On Thu, Dec 12, 2013 at 3:56 PM, Mark Nottingham <mnot@mnot.net> wrote:

> Based on this discussion, it sounds like I can go ahead and remove h2r and
> refine the semantics of h2t to include the HTTP URI use case (i.e., no auth
> if on the same host, strong auth if on a different host).
>
> Make sense?

I am not sure it makes sense, but also I am not sure I understand the proposal. It seems like you are proposing to move the defense against MitM from TLS to the HTTP layer, where the HTTP layer will try to prevent MitM by checking the scheme on each individual request.

However, in HTTP/2, isn't it the case that there are other types of things that get sent and received on the connection besides requests and responses? Option negotiation and whatnot? How would the server know that *those* things, which don't have URIs associated with them, are authenticated or not?

Again, I think I might be misunderstanding the proposal, and more clarity would be helpful.

Cheers,
Brian

Received on Saturday, 14 December 2013 20:57:40 UTC