- From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
- Date: Tue, 08 Oct 2013 21:36:43 +0100
- To: "William Chan (陈智昌)" <willchan@chromium.org>, Mark Nottingham <mnot@mnot.net>
- CC: "ietf-http-wg@w3.org WG" <ietf-http-wg@w3.org>

On 10/08/2013 09:26 PM, William Chan (陈智昌) wrote:
> Cold page load
> ==> GET /index.html (occurs over newly established HTTP/1.X connection)
> <== index.html + Alt-Svc: http2-tls=:443
> ==> GET /foo.jpg (Does the user-agent block the foo.jpg fetch on a new
> HTTP/2 over TLS connection? If so, that's a perf hit, since there's a
> HTTP/1.X connection warm and ready to go.)

I suspect the interesting questions to ask here relate to whether or not that perf hit is needed to meet the security goals, and if it is, then what to do about that.

Could be in this case, the kind of "turn on crypto after a delay" approach you mention might be ok, but to know that, one would have to carefully write down the security goals so you could check if you're making a boo-boo or not.

Mark's draft is a good start at some of that, but clearly more is needed.

S.

Received on Tuesday, 8 October 2013 20:37:08 UTC