Re: New Version Notification for draft-nottingham-http2-encryption-00.txt

We're talking around the same problem. What Mark has proposed allows the
HTTP server to tell the HTTP client two different things:
- The server has an https version of the origin available
- The https version of the origin is / is not expected to validate

My belief is that HTTP clients do not have enough communication with their
TLS stacks to be able to use the second piece of information in a secure
fashion; thus, it should be removed.

Your preference seems to be that we fix TLS so that a web site can offer
TLS in a way that a TLS client would not expect it to validate. That seems
fine, except then there also has to be a way to communicate that to both the
HTTP client *and* the HTTP server. Do not assume that an HTTP server knows
the type of certificate and/or validation that is done.

Received on Monday, 7 October 2013 17:00:37 UTC