Re: HTTP2 server-side stream creation

On 13 July 2015 at 09:07, Stefan Eissing <stefan.eissing@greenbytes.de> wrote:
> So, the issue remains with server-initiated streams to define what they exactly connect against. In the case of special data backend server connections, this might be clear by the configuration of it, so outside of protocol context. And for that it is useful, no doubt. For it to work in the wild net, something is missing, I think.

Yeah, I think that's the question: if the client says "Hey, you can
send me requests too, I'm authority foo.bar", what reason does the
server have to trust that statement? It might be possible to do some
fun stuff with TLS client certificates here, but it'd be nice if we
had a plaintext solution too.

Maybe it's enough to say that the server MUST have some out-of-band
reason to believe the client is validly representing that authority,
and suggest some options. Those options could be TLS client certs,
service discovery mechanisms, reverse DNS, etc.

Received on Monday, 13 July 2015 08:22:19 UTC
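
The TLS client certificate option mentioned in the reply, sketched as an added example that is not part of the original message or of any HTTP/2 implementation: a server-side check that a client's claimed authority appears among the DNS subjectAltName entries of its verified certificate. The function names and the sample certificate are hypothetical; the dict layout is assumed to be the one Python's `ssl.SSLSocket.getpeercert()` returns.

```python
# Added example: hypothetical helper names; the dict layout is the one
# returned by ssl.SSLSocket.getpeercert() after a verified handshake.

def _host_of(authority):
    """Lowercased host part of an authority, or None if unusable."""
    if not authority or "@" in authority or authority.startswith("["):
        return None  # userinfo and IP literals are out of scope here
    host, _, port = authority.partition(":")
    if port and not port.isdigit():
        return None
    host = host.rstrip(".").lower()
    return host or None


def _san_matches(pattern, host):
    """Exact match, or a wildcard covering exactly one leftmost label."""
    pattern = pattern.rstrip(".").lower()
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[1:]  # e.g. ".backend.example"
    if suffix.count(".") < 2:  # refuse "*.org"-style patterns
        return False
    head, dot, tail = host.partition(".")
    return bool(head) and dot + tail == suffix


def client_may_claim(authority, peercert):
    """True only if a verified client cert lists the claimed authority."""
    host = _host_of(authority)
    if host is None or not peercert:
        return False  # no cert (e.g. plaintext) means no in-band evidence
    # The subject commonName is deliberately not used as a fallback.
    names = [v for k, v in peercert.get("subjectAltName", ()) if k == "DNS"]
    return any(_san_matches(n, host) for n in names)


# Constructed sample certificate, not taken from any real deployment.
SAMPLE_CERT = {
    "subject": ((("commonName", "ignored.example"),),),
    "subjectAltName": (("DNS", "foo.bar"), ("DNS", "*.backend.example")),
}
```

`getpeercert()` returns an empty dict when the peer certificate was not validated, so the check fails closed in that case as well as on plaintext connections.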