Re: Expectations for TLS session reuse from Patrick McManus on 2016-12-22 (ietf-http-wg@w3.org from October to December 2016)

From: Patrick McManus <mcmanus@ducksong.com>
Date: Thu, 22 Dec 2016 10:39:02 -0500
To: Richard Bradbury <richard.bradbury@rd.bbc.co.uk>
Cc: Martin Thomson <martin.thomson@gmail.com>, Mike Bishop <Michael.Bishop@microsoft.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>, Eric Rescorla <ekr@rtfm.com>, Lucas Pardue <Lucas.Pardue@bbc.co.uk>, Patrick McManus <mcmanus@ducksong.com>
Message-ID: <CAOdDvNqPDssNmSscgk3chbPg+Uw53_nqFrv+OzhTHWA=hTvwLg@mail.gmail.com>

On Thu, Dec 22, 2016 at 7:25 AM, Richard Bradbury <
richard.bradbury@rd.bbc.co.uk> wrote:

> the position is the same for HTTP/1.1 as it is for HTTP/2



I don't think this is true. H1 is governed by 7230 section 9.. in practice
it is a connection per origin:

 The "https" scheme (Section 2.7.2
<https://tools.ietf.org/html/rfc7230#section-2.7.2>) is intended to
prevent (or at
   least reveal) many of these potential attacks on establishing
   authority, provided that the negotiated TLS connection is secured and
   the client properly verifies that the communicating server's identity
   matches the target URI's authority component (see [RFC2818
<https://tools.ietf.org/html/rfc2818>]).

whereas H2 loosens that a little bit for coalescing in 7540.

Received on Thursday, 22 December 2016 15:39:34 UTC