Re: TLS ALPN Proposal v3 from Patrick McManus on 2015-07-22 (ietf-http-wg@w3.org from July to September 2015)

From: Patrick McManus <mcmanus@ducksong.com>
Date: Wed, 22 Jul 2015 11:06:21 +0200
To: Stefan Eissing <stefan.eissing@greenbytes.de>
Cc: McManus Patrick <mcmanus@ducksong.com>, Martin Thomson <martin.thomson@gmail.com>, Bradford Wetmore <bradford.wetmore@oracle.com>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <CAOdDvNppxcimCDwGno6mioQhhcJsy=E8HZSRYZPtQuKcP3iQcQ@mail.gmail.com>

On Wed, Jul 22, 2015 at 10:46 AM, Stefan Eissing <
stefan.eissing@greenbytes.de> wrote:

> You assume that a client talks to a server and that these two determine
> the security of the connection at connection setup.
>
>
>
But does it also imply that CDNs may only talk h2 to clients if the backend
> connection they might possibly need is also h2 with all security
> requirements followed? And if the backend connection needs to be
> setup/reopened and fails some requirements, must all client connections be
> dropped?
>
>
unless I am seriously misunderstanding the state of the art (or your
comment) the CDN presents itself as the origin (e.g. it has a TLS cert
valid for the origin). Whether it satisfies a request locally, via gateway
as some version of HTTP, or through gatewaying ftfp is immaterial to the
communication with the client. The CDN-based-origin could speak h2 to the
client in all those scenarios but it would have to do so over tls 1.2 and
with a cipher suite acceptable to rfc 7540.



> , I think this is not some esoteric gedankenmodell, but a real world
> scenario.
>

I don't know what that means (beyond the obvious guess), but I like the way
it sounds in my head :)

Received on Wednesday, 22 July 2015 09:06:47 UTC