I'd been assuming the alternative service server. Good point, we should be
more explicit.
Perhaps:
Clients MUST NOT use alternative services without strong server
authentication to the alternative using the name of the origin; this
mitigates the attack described in Section 9.2.
(The following paragraph gives an example)
On Wed, Jan 13, 2016 at 10:04 PM, Martin Thomson <martin.thomson@gmail.com>
wrote:
> On 14 January 2016 at 09:42, Erik Nygren <erik@nygren.org> wrote:
> > Clients MUST NOT use alternative services
> > without strong server authentication; this mitigates the attack
> > described in
> > Section 9.2.
>
>
> Does this refer to the alternative service server, or the server that
> advertises the alternative service? That's a major source of
> confusion here.
>
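As an added illustration of the proposed wording (not part of this thread and not code from any Alt-Svc implementation): the client may open the connection to the alternative's host and port, but the TLS server authentication it performs is for the origin's name. In Python's ssl module that means passing the origin host as `server_hostname` so both SNI and certificate verification use the origin, never the alternative's own name. The name-matching helper, the `choose_endpoint` decision function and the sample SAN lists below are constructed for this example; `connect_to_alternative` needs network access and is not exercised offline.

```python
"""Alt-Svc: use an alternative only if it authenticates as the *origin*.

Added example, not from the mailing-list thread or from any library.
The certificate presented by the alternative must be valid for the origin
host name; a certificate that only names the alternative itself is not
enough, which is the 9.2 attack the proposed MUST NOT is meant to block.
"""
import socket
import ssl
from typing import Iterable, Tuple


def _dns_name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style comparison: exact match, or one leading '*' label.

    The wildcard covers exactly one label and must leave at least two
    labels after it, so '*.example.com' matches 'www.example.com' but not
    'a.b.example.com', 'example.com', or anything under a bare '*.com'.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]              # e.g. ".example.com"
        if suffix.count(".") < 2:         # reject '*.com'-style wildcards
            return False
        if not host.endswith(suffix):
            return False
        leading = host[: -len(suffix)]    # the part the '*' stands for
        return leading != "" and "." not in leading
    return False


def alternative_is_authenticated(origin_host: str,
                                 cert_dns_names: Iterable[str]) -> bool:
    """True iff the alternative's certificate covers the ORIGIN's host name.

    cert_dns_names are the dNSName subjectAltName entries the alternative
    presented. The alternative's own name is irrelevant here.
    """
    return any(_dns_name_matches(n, origin_host) for n in cert_dns_names)


def choose_endpoint(origin_host: str, origin_port: int,
                    alt_host: str, alt_port: int,
                    alt_cert_dns_names: Iterable[str]) -> Tuple[str, int]:
    """Return (host, port) to send the origin's requests to.

    The alternative is used only when it is authenticated for the origin;
    otherwise the client falls back to the origin itself.
    """
    if alternative_is_authenticated(origin_host, alt_cert_dns_names):
        return (alt_host, alt_port)
    return (origin_host, origin_port)


def connect_to_alternative(origin_host: str, alt_host: str, alt_port: int,
                           timeout: float = 5.0) -> ssl.SSLSocket:
    """Open a TLS connection to the alternative, authenticated as the origin.

    server_hostname=origin_host makes the ssl module send SNI for the
    origin and verify the chain and host name against origin_host, not
    alt_host (check_hostname is on by default in create_default_context).
    Requires network access; assumed usage, not exercised by the test.
    """
    ctx = ssl.create_default_context()
    raw = socket.create_connection((alt_host, alt_port), timeout=timeout)
    return ctx.wrap_socket(raw, server_hostname=origin_host)


# Constructed sample: origin www.example.com advertises alt.example.net:443.
ORIGIN = "www.example.com"
ALT = ("alt.example.net", 443)
CERT_COVERING_ORIGIN = ["www.example.com", "example.com"]   # acceptable
CERT_FOR_ALT_ONLY = ["alt.example.net"]                      # must be refused
CERT_WILDCARD = ["*.example.com"]                            # acceptable

if __name__ == "__main__":
    for names in (CERT_COVERING_ORIGIN, CERT_FOR_ALT_ONLY, CERT_WILDCARD):
        print(names, "->", choose_endpoint(ORIGIN, 443, *ALT, names))
```

The decisive case is `CERT_FOR_ALT_ONLY`: a certificate that is perfectly valid for `alt.example.net` still does not authorize that host to serve `www.example.com`, so the client keeps talking to the origin.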