Re: -encryption draft -01

From: Julian Reschke <julian.reschke@gmx.de>
Date: Thu, 29 Jan 2015 23:26:01 +0100
Message-ID: <54CAB379.6000002@gmx.de>
To: Martin Thomson <martin.thomson@gmail.com>
CC: HTTP Working Group <ietf-http-wg@w3.org>

On 2014-12-16 18:46, Martin Thomson wrote:
> Feedback, structured or not, is always welcome.
>
> I didn't realize just how riddled this was with little bugs.
>
>>     A client can also explicitly probe for an alternative service
>>     advertisement by sending a request that bears little or no sensitive
>>     information, such as one with the OPTIONS method.  Likewise, clients
>>     with existing alternative services information could make such a
>>     request before they expire, in order minimize the delays that might
>>     be incurred.
>>
>> Q: How is OPTIONS better than HEAD?
>
> I believe that either is fine.  This is a f'rexample only.  I think
> that we had a discussion where (and I'm going to rely on bad memory)
> Roy suggested OPTIONS over HEAD.  OPTIONS * allows a client to learn
> things without perhaps revealing what resource it might be interested
> in.
>
>> 6.4. Confusion Regarding Request Scheme
>>
>>     ...
>>
>>     HTTP/1.1 MUST NOT be sent over HTTP/1.1 or earlier versions of the
>>     protocol.  Opportunistically secured HTTP requests MUST include an
>>     explicit scheme identifier.
>>
>> Doesn't compute.
>
> Whoa, I was in a hurry, but I didn't realize it was that bad.  That's
> awful.  Here's what the next version will say.
>
> "HTTP/1.1 MUST NOT be used for opportunistically secured requests."

I stumbled upon this today again, so I took the freedom to fix it myself
(along with some typos): 
<https://github.com/httpwg/http-extensions/commit/7018bfe3f97b38c94c3502c2f3b82b10290b87d6>

Best regards, Julian
Received on Thursday, 29 January 2015 22:26:43 UTC
