Re: Alt-Svc WGLC from Martin Thomson on 2016-01-14 (ietf-http-wg@w3.org from January to March 2016)

From: Martin Thomson <martin.thomson@gmail.com>
Date: Thu, 14 Jan 2016 14:04:16 +1100
To: Erik Nygren <erik@nygren.org>
Cc: Kyle Rose <krose@krose.org>, Julian Reschke <julian.reschke@gmx.de>, Hervé Ruellan <herve.ruellan@crf.canon.fr>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <CABkgnnUCY4tOOtrH8VV5yFaRQ1OhEAqvh6kV30pmtSSF8EzmVA@mail.gmail.com>

On 14 January 2016 at 09:42, Erik Nygren <erik@nygren.org> wrote:
> Clients MUST NOT use alternative services
> without strong server authentication; this mitigates the attack described in
> Section 9.2.

Does this refer to the alternative service server, or the server that
advertises the alternative service?  That's a major source of
confusion here.

Received on Thursday, 14 January 2016 03:04:46 UTC