- From: Erik Nygren <erik@nygren.org>
- Date: Tue, 31 May 2016 18:31:58 -0400
- To: Mark Nottingham <mnot@mnot.net>
- Cc: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Received on Tuesday, 31 May 2016 22:32:25 UTC
Filed for the opp-sec draft where this is most relevant:
https://github.com/httpwg/http-extensions/issues/188
In particular, mixing of secure and insecure schemes should require
server-side opt-in over a strongly authenticated channel. (e.g., an
attribute of /.well-known/http-opportunistic with properties similar to
"commit" as for where it can be set).
Erik
At the least, we should warn about the issues that might be encountered.
> Servers can then choose not to advertise services like this, and clients
> can choose not to consume them.
>