- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Tue, 12 Jan 2016 10:43:38 +1100
- To: Kyle Rose <krose@krose.org>
- Cc: Julian Reschke <julian.reschke@gmx.de>, Hervé Ruellan <herve.ruellan@crf.canon.fr>, HTTP Working Group <ietf-http-wg@w3.org>

On 12 January 2016 at 03:05, Kyle Rose <krose@krose.org> wrote:
> How about "Clients MUST NOT use an alternative service with a host
> that is different from the origin's without strong server
> authentication of the alternative service declaration"?

That changes the intent. The server that is ultimately contacted (after all the alt-svc shenanigans) MUST be authoritative for the origin of the resources that it serves.

Yes, we want to authenticate the alt-svc declaration, but that isn't actually a necessary precondition on getting what we really want: an authority for the resource itself.

Received on Monday, 11 January 2016 23:44:06 UTC