- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Fri, 25 Apr 2014 11:05:19 -0700
- To: Erik Nygren <erik@nygren.org>
- Cc: Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
On 25 April 2014 10:42, Erik Nygren <erik@nygren.org> wrote: > particularly concerned clients could ignore the ALTSVC sent by the server. That's the extreme option. I'm thinking that we might just be able to scrub the expiry time and maybe even allow the first domain component to be replaced with '*', so that wildcard certificate owners are unable to use 'somehighentropylabel.example.com' as their ALTSVC in the interests of tracking. I need to think about that last one a little more, it might be that it's overkill.
Received on Friday, 25 April 2014 18:05:47 UTC