- From: Kyle Rose <krose@krose.org>
- Date: Wed, 13 Jan 2016 22:36:08 -0500
- To: Erik Nygren <erik@nygren.org>
- Cc: Martin Thomson <martin.thomson@gmail.com>, Julian Reschke <julian.reschke@gmx.de>, Hervé Ruellan <herve.ruellan@crf.canon.fr>, HTTP Working Group <ietf-http-wg@w3.org>

On Wed, Jan 13, 2016 at 10:21 PM, Erik Nygren <erik@nygren.org> wrote:

> I'd been assuming the alternative service server. Good point we should be
> more explicit.
> Perhaps:
>
> Clients MUST NOT use alternative services without strong server
> authentication to the alternative using the name of the origin; this
> mitigates the attack described in Section 9.2.

I might go with my wording from earlier in the thread:

"Clients MUST NOT use an alternative service that does not strongly authenticate with the origin's identity; this mitigates the attack described in Section 9.2."

Kyle

Received on Thursday, 14 January 2016 03:36:37 UTC