
Re: Alt-Svc WGLC

From: Kyle Rose <krose@krose.org>
Date: Wed, 13 Jan 2016 22:36:08 -0500
Message-ID: <CAJU8_nW+hypSdq5ntrnMgg4LbL-tc4m57TB6OXOVHD+E9Xnz9w@mail.gmail.com>
To: Erik Nygren <erik@nygren.org>
Cc: Martin Thomson <martin.thomson@gmail.com>, Julian Reschke <julian.reschke@gmx.de>, Hervé Ruellan <herve.ruellan@crf.canon.fr>, HTTP Working Group <ietf-http-wg@w3.org>
On Wed, Jan 13, 2016 at 10:21 PM, Erik Nygren <erik@nygren.org> wrote:
> I'd been assuming the alternative service server.  Good point we should be
> more explicit.
> Perhaps:
>
> Clients MUST NOT use alternative services without strong server
> authentication to the alternative using the name of the origin; this
> mitigates the attack described in Section 9.2.

I might go with my wording from earlier in the thread: "Clients MUST
NOT use an alternative service that does not strongly authenticate
with the origin's identity; this mitigates the attack described in
Section 9.2."

Kyle
Received on Thursday, 14 January 2016 03:36:37 UTC
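
The rule worded in the message above, sketched as client-side code. This is an added example, not code from the thread or from the Alt-Svc draft. It assumes TLS certificate validation is the strong authentication in use; the function names, host names and sample certificates are hypothetical and constructed.

```python
import socket
import ssl


def dns_name_matches(pattern: str, host: str) -> bool:
    """Match one certificate dNSName against a host name (case-insensitive)."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Conservative assumption: a wildcard is the whole leftmost label, covers
        # exactly one label, and is refused for two-label patterns such as "*.com".
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def alternative_is_usable(origin_host: str, cert: dict) -> bool:
    """True only if the certificate the alternative presented names the ORIGIN host.

    `cert` has the shape returned by ssl.SSLSocket.getpeercert(). The alternative's
    own host name is deliberately not an input: a certificate that is valid only
    for the alternative does not authenticate it as the origin.
    """
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(dns_name_matches(n, origin_host) for n in names)


def connect_alternative(origin_host: str, alt_host: str, alt_port: int) -> ssl.SSLSocket:
    """Open TCP to the alternative, but send SNI and verify the certificate for the origin."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED with check_hostname=True
    raw = socket.create_connection((alt_host, alt_port), timeout=10)
    # Raises ssl.SSLCertVerificationError if the certificate does not cover origin_host.
    return ctx.wrap_socket(raw, server_hostname=origin_host)


# Constructed sample certificates (getpeercert() shape), not taken from real servers.
CERT_FOR_ORIGIN = {"subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.com"))}
CERT_FOR_ALT_ONLY = {"subjectAltName": (("DNS", "alt.cdn.example.net"),)}

if __name__ == "__main__":
    print(alternative_is_usable("www.example.com", CERT_FOR_ORIGIN))
    print(alternative_is_usable("www.example.com", CERT_FOR_ALT_ONLY))
```

connect_alternative needs network access and is not exercised by the sample data; the two constructed certificates show the accept and reject decisions offline.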
