- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Wed, 22 Oct 2014 21:09:53 -0700
- To: HTTP Working Group <ietf-http-wg@w3.org>
https://github.com/http2/http2-spec/pull/632

As Mike observes:

"The server might know as soon as the connection is established that it will want the cert, but want it protected by the handshake. Either endpoint, not just the client, may choose to renegotiate before sending their preface."

The current text notes that the client is permitted to renegotiate; Mike is requesting that we allow the server the same opportunity. I think that this is in line with the intent of the text.

There is, however, a race between the server's HelloRequest at the TLS layer and the first flight of application data from a client that is doing false start. But we already have the same race for clients that initiate renegotiation when they are not doing false start, so this isn't really new. The only difference is that this causes a race with real requests, and not just SETTINGS. I think that, on balance, this is OK.

This would allow a server that (unconditionally) requires client authentication to provide confidentiality protection for client credentials. (I personally like confidentiality protection very much, so this might just be my bias...)
Received on Thursday, 23 October 2014 04:10:20 UTC