Re: New Version Notification for draft-nottingham-http2-encryption-00.txt

From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Date: Tue, 08 Oct 2013 21:36:43 +0100
Message-ID: <52546CDB.3060503@cs.tcd.ie>
To: "William Chan (陈智昌)" <willchan@chromium.org>, Mark Nottingham <mnot@mnot.net>
CC: "ietf-http-wg@w3.org WG" <ietf-http-wg@w3.org>


On 10/08/2013 09:26 PM, William Chan (陈智昌) wrote:
> Cold page load
> ==> GET /index.html (occurs over newly established HTTP/1.X connection)
> <== index.html + Alt-Svc: http2-tls=:443
> ==> GET /foo.jpg (Does the user-agent block the foo.jpg fetch on a new
> HTTP/2 over TLS connection? If so, that's a perf hit, since there's a
> HTTP/1.X connection warm and ready to go.)

I suspect the interesting questions to ask here relate to whether
or not that perf hit is needed to meet the security goals, and if
it is, then what to do about that.

Could be in this case, the kind of "turn on crypto after a delay"
approach you mention might be ok, but to know that, one would have
to carefully write down the security goals so you could check if
you're making a boo-boo or not.

Mark's draft is a good start at some of that, but clearly more is
needed.

S.
Received on Tuesday, 8 October 2013 20:37:08 UTC
