Re: New Version Notification for draft-nottingham-http2-encryption-03.txt

From: Mark Nottingham <mnot@mnot.net>
Date: Thu, 22 May 2014 12:56:09 +1000
Cc: Martin Thomson <martin.thomson@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <0DF71B50-A1D1-422A-ADB8-C1DF58A65255@mnot.net>
To: "William Chan (陈智昌)" <willchan@chromium.org>

On 22 May 2014, at 10:25 am, William Chan (陈智昌) <willchan@chromium.org> wrote:

> I've skimmed the draft in more detail now and have nits:
> 
> * Grammar in section 6.3. - "A browser client MUST clear persisted all alternative service information when clearing other origin-based state (i.e., cookies)."

Fixed in-repo, thanks.

> * Please consistently use "alternative services" instead of "alternate services".

Dang, missed one.

> 
> I don't feel very strongly, but I am not sure where the times for the operational considerations are coming from. IIRC, HSTS and HPKP use much longer max-ages. Why does this draft suggest capping at 1 month?

Martin?

> 
> Cheers.
> 
> 
> On Mon, May 19, 2014 at 8:59 PM, Martin Thomson <martin.thomson@gmail.com> wrote:
> On 19 May 2014 20:42, Mark Nottingham <mnot@mnot.net> wrote:
> > FYI - Martin went away and did some substantial revision of this draft, and is now an author.
> 
> The changes incorporate a draft you might have seen, but I didn't
> announce.  The main innovation here is a way to make the whole thing
> sticky in an effort to reduce the opportunity for downgrade attack.
> Pretty standard stuff, but included as a bit of a thought experiment
> as well as a bit of a test to see what people think.
> 
> 

--
Mark Nottingham   http://www.mnot.net/
Received on Thursday, 22 May 2014 02:56:38 UTC