Re: Alt-Svc WGLC

From: Julian Reschke <julian.reschke@gmx.de>
Date: Wed, 13 Jan 2016 22:17:24 +0100
To: Martin Thomson <martin.thomson@gmail.com>, Kyle Rose <krose@krose.org>
Cc: Hervé Ruellan <herve.ruellan@crf.canon.fr>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <5696BEE4.6000600@gmx.de>

On 2016-01-13 04:22, Martin Thomson wrote:
> On 13 January 2016 at 14:03, Kyle Rose <krose@krose.org> wrote:
>>> 1. the alternative service must be authenticated as the origin host
>>
>> If this is the case, then we should simply state that "Clients MUST
>> NOT use an alternative service that does not strongly authenticate
>> with the origin's identity."
>
> There may be some reluctance to write text that duplicates other RFCs.
>
> I think that we can get over that and include that statement.  Adding
> a citation for RFC 7230 should avoid any potential confusion about
> whether this is intended to override any guidance there.
>
>>> 2. if the alt-svc advertisement isn't authenticated, the host can't be
>>> different to the origin.
> ...
>> "Clients MUST NOT use an alternative service whose host is different
>> from the origin's if the alternative service advertisement was not
>> strongly authenticated."
>
> That works for me.  Julian, do you think that these statements could
> be added to the root of Section 9?

I welcome concrete text or a pull request. That being said, if we 
add/change normative statements, this should go into the main part of 
the spec, not the security considerations...

Best regards, Julian
Received on Wednesday, 13 January 2016 21:17:47 UTC
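
The two rules proposed in this thread, written as a client-side check. This is an added example, not part of the message or of the draft; the function names, the sample header, the `advert_authenticated` input and the simplified certificate-name matching are assumptions made for illustration.

```python
import re

# protocol-id="alt-authority"; any parameters after it (ma, persist) are ignored here
ALT_VALUE = re.compile(r'\s*([^\s=,;"]+)="([^"]*)"')

def parse_alt_svc(value, origin_host):
    """Return [(protocol, host, port)] from an Alt-Svc field value.
    An empty host in the alt-authority means the origin's own host."""
    alts = []
    if value.strip() == "clear":
        return alts
    for item in value.split(","):  # simplification: no commas inside quotes
        m = ALT_VALUE.match(item)
        if not m:
            continue
        host, _, port = m.group(2).rpartition(":")
        if port.isdigit():
            alts.append((m.group(1), (host or origin_host).lower(), int(port)))
    return alts

def cert_covers(san_names, host):
    """Simplified name check: exact match or one left-most wildcard label."""
    host = host.lower()
    parent = host.split(".", 1)[1] if "." in host else None
    return any(n.lower() == host or (n.startswith("*.") and n[2:].lower() == parent)
               for n in san_names)

def may_use(alt, origin_host, advert_authenticated, alt_cert_sans):
    """Apply both proposed MUST NOTs to one parsed alternative."""
    _, alt_host, _ = alt
    # 1. The alternative must authenticate as the origin host, not as itself.
    if not cert_covers(alt_cert_sans, origin_host):
        return False
    # 2. An unauthenticated advertisement may not move the client to another host.
    if alt_host != origin_host.lower() and not advert_authenticated:
        return False
    return True

# Constructed sample: one alternative on another host, one on the origin's host.
ORIGIN = "www.example.com"
ALTS = parse_alt_svc('h2="alt.example.net:443"; ma=3600, h2=":8443"', ORIGIN)
```

How `advert_authenticated` is established (for example, the header arriving over an authenticated TLS connection to the origin) is left to the caller.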