

From: Kari Hurtta <hurtta-ietf@elmme-mailer.org>
Date: Tue, 09 Feb 2016 18:29:03 +0000
To: HTTP WG <ietf-http-wg@w3.org>
Cc: Mark Nottingham <mnot@mnot.net>, Patrick McManus <mcmanus@ducksong.com>, "Julian F. Reschke" <julian.reschke@greenbytes.de>, Kari Hurtta <hurtta-ietf@elmme-mailer.org>
Message-Id: <20160209182822.C37A959F@welho-filter2.welho.com>



| 2.1. Host Authentication
|   Clients MUST have reasonable assurances that the alternative service
|   is under control of and valid for the whole origin.

I have the impression that, in the absence of another protocol, this is meant to
forbid the use of plain HTTP/2 (i.e. "h2c"), because there is no "reasonable

But does the reader understand that? There are examples which use "h2c".

This does not give that

|                                   However, if "other.example.com" is
|   offered with the "h2c" protocol, the client cannot use it, because
|   there is no mechanism in that protocol to establish the relationship
|   between the origin and the alternative.

The reader may think that there is "reasonable assurance" when the hostname
is the same.

There is 


| 9.1. Changing Ports
|   Using an alternative service implies accessing an origin's resources
|   on an alternative port, at a minimum.  An attacker that can inject
|   alternative services and listen at the advertised port is therefore
|   able to hijack an origin.  On certain servers, it is normal for users
|   to be able to control some personal pages available on a shared port,
|   and also to accept to requests on less-privileged ports.

But that part is confusing:

|   This risk is mitigated by the requirements in Section 2.1.

When the requirement is "reasonable assurance", I think that the reader
is confused.

The "h2c" examples are


|   The Alt-Svc field value can have multiple values:
|   Alt-Svc: h2c=":8000", h2=":443"


|     HTTP/1.1 200 OK
|     Content-Type: text/html
|     Cache-Control: max-age=600
|     Age: 30
|     Alt-Svc: h2c=":8000"; ma=60

So my question is: Can the reader understand this without
reading https://lists.w3.org/Archives/Public/ietf-http-wg/ ?

( Or without reading that other protocol's RFC which
 gives reasonable assurance. )

/ Kari Hurtta
Received on Wednesday, 10 February 2016 20:16:48 UTC
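
The client-side reading of Section 2.1 that this message discusses, as an added example that is not part of the original mail or of the draft: an Alt-Svc field value is parsed and every alternative whose protocol gives the client no way to authenticate it for the origin is dropped, including "h2c" on the origin's own hostname. The function names and the `AUTHENTICATED_PROTOCOLS` set are assumptions of this example, and the parser is simplified (it does not handle commas inside quoted strings).

```python
import re

# Assumption of this example: only protocol IDs that run over TLS let the
# client tie the alternative to the origin (via the certificate check).
AUTHENTICATED_PROTOCOLS = {"h2"}

# protocol-id="authority" followed by optional ;name=value parameters
_ALT = re.compile(r'\s*([^=\s;,]+)="([^"]*)"((?:\s*;\s*[^;,]+)*)\s*')


def parse_alt_svc(value):
    """Parse an Alt-Svc field value into (protocol, host, port, max_age) tuples."""
    if value.strip() == "clear":
        return []
    entries = []
    for item in value.split(","):
        m = _ALT.fullmatch(item)
        if not m:
            continue  # ignore malformed alternatives
        proto, authority, params = m.groups()
        host, sep, port = authority.rpartition(":")
        if not sep or not port.isdigit():
            continue  # the port is mandatory in the authority
        max_age = None  # None means no "ma" parameter was sent
        for p in params.split(";"):
            name, _, val = p.strip().partition("=")
            if name == "ma" and val.isdigit():
                max_age = int(val)
        entries.append((proto, host, int(port), max_age))
    return entries


def usable_alternatives(origin_host, value):
    """Keep only alternatives the client could authenticate for the origin."""
    usable = []
    for proto, host, port, max_age in parse_alt_svc(value):
        if proto not in AUTHENTICATED_PROTOCOLS:
            # "h2c" is dropped even when the host is the origin's own: an
            # unchanged hostname says nothing about who listens on the port.
            continue
        # An empty host in the authority means "same host as the origin".
        usable.append((proto, host or origin_host, port, max_age))
    return usable
```

Passing this filter is necessary but not sufficient: for the remaining "h2" alternatives the client still has to check, during the TLS handshake, that the certificate is valid for the origin's hostname.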
