Re: New Version Notification for draft-nottingham-http2-encryption-00.txt

From: Nicolas Mailhot <nicolas.mailhot@laposte.net>
Date: Tue, 1 Oct 2013 11:26:24 +0200
Message-ID: <0bb33f31a5e5323d47875f76f5f2ef19.squirrel@arekh.dyndns.org>
To: "Stefan Eissing" <stefan.eissing@greenbytes.de>
Cc: "Mark Nottingham" <mnot@mnot.net>, "ietf-http-wg@w3.org WG" <ietf-http-wg@w3.org>

On Tue, 1 October 2013 10:52, Stefan Eissing wrote:
> Mark,
>
> I like the approach to take the security aspect of the connection out of
> the uri. Using the uri scheme to manage resource security is awkward. We
> can expect security mechanisms to further evolve in the future and
> need to disentangle this from the uri itself. (302-ing all google resources
> works, but seems to indicate something's lacking here.)
>
> As I was not part of the discussions so far, it may be total nonsense, but
> would not a CONNECT against the server be a proper way to negotiate the
> security of the connection and perform possible upgrades to TLS or
> whatever?

Please don't, unless CONNECT changes drastically from a security point of
view. Right now every time an intermediary accepts a CONNECT it makes the
same mistake Richelieu made when he gave his full endorsement in writing
to Milady (that was ultimately used against both). CONNECT needs to be
extinguished, not promoted.

-- 
Nicolas Mailhot
Received on Tuesday, 1 October 2013 09:26:55 UTC
