Re: Alt-Svc WGLC

On 2016-01-13 04:22, Martin Thomson wrote:
> On 13 January 2016 at 14:03, Kyle Rose <krose@krose.org> wrote:
>>> 1. the alternative service must be authenticated as the origin host
>>
>> If this is the case, then we should simply state that "Clients MUST
>> NOT use an alternative service that does not strongly authenticate
>> with the origin's identity."
>
> There may be some reluctance to write text that duplicates other RFCs.
>
> I think that we can get over that and include that statement.  Adding
> a citation for RFC 7230 should avoid any potential confusion about
> whether this is intended to override any guidance there.
>
>>> 2. if the alt-svc advertisement isn't authenticated, the host can't be
>>> different to the origin.
> ...
>> "Clients MUST NOT use an alternative service whose host is different
>> from the origin's if the alternative service advertisement was not
>> strongly authenticated."
>
> That works for me.  Julian, do you think that these statements could
> be added to the root of Section 9?

I welcome concrete text or pull request. That being said, if we 
add/change normative statements, this should go into the main part of 
the spec, not the security considerations...

Best regards, Julian

Received on Wednesday, 13 January 2016 21:17:47 UTC