Re: draft-ietf-httpbis-http2-encryption-06.txt

> On 23 June 2016 at 02:36, Kari Hurtta <hurtta-ietf@elmme-mailer.org> wrote:
> > Now this does not look very dangerous, because if http-opportunistic
> > is used only for commitment, then there is no "tls-ports".
> 
> That was my assessment.  The entire structure is either valid or
> invalid as a whole.

https://tools.ietf.org/html/draft-ietf-httpbis-http2-encryption-06#section-5.1

|   When the value of the "tls-commit" member is "true" ([RFC7159],
|   Section 3), it indicates that the origin makes such a commitment for
|   the duration of the origin object lifetime.
|
|   {
|     "http://www.example.com": {
|       "tls-ports": [443,8080],
|       "tls-commit": true,
|       "lifetime": 3600
|     }
|   }

Should this example omit the "tls-ports" member?

"tls-commit" requires valid certificate:

https://tools.ietf.org/html/draft-ietf-httpbis-http2-encryption-06#section-5.1

|   be applied to authenticating the alternative.  Minimum authentication
|   requirements for HTTP over TLS are described in Section 2.1 of
|   [RFC7838] and Section 3.1 of [RFC2818].  As noted in [RFC7838],
|   clients can impose other checks in addition to this minimum set.  For
|   instance, a client might choose to apply key pinning [RFC7469].


And "tls-ports" is used for the situation when there is no valid certificate:

https://tools.ietf.org/html/draft-ietf-httpbis-http2-encryption-06#section-3

|   This allows deployment without the use of valid certificates, to
|   encourage deployment of opportunistic security.  When it is in use,
|   the alternative service can provide any certificate, or even select
|   TLS cipher suites that do not include authentication.


|   o  The origin object of the http-opportunistic response has a `tls-
|      ports' member, whose value is an array of numbers, one of which
|      matches the port of the alternative service in question, and

/ Kari Hurtta
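As an added illustration of the checks discussed in this thread (example code, not from the draft or from any poster): a client-side parser for the http-opportunistic origin object that rejects the structure as a whole when any member is malformed, treats a port listed in "tls-ports" as permitting unauthenticated use of that alternative, and honours "tls-commit" only when the alternative's certificate authenticates the origin. The strict rejection rules and the treatment of "lifetime" as an optional number are assumptions, not text from the draft.

```python
import json

# Constructed sample: the origin object quoted from draft section 5.1.
SAMPLE_OBJECT = """{
  "http://www.example.com": {
    "tls-ports": [443,8080],
    "tls-commit": true,
    "lifetime": 3600
  }
}"""


def _is_number(value):
    # JSON numbers only; Python's bool is an int subclass, so exclude it.
    return isinstance(value, (int, float)) and not isinstance(value, bool)


def parse_origin_object(text, origin):
    """Return the entry for `origin` from an http-opportunistic response,
    or None when the structure is not valid as a whole (assumed: any
    malformed member invalidates the object, it is not partially used)."""
    try:
        doc = json.loads(text)
    except ValueError:
        return None
    entry = doc.get(origin) if isinstance(doc, dict) else None
    if not isinstance(entry, dict):
        return None
    ports = entry.get("tls-ports", [])
    if not (isinstance(ports, list) and all(_is_number(p) for p in ports)):
        return None
    commit = entry.get("tls-commit", False)
    if not isinstance(commit, bool):
        return None
    lifetime = entry.get("lifetime")  # assumed optional
    if lifetime is not None and not _is_number(lifetime):
        return None
    return {"tls-ports": ports, "tls-commit": commit, "lifetime": lifetime}


def evaluate_alternative(entry, alt_port, cert_valid):
    """Decide how a client may treat an alternative service on alt_port.
    opportunistic: usable without authentication because its port is in
      "tls-ports" (draft section 3).
    committed: the origin's TLS commitment applies, honoured only when the
      alternative's certificate authenticates the origin (section 5.1)."""
    if entry is None:
        return {"opportunistic": False, "committed": False}
    return {
        "opportunistic": alt_port in entry["tls-ports"],
        "committed": entry["tls-commit"] and cert_valid,
    }
```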

Received on Thursday, 23 June 2016 14:57:11 UTC