP/2.0 using
>>  TLS for HTTP URIs.
>> 
>> 
>> 
>> 
>> Please note that it may take a couple of minutes from the time of submission
>> until the htmlized version and diff are available at tools.ietf.org.
>> 
>> The IETF Secretariat
>> 
> 
> --
> Mark Nottingham   http://www.mnot.net/
> 
> 
> 

<green/>bytes GmbH
Hafenweg 16, 48155 Münster, Germany
Phone: +49 251 2807760. Amtsgericht Münster: HRB5782
Received on Tuesday, 1 October 2013 08:52:28 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:11:18 UTC