TLS at transport level vs stream multiplexing and aggregation (http "routers")

Hi all

there has been talk in the past about http message routers that forward 
messages relating to multiple concurrent streams over the same 
underlying protocol stream.

I'm a big fan of this idea, but I think requiring http2 to be over TLS 
would effectively prohibit this.

If the TLS is being used to establish credentials between client and 
server, and is connection-associated, then it holds the same set of 
badness that everyone holds against NTLM.

This means that TLS is being applied at the wrong level.

I think we should look into using TLS at the stream level, rather than 
transport.  This would allow a single TCP connection to contain multiple 
streams where each stream can be between different final endpoints, with 
different TLS layers.  And include unencrypted streams as well.

Where it is desired to minimise TLS setup overhead where all streams on 
a connection will use the same TLS context, then allow for that in the 
protocol as well.

That would then allow point to point links to use TLS to secure messages 
that may be themselves secured with TLS at the stream level or not.


Received on Sunday, 17 November 2013 20:59:26 UTC