Re: New Version Notification for draft-nottingham-http2-encryption-03.txt from Martin Nilsson on 2014-05-21 (ietf-http-wg@w3.org from April to June 2014)

From: Martin Nilsson <nilsson@opera.com>
Date: Wed, 21 May 2014 08:56:24 +0200
To: William Chan (陈智昌) <willchan@chromium.org>
Cc: "HTTP Working Group" <ietf-http-wg@w3.org>
Message-ID: <op.xf66wa14iw9drz@uranium.arthotel.pl>

On Wed, 21 May 2014 00:55:42 +0200, William Chan (陈智昌)  
<willchan@chromium.org> wrote:

>
> Transport security is very different from web security. For example,  
> only some of the resources in a webpage may be opportunistically  
> encrypted >with strong authentication. If there's active content like  
> script that's loaded without transport security, that can compromise the  
> entire page.

Yes, of course. I'm asking about the case where everything is equivalent  
with if the page were loaded as https. Certificates check out, all  
dependencies are secure, etc. Section 6.1 states that the page MUST NOT be  
indicated to be secure, even though there is no practical difference.

/Martin Nilsson

-- 
Using Opera's revolutionary email client: http://www.opera.com/mail/

Received on Wednesday, 21 May 2014 06:56:53 UTC