- From: Kari Hurtta <hurtta-ietf@elmme-mailer.org>
- Date: Thu, 23 Jun 2016 17:56:39 +0300 (EEST)
- To: Martin Thomson <martin.thomson@gmail.com>, HTTP working group mailing list <ietf-http-wg@w3.org>
- CC: Kari Hurtta <hurtta-ietf@elmme-mailer.org>, HTTP working group mailing list <ietf-http-wg@w3.org>, Mark Nottingham <mnot@mnot.net>, Mike Bishop <Michael.Bishop@microsoft.com>
> On 23 June 2016 at 02:36, Kari Hurtta <hurtta-ietf@elmme-mailer.org> wrote:
> > Now this does not look very dangerous, because if http-opportunistic
> > is used only for commitment, then there is no "tls-ports".
>
> That was my assessment. The entire structure is either valid or
> invalid as a whole.

https://tools.ietf.org/html/draft-ietf-httpbis-http2-encryption-06#section-5.1

| When the value of the "tls-commit" member is "true" ([RFC7159],
| Section 3), it indicates that the origin makes such a commitment for
| the duration of the origin object lifetime.
|
|
| {
|   "http://www.example.com": {
|     "tls-ports": [443,8080],
|     "tls-commit": true,
|     "lifetime": 3600
|   }
| }

Should this example omit the "tls-ports" member?

"tls-commit" requires a valid certificate:

https://tools.ietf.org/html/draft-ietf-httpbis-http2-encryption-06#section-5.1

| be applied to authenticating the alternative. Minimum authentication
| requirements for HTTP over TLS are described in Section 2.1 of
| [RFC7838] and Section 3.1 of [RFC2818]. As noted in [RFC7838],
| clients can impose other checks in addition to this minimum set. For
| instance, a client might choose to apply key pinning [RFC7469].

And "tls-ports" is used for the situation when there is no valid certificate:

https://tools.ietf.org/html/draft-ietf-httpbis-http2-encryption-06#section-3

| This allows deployment without the use of valid certificates, to
| encourage deployment of opportunistic security. When it is in use,
| the alternative service can provide any certificate, or even select
| TLS cipher suites that do not include authentication.

| o The origin object of the http-opportunistic response has a `tls-
|   ports' member, whose value is an array of numbers, one of which
|   matches the port of the alternative service in question, and

/ Kari Hurtta
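The client-side reading of the origin object that the mail above argues about, as an added Python example (not from the thread or the draft): the object is accepted or rejected as a whole, opportunistic use of an alternative requires its port to appear in "tls-ports", and commitment holds only when "tls-commit" is the JSON literal true, so a commitment-only object with no "tls-ports" is still valid. Rejecting the whole document when any one origin object is malformed, and treating "lifetime" as an optional non-negative integer, are assumptions of this example.

```python
import json

class InvalidOriginObject(ValueError):
    """Raised when an origin object (or the whole document) is malformed."""

def _is_port(value):
    # bool is a subclass of int in Python; JSON true/false must not count as ports
    return isinstance(value, int) and not isinstance(value, bool) and 0 < value < 65536

def parse_document(text):
    """Parse the http-opportunistic JSON and validate every origin object as a whole."""
    try:
        doc = json.loads(text)
    except ValueError as exc:
        raise InvalidOriginObject("not valid JSON") from exc
    if not isinstance(doc, dict):
        raise InvalidOriginObject("top level must be a JSON object keyed by origin")
    parsed = {}
    for origin, obj in doc.items():
        if not isinstance(obj, dict):
            raise InvalidOriginObject(f"{origin}: origin object must be a JSON object")
        ports = obj.get("tls-ports", [])  # absent means: no port may be used opportunistically
        if not isinstance(ports, list) or not all(_is_port(p) for p in ports):
            raise InvalidOriginObject(f"{origin}: tls-ports must be an array of port numbers")
        commit = obj.get("tls-commit", False)
        if not isinstance(commit, bool):  # the string "true" is not a commitment
            raise InvalidOriginObject(f"{origin}: tls-commit must be a JSON boolean")
        lifetime = obj.get("lifetime")  # assumption: optional, non-negative integer
        if lifetime is not None and (not isinstance(lifetime, int) or isinstance(lifetime, bool) or lifetime < 0):
            raise InvalidOriginObject(f"{origin}: lifetime must be a non-negative integer")
        parsed[origin] = {"ports": set(ports), "commit": commit, "lifetime": lifetime}
    return parsed

def evaluate(text, origin, alt_port):
    """Decide what a client may do with an alternative on alt_port for origin.
    A malformed document (assumption: any bad origin object) yields neither
    opportunistic use nor commitment, matching 'valid or invalid as a whole'."""
    try:
        entry = parse_document(text).get(origin)
    except InvalidOriginObject:
        entry = None
    if entry is None:
        return {"opportunistic_ok": False, "committed": False}
    return {"opportunistic_ok": alt_port in entry["ports"], "committed": entry["commit"]}

# Constructed sample documents: the draft's own example, a commitment-only
# object without tls-ports (the case raised in the mail), and a malformed one.
DRAFT_EXAMPLE = '{"http://www.example.com": {"tls-ports": [443,8080], "tls-commit": true, "lifetime": 3600}}'
COMMIT_ONLY = '{"http://www.example.com": {"tls-commit": true, "lifetime": 3600}}'
MALFORMED = '{"http://www.example.com": {"tls-ports": [443], "tls-commit": "true"}}'
```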
Received on Thursday, 23 June 2016 14:57:11 UTC