
Opportunistic Security for HTTP

From: Kari hurtta <hurtta-ietf@elmme-mailer.org>
Date: Tue, 4 Oct 2016 19:41:00 +0300 (EEST)
To: HTTP working group mailing list <ietf-http-wg@w3.org>
CC: Kari hurtta <hurtta-ietf@elmme-mailer.org>
Message-Id: <20161004164102.5900C12D38@welho-filter3.welho.com>
Also

https://tools.ietf.org/html/draft-ietf-httpbis-http2-encryption-07#section-2.1

|   GET /.well-known/http-opportunistic HTTP/1.1
|   Host: www.example.com
|
|   HTTP/1.1 200 OK
|   Content-Type: application/json
|   Connection: close
|
|   {
|     "http://www.example.com": {
|       "tls-ports": [443, 8000],
|       "lifetime": 2592000
|     }
|   }


This seems to use HTTP/1.1 over TLS, but in the same chapter there was

|   Clients MUST NOT send "http" requests over a connection with the "h2"
|   protocol identifier, unless they have obtained a valid http-
|   opportunistic response for an origin (as per Section 2.3), and:

so there is also a mismatch with the example.

Also, if the "http/1.1" protocol identifier is allowed, then
this example really should use absoluteURI and not abs_path.

-----------------------------------------
GET http://www.example.com/.well-known/http-opportunistic HTTP/1.1

HTTP/1.1 200 OK
Content-Type: application/json
Connection: close

{
  "http://www.example.com": {
    "tls-ports": [443, 8000],
    "lifetime": 2592000
  }
}
-----------------------------------------

The scheme is needed here.


If the protocol identifier "http/1.1" is allowed here for
alternative service advertisement, then there needs to
be a requirement to use absoluteURI on HTTP/1.1
requests.

/ Kari Hurtta
Received on Tuesday, 4 October 2016 16:41:35 UTC
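
The scheme ambiguity raised in this message, as an added example (not part of the original message or of the draft): a server that receives an HTTP/1.1 request over TLS reconstructs the effective request URI as in RFC 7230 section 5.5, so an origin-form target is attributed to "https" and only the absolute form carries "http". All function names are hypothetical, and the client-side check assumes only the field layout shown in the quoted example.

```python
import json
from urllib.parse import urlsplit

def effective_request_uri(request_target, host_header, over_tls):
    """Effective request URI for origin-form and absolute-form targets only."""
    if not request_target.startswith("/"):      # absolute-form: scheme is explicit
        return request_target
    scheme = "https" if over_tls else "http"    # origin-form: scheme is inferred
    return f"{scheme}://{host_header}{request_target}"

def origin_of(uri):
    """Serialize scheme://host[:port], dropping the scheme's default port."""
    u = urlsplit(uri)
    default = {"http": 80, "https": 443}.get(u.scheme)
    port = "" if u.port in (None, default) else f":{u.port}"
    return f"{u.scheme}://{u.hostname}{port}"

def opportunistic_ok(body, origin, tls_port):
    """Assumed client check: the body names the origin and lists the TLS port."""
    try:
        entry = json.loads(body).get(origin)
    except (ValueError, AttributeError):        # not JSON, or not a JSON object
        return False
    if not isinstance(entry, dict):
        return False
    ports = entry.get("tls-ports")
    return isinstance(ports, list) and tls_port in ports

# Constructed sample: the JSON body from the example quoted in the message.
SAMPLE_BODY = ('{"http://www.example.com": '
               '{"tls-ports": [443, 8000], "lifetime": 2592000}}')
HOST = "www.example.com"
PATH = "/.well-known/http-opportunistic"

def demo():
    """Origin the server attributes the request to, for each target form."""
    abs_path = origin_of(effective_request_uri(PATH, HOST, over_tls=True))
    absolute = origin_of(
        effective_request_uri("http://" + HOST + PATH, HOST, over_tls=True))
    return {
        "abs_path": abs_path,                   # request looks like an https one
        "absoluteURI": absolute,                # request stays an http one
        "abs_path_covered": opportunistic_ok(SAMPLE_BODY, abs_path, 443),
        "absoluteURI_covered": opportunistic_ok(SAMPLE_BODY, absolute, 443),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```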
