- From: Kari hurtta <hurtta-ietf@elmme-mailer.org>
- Date: Sat, 8 Oct 2016 08:42:00 +0300 (EEST)
- To: HTTP working group mailing list <ietf-http-wg@w3.org>
- CC: Kari hurtta <hurtta-ietf@elmme-mailer.org>
>
> > There's also a htmlized version available at:
> > https://tools.ietf.org/html/draft-ietf-httpbis-http2-encryption-07
>
> 2. Using HTTP URIs over TLS
> https://tools.ietf.org/html/draft-ietf-httpbis-http2-encryption-07#section-2
>
> | An origin server that supports the resolution of "http" URIs can
> | indicate support for this specification by providing an alternative
> | service advertisement [RFC7838] for a protocol identifier that uses
> | TLS, such as "h2" [RFC7540].
>
> This also allows protocol identifiers other than "h2" (for example
> "http/1.1", which is HTTP/1.1 over TLS).
>
> 2.1. Alternative Server Opt-In
> https://tools.ietf.org/html/draft-ietf-httpbis-http2-encryption-07#section-2.1
>
> | Clients MUST NOT send "http" requests over a connection with the "h2"
> | protocol identifier, unless they have obtained a valid http-
> | opportunistic response for an origin (as per Section 2.3), and:
>
> But this part is specific to "h2".
Continuing.
| Clients MUST NOT send "http" requests over a connection with the "h2"
| protocol identifier, unless they have obtained a valid http-
| opportunistic response for an origin (as per Section 2.3), and:
⇒
When a client sends "http" requests over a TLS connection, the
request MUST include the scheme. This means that when used with the
protocol identifier "http/1.1" (HTTP/1.1 over TLS), the request uses
the absoluteURI form.
A client SHOULD NOT use an http-opportunistic response if requesting
it invoked an http-redirect.
Clients MUST NOT send "http" requests over a TLS connection, unless
they have obtained a valid http-opportunistic response for an origin
(as per Section 2.3), and:
(Also "SHOULD NOT" was suggested, I have no strong position for this.)
| o The chosen alternative service presents a certificate that is
| valid for the origin, as per [RFC2818] (this also establishes
| "reasonable assurances" for the purposes of {RFC7838}}), and
⇒ (no change)
| o The origin object of the http-opportunistic response has a `tls-
| ports' member, whose value is an array of numbers, one of which
| matches the port of the alternative service in question, and
⇒
o The origin object of the http-opportunistic response has an
"http-scheme-listeners" member, whose value is an array of
strings, one of which matches the name and port number of the
alternative service in question (in the form "name:port"), and
(I suggested the name "mixed-scheme-listeners" first:
https://lists.w3.org/Archives/Public/ietf-http-wg/2016OctDec/0056.html
)
| o The chosen alternative service returns the same representation as
| the origin did for the http-opportunistic resource.
⇒ (no change)
| For example, this request/response pair would allow requests for the
| origin "http://www.example.com" to be sent to an alternative service
| on port 443 or 8000 of the host "www.example.com":
⇒
For example, this request/response pair would allow requests for the
origin "http://www.example.com" to be sent to an alternative service
on port 443 of the host "www.example.com" or on port 8000 of the host
"www2.example.com":
| GET /.well-known/http-opportunistic HTTP/1.1
| Host: www.example.com
|
| HTTP/1.1 200 OK
| Content-Type: application/json
| Connection: close
|
| {
| "http://www.example.com": {
| "tls-ports": [443, 8000],
| "lifetime": 2592000
| }
| }
⇒
GET http://www.example.com/.well-known/http-opportunistic HTTP/1.1

HTTP/1.1 200 OK
Content-Type: application/json
Connection: close

{
  "http://www.example.com": {
    "http-scheme-listeners": [ "www.example.com:443", "www2.example.com:8000" ],
    "lifetime": 2592000
  }
}
(Should "lifetime" also be dropped?)
2.3. The "http-opportunistic" well-known URI
https://tools.ietf.org/html/draft-ietf-httpbis-http2-encryption-07#section-2.3
| o The origin object has a "lifetime" member, whose value is a number
| indicating the number of seconds which the origin object is valid
| for (hereafter, the "origin object lifetime"), and
|
| o The origin object lifetime is greater than the "current_age" (as
| per [RFC7234], Section 4.2.3).
|
| Note that origin object lifetime might differ from the freshness
| lifetime of the response.
It was noted that the "lifetime" member is no longer needed because there is no commit.
Then this requires some rewrite, but I am not trying it now.
This means that the http-opportunistic response has "mixed-scheme"
and "http-scheme-listeners" members on the origin object.
/ Kari Hurtta
Received on Saturday, 8 October 2016 05:42:34 UTC
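The opt-in rules discussed in this message can be checked mechanically on the client side. The following is an added example, not code from the draft or from the author of the message; it implements the proposed "http-scheme-listeners" matching rule together with the "lifetime" versus "current_age" rule from section 2.3 and the "same representation" rule. The function names, the `AltService` structure and the idea of passing the RFC 2818 certificate result in as a boolean (the TLS layer would compute it) are assumptions made for the example; the sample JSON is the one proposed above.

```python
"""Client-side opt-in checks for an http-opportunistic origin object.

Added example (not the draft's or the author's code). It follows the rules as
proposed in the message: a listener matches "name:port", the lifetime exceeds
current_age, the certificate is valid for the origin, the alternative returns
the same representation, and a response reached via redirect is not used.
"""
import json
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AltService:
    """An alternative service the client connected to over TLS (assumed shape)."""
    host: str
    port: int
    cert_valid_for_origin: bool  # outcome of the RFC 2818 check done by the TLS layer


def parse_origin_object(body: bytes, origin: str) -> Optional[dict]:
    """Return the origin object for `origin`, or None if the document is malformed."""
    try:
        doc = json.loads(body)
    except ValueError:
        return None
    if not isinstance(doc, dict):
        return None
    obj = doc.get(origin)
    return obj if isinstance(obj, dict) else None


def listener_allowed(obj: dict, alt: AltService) -> bool:
    """Proposed rule: one "http-scheme-listeners" entry equals "name:port"."""
    listeners = obj.get("http-scheme-listeners")
    if not isinstance(listeners, list):
        return False
    wanted = f"{alt.host}:{alt.port}"
    return any(isinstance(s, str) and s == wanted for s in listeners)


def lifetime_ok(obj: dict, current_age: int) -> bool:
    """Section 2.3: "lifetime" is a number and greater than current_age (seconds)."""
    lifetime = obj.get("lifetime")
    if isinstance(lifetime, bool) or not isinstance(lifetime, (int, float)):
        return False
    return lifetime > current_age


def may_send_http_over_tls(origin_body: bytes, alt_body: bytes, origin: str,
                           alt: AltService, current_age: int,
                           reached_via_redirect: bool = False) -> bool:
    """True only if every opt-in condition holds for this origin/alternative pair."""
    if reached_via_redirect:  # proposed SHOULD NOT: ignore a redirected response
        return False
    obj = parse_origin_object(origin_body, origin)
    if obj is None:
        return False
    return (alt.cert_valid_for_origin
            and listener_allowed(obj, alt)
            and lifetime_ok(obj, current_age)
            and origin_body == alt_body)  # same representation from the alternative


# Constructed sample: the response body proposed in the message above.
SAMPLE_BODY = b'''{
  "http://www.example.com": {
    "http-scheme-listeners": [ "www.example.com:443", "www2.example.com:8000" ],
    "lifetime": 2592000
  }
}'''

if __name__ == "__main__":
    alt = AltService("www.example.com", 443, cert_valid_for_origin=True)
    print(may_send_http_over_tls(SAMPLE_BODY, SAMPLE_BODY,
                                 "http://www.example.com", alt, current_age=0))
```

Note that port 8000 is only accepted for "www2.example.com", which is exactly the distinction the "name:port" form adds over the old "tls-ports" array, and that a stale response (current_age at or beyond the lifetime) is rejected even when everything else matches.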