Mark's coalescing proposal

I think that this is mostly right:

>>>
Partial proposal: insert after 9.1 Connection Management second paragraph:

Clients MAY use a single connection for more than one origin when each
origin's hostname resolves to the same IP address, and they share the
same port. When an origin's scheme is "https", the server's
certificate MUST be valid for the origin's hostname to be used in this
fashion; this might be accomplished using a "wildcard certificate",
subjectAltName [RFC3280], or some other mechanism.
<<<

However, 3280 is out of date.  I wonder if 6125 is not a better
reference to use here.  As in:

When an origin's scheme is "https", the server MUST be authenticated,
either by validating the server certificate against the hostname in
the origin [RFC6125], or by some other mechanism.

Received on Friday, 31 January 2014 18:23:38 UTC
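The coalescing rule discussed in this message, worked through in Python as an added example (it is not code from the thread or from any HTTP implementation). It assumes hypothetical data structures for the resolver result and the parsed server certificate, and implements a simplified version of the RFC 6125 dNSName comparison (wildcard only as the entire left-most label, matching exactly one label). It also assumes, as a conservative choice not stated in the quoted text, that the new origin must use the same scheme as the one the connection was opened for.

```python
"""Decide whether an existing HTTP connection may be reused for another origin.

Added example for the coalescing rule in the message above. The Origin,
Connection and resolver inputs are hypothetical structures; the
certificate match is a simplified RFC 6125 section 6.4.3 comparison.
"""
from dataclasses import dataclass
from typing import FrozenSet
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Origin:
    scheme: str
    host: str
    port: int

    @classmethod
    def parse(cls, url: str) -> "Origin":
        u = urlsplit(url)
        scheme = u.scheme.lower()
        default_port = {"http": 80, "https": 443}[scheme]
        return cls(scheme, u.hostname.lower(), u.port or default_port)


@dataclass(frozen=True)
class Connection:
    origin: Origin                     # origin the connection was opened for
    peer_ip: str                       # address the socket is actually connected to
    cert_names: FrozenSet[str] = frozenset()  # dNSName SAN entries, lower-case


def dns_name_matches(presented: str, reference: str) -> bool:
    """Simplified RFC 6125 match of a presented dNSName against a reference hostname.

    A wildcard is accepted only as the whole left-most label, it must be
    followed by at least two labels (so "*.com" never matches), and it
    matches exactly one label, so "*.example.com" does not match
    "example.com" or "a.b.example.com".
    """
    presented = presented.lower().rstrip(".")
    reference = reference.lower().rstrip(".")
    if "*" not in presented:
        return presented == reference
    p_labels = presented.split(".")
    r_labels = reference.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in presented[1:]:
        return False
    if len(p_labels) != len(r_labels):
        return False
    return p_labels[1:] == r_labels[1:]


def cert_valid_for(conn: Connection, host: str) -> bool:
    """True if any SAN on the connection's server certificate covers host."""
    return any(dns_name_matches(name, host) for name in conn.cert_names)


def may_coalesce(conn: Connection, new_origin: Origin, resolved_ips: FrozenSet[str]) -> bool:
    """Apply the proposed rule: same IP and port, and for https a certificate
    that is valid for the new origin's hostname."""
    if new_origin.scheme != conn.origin.scheme:      # assumption: no cross-scheme reuse
        return False
    if new_origin.port != conn.origin.port:          # "they share the same port"
        return False
    if conn.peer_ip not in resolved_ips:             # "resolves to the same IP address"
        return False
    if new_origin.scheme == "https" and not cert_valid_for(conn, new_origin.host):
        return False                                 # certificate MUST be valid for the hostname
    return True


# Constructed sample data (192.0.2.0/24 is the documentation address range).
CONN = Connection(
    origin=Origin.parse("https://www.example.com/"),
    peer_ip="192.0.2.10",
    cert_names=frozenset({"www.example.com", "*.example.com"}),
)
RESOLVED = frozenset({"192.0.2.10", "192.0.2.11"})


def check(url: str, resolved: FrozenSet[str] = RESOLVED) -> bool:
    return may_coalesce(CONN, Origin.parse(url), resolved)


if __name__ == "__main__":
    for url in ("https://static.example.com/", "https://example.com/",
                "https://a.b.example.com/", "https://static.example.com:8443/",
                "http://static.example.com:443/"):
        print(f"{url:40} -> {check(url)}")
```

The wildcard check is the part worth reading closely: the certificate for www.example.com carries `*.example.com`, so static.example.com may ride on the same connection, but the bare apex example.com and the deeper a.b.example.com may not, even though all of them resolve to the same address.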