
Re: New Version Notification for draft-nottingham-http2-encryption-02.txt

From: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Date: Thu, 12 Dec 2013 09:53:26 +0200
To: Mark Nottingham <mnot@mnot.net>
Cc: Paul Hoffman <paul.hoffman@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <20131212075326.GA25136@LK-Perkele-VII>

On Thu, Dec 12, 2013 at 03:52:22PM +1100, Mark Nottingham wrote:

(The difference between h2t and h2r)

> Yep, that's been discussed a few times, it's an open question.
> One possible use is that the server may want/need to know whether or
> not the client is validating the cert; e.g., a bank.

Or client knowing if server supports HTTP-over-HTTPS (sending HTTP
requests over HTTP/TLS)? Or does h2t or HTTP/2.0 already imply it?
I have seen at least one HTTP/1.1 server that fails in a dangerous
way[1] (and knowing it is Apache probably means there are a lot
more of those) if one tries using HTTP-over-HTTPS.

Also, internally using HTTPS on HTTPS could cause some (badly
written) things to fail as client and server could then disagree
about the protocol.

[1] Essentially, returning wrong data without error.

Received on Thursday, 12 December 2013 07:53:51 UTC