Re: New Version Notification for draft-nottingham-http2-encryption-02.txt

On Thu, Dec 12, 2013 at 3:56 PM, Mark Nottingham <mnot@mnot.net> wrote:

> Based on this discussion, it sounds like I can go ahead and remove h2r and
> refine the semantics of h2t to include the HTTP URI use case (i.e., no auth
> if on the same host, strong auth if on a different host).
>
> Make sense?

I am not sure it makes sense, but also I am not sure I understand the
proposal. It seems like you are proposing to move the defense against MitM
from TLS to the HTTP layer, where the HTTP layer will try to prevent MitM
by checking the scheme on each individual request. However, in HTTP/2,
isn't it the case that there are other types of things that get sent and
received on the connection besides requests and responses? Option
negotiation and whatnot? How would the server know that *those* things,
which don't have URIs associated with them, are authenticated or not?

Again, I think I might be misunderstanding the proposal, and more clarity
would be helpful.

Cheers,
Brian

Received on Saturday, 14 December 2013 20:57:40 UTC