- From: Stefan Eissing <stefan.eissing@greenbytes.de>
- Date: Tue, 1 Oct 2013 10:52:07 +0200
- To: Mark Nottingham <mnot@mnot.net>
- Cc: "ietf-http-wg@w3.org WG" <ietf-http-wg@w3.org>
Mark, I like the approach to take the security aspect of the connection out of the uri. Using the uri scheme to manage resource security is awkward. We can expect security mechanisms to further evolve in the future and need to disentangle this from the uri itself. (302-ing all google resources works, but seems to indicate something's lacking here.) As I was not part of the discussions so far, it may be total nonsense, but would not a CONNECT against the server be a proper way to negotiate the security of the connection and perform possible upgrades to TLS or whatever? Clients could send headers in the CONNECT indicating what security they are willing to accept, servers would send back in response what security the connection upgrades to then, if at all (come 4xx or 502 if they dont). Performance wise this is no worse than sending an OPTIONS first. But has the possibility to upgrade the existing connection. Regards, Stefan Am 01.10.2013 um 02:54 schrieb Mark Nottingham <mnot@mnot.net>: > Everyone, > > This is a draft put together based upon my observations of our discussions about encryption and HTTP/2.0, both before and after Berlin, along with a fair dose of help from reviewers (thanks again!). > > It proposes a way to optimistically encrypt communication for http:// URIs that is resistant to passive attacks, but is not (yet) resistant to active attacks. Full details are in the draft. > > The aim was to respect the (sometimes conflicting) requirements of various stakeholders here; I may or may not have hit that goal, and look forward to the discussion. Really, the idea is to get the conversation going, not to guide us to a particular endpoint. > > I understand that other folks might be working on complementary or competing drafts as well. We're not going to discuss this general area in any detail at our Seattle interim meeting; instead, we will have a substantial block of time set aside in Vancouver. > > Regards, > > P.S. I've attached a possibly friendlier HTML version. > > <draft-nottingham-http2-encryption-00.html> > > > Begin forwarded message: > >> From: internet-drafts@ietf.org >> Subject: New Version Notification for draft-nottingham-http2-encryption-00.txt >> Date: 1 October 2013 10:45:04 AM AEST >> To: Mark Nottingham <mnot@mnot.net> >> >> >> A new version of I-D, draft-nottingham-http2-encryption-00.txt >> has been successfully submitted by Mark Nottingham and posted to the >> IETF repository. >> >> Filename: draft-nottingham-http2-encryption >> Revision: 00 >> Title: Encryption for HTTP URIs Using Alternate Services >> Creation date: 2013-10-01 >> Group: Individual Submission >> Number of pages: 15 >> URL: http://www.ietf.org/internet-drafts/draft-nottingham-http2-encryption-00.txt >> Status: http://datatracker.ietf.org/doc/draft-nottingham-http2-encryption >> Htmlized: http://tools.ietf.org/html/draft-nottingham-http2-encryption-00 >> >> >> Abstract: >> This document proposes a way to optimistically encrypt HTTP/2.0 using >> TLS for HTTP URIs. >> >> >> >> >> Please note that it may take a couple of minutes from the time of submission >> until the htmlized version and diff are available at tools.ietf.org. >> >> The IETF Secretariat >> > > -- > Mark Nottingham http://www.mnot.net/ > > > <green/>bytes GmbH Hafenweg 16, 48155 Münster, Germany Phone: +49 251 2807760. Amtsgericht Münster: HRB5782
Received on Tuesday, 1 October 2013 08:52:28 UTC