Re: New Version Notification for draft-nottingham-http2-encryption-00.txt

I think the server's "need" stems from the multi-origin push discussion.  If the server is only allowed one cert and it's being validated, it can only push things matching that cert.  If the client only cares about encryption and not identity, then the server can push things for which it hasn't proven it's authoritative.

Sent from Windows Mail

From: Paul Hoffman<>
Sent: ?Monday?, ?October? ?7?, ?2013 ?8?:?17? ?AM
To: Mark Nottingham<>
Cc: Martin Thomson<>, HTTP Working Group<>

On Sun, Oct 6, 2013 at 12:23 AM, Mark Nottingham <<>> wrote:

On 02/10/2013, at 2:02 PM, Martin Thomson <<>> wrote:
> I also wonder why you bothered to introduce the concept of a
> "http2-tls-relaxed" profile.  To my mind, since the decision to use
> TLS for the "http" resource was discretionary on the part of the
> client, then the decision to validate the server certificate is
> equally discretionary.  I would have thought that the logic would go
> something like:

The server needs to know whether the cert is being validated (as discussed in a note near the end, there's more work to do on this).

I'm not seeing that note; can you repeat the text here? Currently, the server doesn't know whether the cert is validated: it could have been accepted by clicking-through-the-UI-warnings.

If the HTTP server doesn't "need" to know whether the TLS client did the validation, then there is no need for the "-relaxed" profile. If the HTTP server really does need to know that, then we need a new TLS extension that causes an validation indication to be passed through an API. That's much more work than you are proposing here.

--Paul Hoffman

Received on Monday, 7 October 2013 15:34:17 UTC