- From: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
- Date: Tue, 9 Jun 2015 21:48:54 +0300
- To: Mike Bishop <Michael.Bishop@microsoft.com>
- Cc: Yoav Nir <ynir.ietf@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>
On Tue, Jun 09, 2015 at 05:51:39PM +0000, Mike Bishop wrote: > > Martin's approach, along with the early-renegotiation dance in the > HTTP/2 spec, still forces the creation of a new TLS connection, > something we'd prefer to avoid. It's better than HTTP_1_1_REQUIRED > in that it lets the client keep using HTTP/2, but worse in that it > mixes the TLS and HTTP layers, something we'd also prefer to minimize. If one really wants to avoid new TLS connection creation in something that could be actually secure, one would have to support SPDY-style client certificate slots, presumably signaling which slot to use per request in Authorization: header. This is because changing connection authentication mid-connection is asking for security problems (especially if client side is a browser), even if no proxies are involved. Of course, doing SPDY-style auth safely requires EMS or TLS 1.3+. -Ilari
Received on Tuesday, 9 June 2015 18:49:20 UTC