- From: Mark Nottingham <mnot@mnot.net>
- Date: Wed, 17 Jun 2015 13:15:33 +1000
- To: Stefan Eissing <stefan.eissing@greenbytes.de>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
> On 16 Jun 2015, at 6:32 pm, Stefan Eissing <stefan.eissing@greenbytes.de> wrote:
>
> Reading (again) https://httpwg.github.io/http-extensions/encryption.html, some questions:
>
> * If configuring an old-school http/1 only server for this, the Alt-Svc announcement would be:
> Alt-Svc: http/1.1=":81"
> ?

See <https://httpwg.github.io/http-extensions/encryption.html#confusion-regarding-request-scheme>; "HTTP/1.1 MUST NOT be used for opportunistically secured requests."

> * Ch. 5.1
> "When it appears in a HTTP response from a strongly authenticated alternative service..."
> This means the certificate is valid for the alt-svc host that can be different from the
> host in the http:// url originally requested, right?
> Example:
> GET http://test.example.org/opportunistic
> -> Alt-Svc: h2="h2.example.biz:81"
> -> GET http://test.example.org/opportunistic via TLS+h2 connection to h2.example.biz:81
> "strongly authenticated" meaning connection presents valid cert for h2.example.biz, has acceptable cipher, etc.
>
> * Given that the example above is correct, what protocol does h2.example.biz:81 need to implement?
> Will it be something like RFC 7540, but ignoring the special security requirements for TLS? Which parts would still apply to a server implementing this?
>
> I am asking out of interest to implement this and easing configuration, at least giving advice, for people who want to have this working on their httpd installation.
>
> As for testing, are there clients/canaries already implementing this?
>
> Thanks for the help.
>
> //Stefan
>
> <green/>bytes GmbH
> Hafenweg 16, 48155 Münster, Germany
> Phone: +49 251 2807760. Amtsgericht Münster: HRB5782

--
Mark Nottingham https://www.mnot.net/
Received on Wednesday, 17 June 2015 03:16:17 UTC
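
The rule quoted in the reply above, shown as an added example that is not part of the original message or of any implementation mentioned in the thread: a simplified Alt-Svc parser a client could use to discard http/1.1 alternatives before attempting an opportunistically secured request. The function names are hypothetical, and parameters such as ma are parsed past but ignored.

```python
from urllib.parse import unquote


def parse_alt_svc(value, origin_host):
    """Parse an Alt-Svc field value into a list of alternative-service dicts.

    Simplified: splits on ',' and ';' without handling those characters
    inside quoted strings, and ignores parameters (ma, persist, ...).
    """
    if value.strip() == "clear":
        return []
    services = []
    for item in value.split(","):
        # First segment is protocol-id="authority"; the rest are parameters.
        head, *_params = [part.strip() for part in item.split(";")]
        proto, sep, authority = head.partition("=")
        authority = authority.strip()
        if not sep or len(authority) < 2 or authority[0] != '"' or authority[-1] != '"':
            raise ValueError(f"malformed alternative: {item!r}")
        host, colon, port = authority[1:-1].rpartition(":")
        if not colon or not port.isdigit():
            raise ValueError(f"missing or invalid port: {item!r}")
        services.append({
            # ALPN ids may arrive percent-encoded ("http%2F1.1"); accept both forms.
            "protocol": unquote(proto.strip()),
            # An empty host (":81") means the same host as the origin.
            "host": host or origin_host,
            "port": int(port),
        })
    return services


def opportunistic_candidates(value, origin_host):
    """Alternatives usable for opportunistically secured http:// requests.

    Drops http/1.1, per the draft text quoted in the reply:
    "HTTP/1.1 MUST NOT be used for opportunistically secured requests."
    """
    return [s for s in parse_alt_svc(value, origin_host)
            if s["protocol"] != "http/1.1"]


if __name__ == "__main__":
    origin = "test.example.org"  # host from the example in the thread
    for header in ('http/1.1=":81"', 'h2="h2.example.biz:81"'):
        print(header, "->", opportunistic_candidates(header, origin))
```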