- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Tue, 3 Jan 2017 11:49:00 +1100
- To: Kari Hurtta <hurtta-ietf@elmme-mailer.org>
- Cc: HTTP working group mailing list <ietf-http-wg@w3.org>
On 23 December 2016 at 18:44, Kari Hurtta <hurtta-ietf@elmme-mailer.org> wrote:
> This is still quite long sentence to parse.
>
> | Clients MUST NOT send http requests over a secured connection, unless the chosen
> | alternative service presents a certificate that is valid for the origin as defined in
> | {{RFC2818}} (this also establishes "reasonable assurances" for the purposes of
> | {RFC7838}}) and they have obtained a valid http-opportunistic response for an origin
> | (as per {{well-known}}).
>
> OK that is manageable (if I read that several times).
Yeah, it's hard to parse. I split it up here:
https://github.com/httpwg/http-extensions/pull/280
Is that clearer?
>> Yes, that's an oversight. The only requirement is that the request is
>> made to the authenticated alternative.
>
> I'm not sure that I understand that from
>
> https://github.com/httpwg/http-extensions/blob/467d6b2773304e47cad09f6a8af62a7448fe3312/draft-ietf-httpbis-http2-encryption.md
[...]
> Or is there something what I missed?
There was this:
"""
A client is said to
have a valid http-opportunistic response for a given origin when:
* The client has requested the well-known URI from the origin ***over
an authenticated connection*** and a 200 (OK) response was provided,
and
"""
But no harm in making it clearer (see the above PR).
Received on Tuesday, 3 January 2017 00:49:33 UTC