Re: #492: Alt-Svc header host restriction from Martin Thomson on 2014-06-04 (ietf-http-wg@w3.org from April to June 2014)

From: Martin Thomson <martin.thomson@gmail.com>
Date: Wed, 4 Jun 2014 09:33:27 -0700
To: Mark Nottingham <mnot@mnot.net>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <CABkgnnUM3rw8DYwZt=spKZtAY5yPpM99Ksrh3qV9=v4NqKPu1g@mail.gmail.com>

On Jun 4, 2014 9:15 AM, "Mark Nottingham" <mnot@mnot.net> wrote:
>
> When we were originally working on Alt-Svc, Patrick and I put a
restriction on the Alt-Svc header field so that it couldn’t redirect
clients to a different host.
>
> Since then, several people have pointed out that the requirement to have
strong server authentication, as well as cache flushing, seems to contain
the risk associated with doing this, and that the facility could be quite
useful.

This sounds fine.

I think that this restriction still belongs in the -encryption draft.

Received on Wednesday, 4 June 2014 16:33:54 UTC