W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2014

Re: TLS Renegotiation and HTTP/2 (#363)

From: Yoav Nir <ynir.ietf@gmail.com>
Date: Tue, 1 Apr 2014 20:41:37 +0300
Cc: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>, HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <9AD609B3-077E-4BA3-A5F7-3B958CD22D10@gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>

On Apr 1, 2014, at 8:18 PM, Martin Thomson <martin.thomson@gmail.com> wrote:

> On 1 April 2014 07:21, Yoav Nir <ynir.ietf@gmail.com> wrote:
>> But youíve convinced me - we should add the channel bindings to the signed data.
> This looks quite similar to the CREDENTIAL frame when you do it that way.

Sure. In general, HTTP authentication schemes are not tied to a connection. So if a resource requires authorization, the client can send the Authorization header with the first request without waiting for the 401.

This scheme would depend on having the challenge and Authorization header in the same connection, and also depend on the TLS state. I wonder if people would consider that a problem.

With sufficient time for the working groups to discuss this, I think both CREDENTIAL and authentication method are better than starting a new, client-authenticated connection in that they donít require a connection. But your catch draft can probably get published sooner than either of them.

Received on Tuesday, 1 April 2014 17:42:09 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:14:29 UTC