Authentication in Alternative Services (draft-ietf-httpbis-alt-svc-06)

Hi,
- It feels like the normative text about authentication is in the wrong place. I think the authentication text in the beginning of Section 2 “Importantly, … being used)” belongs in Section 2.1. (Section 9.2 even states that this requirement is in Section 2.1, which it currently isn’t).
- As the draft forces alternative services to be strongly authenticated with the origin’s identity, the draft should also discuss the security issues of having private keys for the origin spread out in several different locations.
- Can an “alternative service” advertise alternative services (using Alt-Svc or ALTSVC)? There is no discussion in the draft. An alternative service is clearly authoritative for an origin (sometimes more than the origin server), but allowing an alternative service to send Alt-Svc or ALTSVC means that an alternative service can keep a client away from the origin server forever.
- There is a short mention of using DoS as a downgrade attack, but there is no discussion of a man-in-the-middle simply removing an Alt-Svc header with higher security. Maybe a security consideration section on downgrade attacks makes sense.
Cheers, John


JOHN MATTSSON
MSc Engineering Physics, MSc Business Administration and Economics
Ericsson IETF Security Coordinator
Senior Researcher, Security

Ericsson AB
Ericsson Research
Färögatan 6
SE-164 80 Stockholm, Sweden
Phone +46 10 71 43 501
SMS/MMS +46 76 11 53 501
john.mattsson@ericsson.com
www.ericsson.com

Received on Friday, 6 February 2015 18:56:35 UTC
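
The third point in the message, modelled as an added example (not part of the original message, the draft, or any HTTP client): a client cache is simulated under two policies, one that caches Alt-Svc advertisements received from the alternative service itself and one that only caches those received from the origin. The host names, the 60-second `ma` lifetime, the 30-second request interval and both policies are assumptions made for the illustration.

```python
# Constructed model of an Alt-Svc client cache; all names and values are hypothetical.
ORIGIN = "origin.example:443"   # origin server
ALT = "alt.example:443"         # alternative service advertised for the origin
MA = 60                         # freshness lifetime in seconds ("ma" parameter)

# What each server advertises with every response: (alt-authority, ma).
# The alternative service re-advertises itself, which is the case the message asks about.
ADVERTISED = {ORIGIN: (ALT, MA), ALT: (ALT, MA)}


def simulate(accept_from_alternative, request_times):
    """Return the server contacted at each request time (in seconds).

    accept_from_alternative: True if the client also caches Alt-Svc
    advertisements that arrive from the alternative service.
    """
    cached = None       # (alt-authority, expiry time) or None
    contacted = []
    for now in request_times:
        if cached and now >= cached[1]:
            cached = None                     # entry expired: fall back to the origin
        server = cached[0] if cached else ORIGIN
        contacted.append(server)
        if server == ORIGIN or accept_from_alternative:
            alt, ma = ADVERTISED[server]
            cached = (alt, now + ma)          # a fresh advertisement resets the expiry
    return contacted


def origin_visits(contacted):
    """Count how many requests reached the origin server."""
    return sum(1 for server in contacted if server == ORIGIN)


if __name__ == "__main__":
    times = range(0, 600, 30)                 # one request every 30 s for 10 minutes
    for policy in (True, False):
        visits = origin_visits(simulate(policy, times))
        print(f"accept_from_alternative={policy}: {visits} of {len(times)} requests hit the origin")
```

With re-advertisement accepted, the cache entry is refreshed before it expires on every request, so only the first request reaches the origin; with the origin-only policy the entry expires and the client returns to the origin each time.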