- From: Barry Leiba <barryleiba@computer.org>
- Date: Fri, 15 Jan 2016 14:07:42 -0500
- To: Kari Hurtta <hurtta-ietf@elmme-mailer.org>
- Cc: Mark Nottingham <mnot@mnot.net>, Mike Bishop <Michael.Bishop@microsoft.com>, "Julian F. Reschke" <julian.reschke@gmx.de>, "draft-ietf-httpbis-alt-svc@ietf.org" <draft-ietf-httpbis-alt-svc@ietf.org>, HTTP Working Group <ietf-http-wg@w3.org>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
> I think that this stops that attack if http client also checks
> /.well-known/alternative-services when alternative service
> does not provide strong auth. This of course adds additional delay
> before alternative service is used but does not affect case
> where alternative services is used for opportunistic security
> (I assume strong auth here and therefore
> GET /.well-known/alternative-services is not needed).

No, with opportunistic encryption you *don't* have strong auth --
that's part of what makes it opportunistic.

Barry
Received on Friday, 15 January 2016 19:08:10 UTC