- From: Mark Nottingham <mnot@mnot.net>
- Date: Fri, 25 Apr 2014 10:34:18 +1000
- To: HTTP Working Group <ietf-http-wg@w3.org>
<https://github.com/http2/http2-spec/issues/444> > For the load balancing use case, it's necessary for clients to always flush altsvc cache upon a network change, but right now they're only required to examine the cache for suspicious entries. We should discuss whether this should be upgraded to always flush. I think the logical proposal would be to change <http://http2.github.io/http2-spec/alt-svc.html#caching> """ To mitigate risks associated with caching compromised values (see Section 7.2 for details), user agents should examine cached alternative services when they detect a change in network configuration, and remove any that could be compromised (for example, those whose association with the trust root is questionable). UAs that do not have a means of detecting network changes should place an upper bound on their lifetime. """ to read: """ To mitigate risks associated with caching compromised values (see Section 7.2 for details), user agents should remove all cached alternative services when they detect a change in network configuration. UAs that do not have a means of detecting network changes should place an upper bound on their lifetime. """ Thoughts? Cheers, -- Mark Nottingham http://www.mnot.net/
Received on Friday, 25 April 2014 00:33:16 UTC