- From: Robert Collins <robertc@robertcollins.net>
- Date: Fri, 31 Oct 2014 15:35:19 +1300
- To: Martin Thomson <martin.thomson@gmail.com>
- Cc: Erik Nygren <erik@nygren.org>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
On 31 October 2014 12:40, Martin Thomson <martin.thomson@gmail.com> wrote:
> On 30 October 2014 15:36, Erik Nygren <erik@nygren.org> wrote:
>> In light of the discussion around 9.2.2, are there changes we want to
>> consider making to draft-ietf-httpbis-http2-encryption that could improve
>> interoperability when it is used? Should that draft strongly encourage
>> using TLS with DHE/ECDHE key exchange for (P)FS, or does that dive too
>> deeply into the same problems with 9.2.2?
>
> We can tighten up the requirements, certainly.
>
>> One thought that I had was that we may want the localhost Alt-Svc to
>> indicate when the server does not plan to offer valid authentication.
>
> This was a feature that was included in early versions, in a slightly
> different form. And I have argued against it. I don't see any value
> in this. You either expect to authenticate, or not. The way that the
> current draft addresses this is to have the new connection promise to
> provide authentication. I'd rather not have two mechanisms for the
> same thing.

Also wouldn't it deliver a trivial downgrade attack to folk who can
intercept and alter traffic?

-Rob

--
Robert Collins <rbtcollins@hp.com>
Distinguished Technologist
HP Converged Cloud

Received on Friday, 31 October 2014 02:35:48 UTC