- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Wed, 13 Jan 2016 22:17:24 +0100
- To: Martin Thomson <martin.thomson@gmail.com>, Kyle Rose <krose@krose.org>
- Cc: Hervé Ruellan <herve.ruellan@crf.canon.fr>, HTTP Working Group <ietf-http-wg@w3.org>
On 2016-01-13 04:22, Martin Thomson wrote:
> On 13 January 2016 at 14:03, Kyle Rose <krose@krose.org> wrote:
>>> 1. the alternative service must be authenticated as the origin host
>>
>> If this is the case, then we should simply state that "Clients MUST
>> NOT use an alternative service that does not strongly authenticate
>> with the origin's identity."
>
> There may be some reluctance to write text that duplicates other RFCs.
>
> I think that we can get over that and include that statement. Adding
> a citation for RFC 7230 should avoid any potential confusion about
> whether this is intended to override any guidance there.
>
>>> 2. if the alt-svc advertisement isn't authenticated, the host can't be
>>> different to the origin.
> ...
>> "Clients MUST NOT use an alternative service whose host is different
>> from the origin's if the alternative service advertisement was not
>> strongly authenticated."
>
> That works for me. Julian, do you think that these statements could
> be added to the root of Section 9?

I welcome concrete text or pull request.

That being said, if we add/change normative statements, this should go
into the main part of the spec, not the security considerations...

Best regards, Julian
Received on Wednesday, 13 January 2016 21:17:47 UTC
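The two client rules discussed in the thread, written out as a policy check. This is an added example, not text or code from the Alt-Svc draft, the working group, or any browser: the function and type names are hypothetical, certificate-name matching is a deliberately simplified version of RFC 6125 (exact match or one left-most wildcard label, DNS names only), and the scenarios in `demo()` are constructed. Header syntax follows RFC 7838 (`Alt-Svc: h2="alt.example.com:443"; ma=2592000`).

```python
"""
Client-side check of two Alt-Svc rules (hypothetical example code):

  1. an alternative service may only be used if it strongly authenticates
     as the origin, i.e. its certificate is valid for the origin's host;
  2. if the Alt-Svc advertisement itself was not received over an
     authenticated channel, the alternative's host must not differ from
     the origin's host.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# protocol-id "=" quoted alt-authority; parameters after it are ignored.
# (Simplified token class; percent-encoded protocol-ids are not handled.)
_ALT_VALUE = re.compile(r'\s*([\w!#$%&*+.^`|~-]+)="([^"]*)"')


@dataclass(frozen=True)
class Alternative:
    protocol: str
    host: str  # empty string means "same host as the origin"
    port: int


def parse_alt_svc(header: str) -> List[Alternative]:
    """Extract the alternatives from an Alt-Svc field value."""
    alts: List[Alternative] = []
    if header.strip() == "clear":
        return alts
    for member in header.split(","):
        m = _ALT_VALUE.match(member)
        if not m:
            continue  # unparseable member: skip rather than guess
        proto, authority = m.group(1), m.group(2)
        host, _, port = authority.rpartition(":")
        if not port.isdigit():
            continue
        # strip IPv6 brackets; hostnames are compared case-insensitively
        alts.append(Alternative(proto, host.strip("[]").lower(), int(port)))
    return alts


def _cert_matches(presented_name: str, host: str) -> bool:
    """Simplified RFC 6125 matching: exact, or a single left-most wildcard label
    (assumption: no IDNA, DNS-name SAN entries only)."""
    presented_name, host = presented_name.lower(), host.lower()
    if presented_name == host:
        return True
    if presented_name.startswith("*."):
        suffix = presented_name[1:]  # ".example.com"
        return host.endswith(suffix) and "." not in host[: -len(suffix)]
    return False


def may_use_alternative(origin_host: str, alt: Alternative,
                        advertisement_authenticated: bool,
                        alt_cert_dns_names: Optional[List[str]]) -> Tuple[bool, str]:
    """Apply both rules. `alt_cert_dns_names` holds the DNS names in the
    certificate the alternative presented; None means the connection to the
    alternative was not authenticated at all."""
    alt_host = alt.host or origin_host
    # Rule 2: an unauthenticated advertisement cannot redirect to another host.
    if not advertisement_authenticated and alt_host.lower() != origin_host.lower():
        return False, "unauthenticated advertisement names a different host"
    # Rule 1: the alternative must authenticate as the origin, not as itself.
    if alt_cert_dns_names is None:
        return False, "alternative did not strongly authenticate"
    if not any(_cert_matches(n, origin_host) for n in alt_cert_dns_names):
        return False, "alternative's certificate is not valid for the origin"
    return True, "ok"


def demo() -> Dict[str, bool]:
    """Constructed scenarios (not taken from the thread)."""
    origin = "www.example.com"
    remote, same_host = parse_alt_svc('h2="alt.example.com:443"; ma=2592000, h2=":8443"')
    return {
        # advertised over https; alternative presents a cert valid for the origin
        "tls_adv_origin_cert": may_use_alternative(origin, remote, True, ["www.example.com"])[0],
        # advertised over https; alternative presents only its own name
        "tls_adv_own_cert": may_use_alternative(origin, remote, True, ["alt.example.com"])[0],
        # advertised over cleartext http; alternative on a different host
        "clear_adv_other_host": may_use_alternative(origin, remote, False, ["www.example.com"])[0],
        # advertised over cleartext http; same host, other port, wildcard cert for the origin
        "clear_adv_same_host": may_use_alternative(origin, same_host, False, ["*.example.com"])[0],
        # connection to the alternative not authenticated at all
        "no_tls": may_use_alternative(origin, same_host, True, None)[0],
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'use' if allowed else 'reject'}")
```

Note that rule 1 checks the alternative's certificate against the origin's host, not against the alternative's own host: an alternative that merely proves it is `alt.example.com` has not proven it may speak for `www.example.com`.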