- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Wed, 13 Jan 2016 14:22:11 +1100
- To: Kyle Rose <krose@krose.org>
- Cc: Julian Reschke <julian.reschke@gmx.de>, Hervé Ruellan <herve.ruellan@crf.canon.fr>, HTTP Working Group <ietf-http-wg@w3.org>
On 13 January 2016 at 14:03, Kyle Rose <krose@krose.org> wrote:
>> 1. the alternative service must be authenticated as the origin host
>
> If this is the case, then we should simply state that "Clients MUST
> NOT use an alternative service that does not strongly authenticate
> with the origin's identity."

There may be some reluctance to write text that duplicates other RFCs. I think that we can get over that and include that statement. Adding a citation for RFC 7230 should avoid any potential confusion about whether this is intended to override any guidance there.

>> 2. if the alt-svc advertisement isn't authenticated, the host can't be
>> different to the origin.
...
> "Clients MUST NOT use an alternative service whose host is different
> from the origin's if the alternative service advertisement was not
> strongly authenticated."

That works for me.

Julian, do you think that these statements could be added to the root of Section 9?
Received on Wednesday, 13 January 2016 03:22:40 UTC
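The two proposed requirements from the thread, sketched as a client-side check. This is an added example, not part of the original message or of any HTTP implementation. The function names are hypothetical, the Alt-Svc parsing is simplified, `advertisement_authenticated` is the caller's own determination, and `cert_names` is assumed to hold the DNS names of a certificate whose chain has already been validated.

```python
from urllib.parse import urlsplit
import re

# One alternative in an Alt-Svc field value: protocol-id="[host]:port"
_ALT = re.compile(r'\s*([^\s=,;"]+)="([^"]*)"')

def parse_alt_svc(value):
    """Return [(protocol_id, host, port)]; host is '' when the alternative omits it."""
    if value.strip() == "clear":
        return []
    alts = []
    for item in value.split(","):  # simplified: parameters such as ma= are ignored
        m = _ALT.match(item)
        if not m:
            continue
        host, sep, port = m.group(2).rpartition(":")
        if sep and port.isdigit():
            alts.append((m.group(1), host.lower(), int(port)))
    return alts

def usable_alternatives(origin, alt_svc_value, advertisement_authenticated):
    """Second statement: without a strongly authenticated advertisement,
    only alternatives on the origin's own host may be used."""
    origin_host = urlsplit(origin).hostname
    usable = []
    for proto, host, port in parse_alt_svc(alt_svc_value):
        host = host or origin_host  # an omitted host means the origin's host
        if host != origin_host and not advertisement_authenticated:
            continue
        usable.append((proto, host, port))
    return usable

def _name_matches(pattern, host):
    # Exact match, or a wildcard covering exactly one leftmost label.
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def may_use(origin, cert_names):
    """First statement: the alternative service must authenticate with the
    origin's identity, not with the alternative's own hostname."""
    origin_host = urlsplit(origin).hostname
    return any(_name_matches(name, origin_host) for name in cert_names)

# Constructed sample advertisement: one different-host and one same-host alternative.
SAMPLE = 'h2="alt.example.net:443"; ma=60, h2=":8443"'
```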