W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2013

Re: New Version Notification for draft-nottingham-http2-encryption-00.txt

From: Paul Hoffman <paul.hoffman@gmail.com>
Date: Mon, 7 Oct 2013 08:13:30 -0700
Message-ID: <CAPik8yaxVxG6CAxWY+eY+Vc6jptH8bNKk9ZMi_LV4bC+k76PRA@mail.gmail.com>
To: Mark Nottingham <mnot@mnot.net>
Cc: Martin Thomson <martin.thomson@gmail.com>, "ietf-http-wg@w3.org WG" <ietf-http-wg@w3.org>
On Sun, Oct 6, 2013 at 12:23 AM, Mark Nottingham <mnot@mnot.net> wrote:

>
> On 02/10/2013, at 2:02 PM, Martin Thomson <martin.thomson@gmail.com>
> wrote:
> > I also wonder why you bothered to introduce the concept of a
> > "http2-tls-relaxed" profile.  To my mind, since the decision to use
> > TLS for the "http" resource was discretionary on the part of the
> > client, then the decision to validate the server certificate is
> > equally discretionary.  I would have thought that the logic would go
> > something like:
>
> The server needs to know whether the cert is being validated (as discussed
> in a note near the end, there's more work to do on this).
>

I'm not seeing that note; can you repeat the text here? Currently, the
server doesn't know whether the cert is validated: it could have been
accepted by clicking-through-the-UI-warnings.

If the HTTP server doesn't "need" to know whether the TLS client did the
validation, then there is no need for the "-relaxed" profile. If the HTTP
server really does need to know that, then we need a new TLS extension that
causes an validation indication to be passed through an API. That's much
more work than you are proposing here.

--Paul Hoffman
Received on Monday, 7 October 2013 15:14:01 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:11:18 UTC