Re: New Version Notification for draft-nottingham-http2-encryption-00.txt

On Sun, Oct 6, 2013 at 12:23 AM, Mark Nottingham <> wrote:

> On 02/10/2013, at 2:02 PM, Martin Thomson <>
> wrote:
> > I also wonder why you bothered to introduce the concept of a
> > "http2-tls-relaxed" profile.  To my mind, since the decision to use
> > TLS for the "http" resource was discretionary on the part of the
> > client, then the decision to validate the server certificate is
> > equally discretionary.  I would have thought that the logic would go
> > something like:
> The server needs to know whether the cert is being validated (as discussed
> in a note near the end, there's more work to do on this).

I'm not seeing that note; can you repeat the text here? Currently, the
server doesn't know whether the cert is validated: it could have been
accepted by clicking-through-the-UI-warnings.

If the HTTP server doesn't "need" to know whether the TLS client did the
validation, then there is no need for the "-relaxed" profile. If the HTTP
server really does need to know that, then we need a new TLS extension that
causes an validation indication to be passed through an API. That's much
more work than you are proposing here.

--Paul Hoffman

Received on Monday, 7 October 2013 15:14:01 UTC