W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2014

Re: New Version Notification for draft-nottingham-http2-encryption-03.txt

From: Martin Nilsson <nilsson@opera.com>
Date: Wed, 21 May 2014 08:56:24 +0200
To: William Chan (陈智昌) <willchan@chromium.org>
Cc: "HTTP Working Group" <ietf-http-wg@w3.org>
Message-ID: <op.xf66wa14iw9drz@uranium.arthotel.pl>
On Wed, 21 May 2014 00:55:42 +0200, William Chan (陈智昌)  
<willchan@chromium.org> wrote:

> Transport security is very different from web security. For example,  
> only some of the resources in a webpage may be opportunistically  
> encrypted >with strong authentication. If there's active content like  
> script that's loaded without transport security, that can compromise the  
> entire page.

Yes, of course. I'm asking about the case where everything is equivalent  
with if the page were loaded as https. Certificates check out, all  
dependencies are secure, etc. Section 6.1 states that the page MUST NOT be  
indicated to be secure, even though there is no practical difference.

/Martin Nilsson

Using Opera's revolutionary email client: http://www.opera.com/mail/
Received on Wednesday, 21 May 2014 06:56:53 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:14:30 UTC