- From: Mark Nottingham <mnot@mnot.net>
- Date: Thu, 2 Jun 2016 10:06:13 +1000
- To: Erik Nygren <erik@nygren.org>
- Cc: Martin Thomson <martin.thomson@gmail.com>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Does Martin's suggestion of a flag in the .well-known file work for you? Cheers, > On 2 Jun 2016, at 1:18 AM, Erik Nygren <erik@nygren.org> wrote: > > If it helps, this came up as an important corner-case during implementation / detailed-design of a server-side implementation. > > > On Tue, May 31, 2016 at 10:06 PM, Martin Thomson <martin.thomson@gmail.com> wrote: > This is reasonable. A boolean `mixed-scheme` member that has to be > true seems appropriate. It's cheap enough to warrant doing. > > On 1 June 2016 at 11:10, Mark Nottingham <mnot@mnot.net> wrote: > > What do other folks think? > > > > > >> On 1 Jun 2016, at 8:31 AM, Erik Nygren <erik@nygren.org> wrote: > >> > >> Filed for the opp-sec draft where this is most relevant: > >> > >> https://github.com/httpwg/http-extensions/issues/188 > >> > >> In particular, mixing of secure and insecure schemes should require server-side opt-in over a strongly authenticated channel. (eg, an attribute of /.well-known/http-opportunistic with properties similar to "commit" as for where it can be set). > > > > > -- Mark Nottingham https://www.mnot.net/
Received on Thursday, 2 June 2016 00:06:45 UTC