- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Fri, 2 Jan 2015 10:31:18 -0800
- To: Aeris <aeris@imirhil.fr>
- Cc: Ryan Hamilton <rch@google.com>, Ilari Liusvaara <ilari.liusvaara@elisanet.fi>, Patrick McManus <pmcmanus@mozilla.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
On 2 January 2015 at 10:10, Aeris <aeris@imirhil.fr> wrote:
> Listing *all* those validity checks is impossible, because it depends on tons of
> parameters, RFCed or not, built-in or not, custom or not. This is not just a
> case of X.509, TLSA or PKP.

Ultimately, clients will determine what requirements need to be met in order to consider an origin authenticated. There are RFCs to guide that process, and those aim to establish a baseline (2818 or 6125 + 5280 perhaps being that baseline) but the choice of which RFCs ensures that there are - as you say - a virtually infinite number of choices.

That is why the draft states that the server needs to be considered authoritative, and then relies on the definition of that from RFC 7230.

The HTTP/2 draft simply states the conditions under which connections can be reused. This is different from HTTP/1.1, which is probably the source of your angst.

Of course, we have also defined several ways to avoid this happening if that doesn't suit you. The 421 status code. The HTTP_1_1_REQUIRED error code.

Received on Friday, 2 January 2015 18:31:44 UTC
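
The following is an added illustration, not part of the archived message or of any HTTP/2 implementation: a minimal client-side model of the reuse decision and of the 421 fallback mentioned above. The names `Conn`, `cert_covers` and `fetch`, the `send`/`open_conn` callbacks and the single-wildcard name check are assumptions chosen for the sketch; a real client applies whatever authentication requirements it has chosen.

```python
from dataclasses import dataclass, field

MISDIRECTED_REQUEST = 421  # server refuses to answer for this origin on this connection


def cert_covers(host, san_names):
    """Baseline name check (assumption): exact match, or one left-most '*' label."""
    host = host.lower().rstrip(".")
    for name in san_names:
        name = name.lower()
        if name == host:
            return True
        # '*.example.test' covers 'a.example.test' but not 'example.test'
        # and not 'x.y.example.test'.
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False


@dataclass
class Conn:
    san_names: list                            # names from the already validated certificate
    refused: set = field(default_factory=set)  # hosts that answered 421 on this connection

    def may_reuse_for(self, host):
        return host not in self.refused and cert_covers(host, self.san_names)


def fetch(host, conns, send, open_conn):
    """Try an existing connection first; on 421, retry once on a fresh connection.

    send(conn, host) -> status code and open_conn(host) -> Conn are caller-supplied
    stand-ins for the real transport (hypothetical hooks for this sketch).
    """
    for conn in conns:
        if conn.may_reuse_for(host):
            status = send(conn, host)
            if status != MISDIRECTED_REQUEST:
                return status, conn
            conn.refused.add(host)  # remember the refusal; do not coalesce here again
            break
    conn = open_conn(host)
    conns.append(conn)
    return send(conn, host), conn
```

The per-connection `refused` set is what keeps a single 421 from turning into a retry loop: later requests for that host skip the refusing connection and go to the dedicated one.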