Re: New Version Notification for draft-nottingham-http2-encryption-00.txt

On Sun, Oct 6, 2013 at 12:23 AM, Mark Nottingham <mnot@mnot.net> wrote:

>
> On 02/10/2013, at 2:02 PM, Martin Thomson <martin.thomson@gmail.com>
> wrote:
> > I also wonder why you bothered to introduce the concept of a
> > "http2-tls-relaxed" profile.  To my mind, since the decision to use
> > TLS for the "http" resource was discretionary on the part of the
> > client, then the decision to validate the server certificate is
> > equally discretionary.  I would have thought that the logic would go
> > something like:
>
> The server needs to know whether the cert is being validated (as discussed
> in a note near the end, there's more work to do on this).
>

I'm not seeing that note; can you repeat the text here? Currently, the
server doesn't know whether the cert is validated: it could have been
accepted by clicking-through-the-UI-warnings.

If the HTTP server doesn't "need" to know whether the TLS client did the
validation, then there is no need for the "-relaxed" profile. If the HTTP
server really does need to know that, then we need a new TLS extension that
causes a validation indication to be passed through an API. That's much
more work than you are proposing here.

--Paul Hoffman

Received on Monday, 7 October 2013 15:14:01 UTC