Re: Expectations for TLS session reuse

From: Patrick McManus <mcmanus@ducksong.com>
Date: Thu, 22 Dec 2016 10:39:02 -0500
Message-ID: <CAOdDvNqPDssNmSscgk3chbPg+Uw53_nqFrv+OzhTHWA=hTvwLg@mail.gmail.com>
To: Richard Bradbury <richard.bradbury@rd.bbc.co.uk>
Cc: Martin Thomson <martin.thomson@gmail.com>, Mike Bishop <Michael.Bishop@microsoft.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>, Eric Rescorla <ekr@rtfm.com>, Lucas Pardue <Lucas.Pardue@bbc.co.uk>, Patrick McManus <mcmanus@ducksong.com>

On Thu, Dec 22, 2016 at 7:25 AM, Richard Bradbury <richard.bradbury@rd.bbc.co.uk> wrote:

> the position is the same for HTTP/1.1 as it is for HTTP/2

I don't think this is true. H1 is governed by 7230 section 9... in practice
it is a connection per origin:

   The "https" scheme (Section 2.7.2
   <https://tools.ietf.org/html/rfc7230#section-2.7.2>) is intended to
   prevent (or at least reveal) many of these potential attacks on
   establishing authority, provided that the negotiated TLS connection
   is secured and the client properly verifies that the communicating
   server's identity matches the target URI's authority component (see
   [RFC2818 <https://tools.ietf.org/html/rfc2818>]).

whereas H2 loosens that a little bit for coalescing in 7540.
Received on Thursday, 22 December 2016 15:39:34 UTC
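
Added example, not part of the original message or of any client's code: a sketch of the reuse decision the message contrasts, with HTTP/1.1 treated as one connection per origin and HTTP/2 allowed to coalesce under the two conditions in RFC 7540 section 9.1.1 (the host resolves to the connected address, and the already-verified certificate is valid for it). The class, function names, sample hosts and addresses are constructed for illustration, and requiring the same port is an assumption made here.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class TlsConnection:          # hypothetical model of a validated TLS connection
    protocol: str             # ALPN result: "http/1.1" or "h2"
    host: str                 # host the connection was opened (and verified) for
    port: int
    peer_ip: str
    cert_dns_names: tuple     # dNSName SAN entries of the verified certificate

def cert_covers(host, dns_names):
    """Exact match, or one left-most '*' label standing for exactly one label."""
    host = host.lower().rstrip(".")
    for name in (n.lower().rstrip(".") for n in dns_names):
        if name == host:
            return True
        if name.startswith("*."):
            _, _, parent = host.partition(".")
            if parent and parent == name[2:]:
                return True
    return False

def may_reuse(conn, host, port, resolved_ips):
    """Decide whether a request for https://host:port may ride on conn."""
    if conn.host.lower() == host.lower() and conn.port == port:
        return True           # same origin the identity check was done for
    if conn.protocol != "h2":
        return False          # HTTP/1.1: in practice a connection per origin
    # HTTP/2 coalescing: the host must resolve to the connected address AND
    # the certificate already verified must be valid for it.
    # Assumption: same port is also required (conservative choice here).
    return (conn.port == port
            and conn.peer_ip in resolved_ips
            and cert_covers(host, conn.cert_dns_names))

# Constructed sample data (documentation addresses and names).
SANS = ("www.example.com", "*.example.com")
CONN_H2 = TlsConnection("h2", "www.example.com", 443, "192.0.2.10", SANS)
CONN_H1 = TlsConnection("http/1.1", "www.example.com", 443, "192.0.2.10", SANS)

if __name__ == "__main__":
    for conn in (CONN_H1, CONN_H2):
        for host, ips in (("www.example.com", {"192.0.2.10"}),
                          ("img.example.com", {"192.0.2.10"}),
                          ("img.example.com", {"192.0.2.99"}),
                          ("a.b.example.com", {"192.0.2.10"})):
            print(conn.protocol, host, sorted(ips), may_reuse(conn, host, 443, ips))
```

The certificate check alone is not sufficient for coalescing in this sketch: a wildcard SAN that covers the new host is still rejected when that host does not resolve to the connected address.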
