
Re: Mark's coalescing proposal

From: Alexey Melnikov <alexey.melnikov@isode.com>
Date: Sat, 01 Feb 2014 19:23:32 +0000
Message-ID: <52ED49B4.5000100@isode.com>
To: Martin Thomson <martin.thomson@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>, Mark Nottingham <mnot@mnot.net>
Hi Martin,

On 31/01/2014 18:23, Martin Thomson wrote:
> I think that this is mostly right:
>
> Partial proposal: insert after 9.1 Connection Management second paragraph:
>
> Clients MAY use a single connection for more than one origin when each
> origin's hostname resolves to the same IP address, and they share the
> same port. When an origin's scheme is "https", the server's
> certificate MUST be valid for the origin's hostname to be used in this
> fashion; this might be accomplished using a "wildcard certificate",
> subjectAltName [RFC3280], or some other mechanism.
> <<<
>
> However, 3280 is out of date.  I wonder if 6125 is not a better
> reference to use here.  As in:
>
> When an origin's scheme is "https", the server MUST be authenticated,
> either by validating the server certificate against the hostname in
> the origin [RFC6125], or by some other mechanism.

If you want to do that, you need to define:
1) whether wildcards are allowed or not
2) whether CN-ID (CN=<hostname> in the subject DN) is allowed or not
3) whether DNS-ID is allowed or not.

So basically you can't just say "use RFC 6125", you need a bit more information.
Received on Saturday, 1 February 2014 19:23:55 UTC
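An added illustration of Alexey's point (example code written for this archive page, not from the thread or from any HTTP/2 implementation): the three RFC 6125 choices become explicit parameters of the coalescing check rather than an unstated default. It assumes the certificate's identifiers have already been extracted as strings, and it accepts a wildcard only as the entire left-most label.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class IdentifierPolicy:
    """The three choices RFC 6125 leaves to the application profile."""
    allow_dns_id: bool = True      # subjectAltName dNSName entries (DNS-ID)
    allow_cn_id: bool = False      # CN=<hostname> in the subject DN (CN-ID)
    allow_wildcards: bool = False  # "*.example.com" style identifiers


def identifier_matches(presented: str, host: str, allow_wildcards: bool) -> bool:
    """Compare one presented identifier with the reference hostname (RFC 6125 6.4.3).
    Assumed profile: a wildcard is only the whole left-most label, needs at least
    two labels after it, and never matches more than one label of the hostname."""
    p, h = presented.lower().rstrip("."), host.lower().rstrip(".")
    if p == h:
        return True
    if not allow_wildcards or not p.startswith("*."):
        return False
    suffix = p[2:]                      # everything after "*."
    if "*" in suffix or "." not in suffix:
        return False                    # rejects "*.com" and "*.*.example.com"
    labels = h.split(".")
    return len(labels) >= 3 and ".".join(labels[1:]) == suffix


def certificate_covers(host: str, dns_ids: List[str], cn: Optional[str],
                       policy: IdentifierPolicy) -> bool:
    """True if the certificate is valid for `host` under `policy`.
    CN-ID is consulted only when the certificate carries no DNS-ID (RFC 6125 6.4.4)."""
    if dns_ids:
        return policy.allow_dns_id and any(
            identifier_matches(d, host, policy.allow_wildcards) for d in dns_ids)
    if cn is None or not policy.allow_cn_id:
        return False
    return identifier_matches(cn, host, policy.allow_wildcards)


def may_coalesce(conn_ip: str, conn_port: int, origin_ip: str, origin_port: int,
                 origin_host: str, dns_ids: List[str], cn: Optional[str],
                 policy: IdentifierPolicy) -> bool:
    """Mark's rule: same resolved IP and port, and a certificate valid for the host."""
    if (conn_ip, conn_port) != (origin_ip, origin_port):
        return False
    return certificate_covers(origin_host, dns_ids, cn, policy)
```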