Re: New Version Notification for draft-nottingham-http2-encryption-00.txt

On Tue, 1 October 2013 10:52, Stefan Eissing wrote:
> Mark,
>
> I like the approach to take the security aspect of the connection out of
> the uri. Using the uri scheme to manage resource security is awkward. We
> can expect security mechanisms to further evolve in the future and
> need to disentangle this from the uri itself. (302-ing all google
> resources works, but seems to indicate something's lacking here.)
>
> As I was not part of the discussions so far, it may be total nonsense, but
> would not a CONNECT against the server be a proper way to negotiate the
> security of the connection and perform possible upgrades to TLS or
> whatever?

Please not unless CONNECT changes drastically from a security point of
view. Right now every time an intermediary accepts a CONNECT it makes the
same mistake Richelieu made when he gave his full endorsement in writing
to Milady (that was ultimately used against both). CONNECT needs to be
extinguished, not promoted.

-- 
Nicolas Mailhot

Received on Tuesday, 1 October 2013 09:26:55 UTC