non authenticated alternate services (was Re: AD review of draft-ietf-httpbis-alt-svc-10)

Hi All, I apologize for letting this discussion go to my backlog. As Barry
suggested, some of us need longer than others to shake off the new year's
fog.

tl;dr; I've come to agree that an additional out of band check with an
origin advertising an un-authenticated alt-service has value and we should
modify the document to define that. It certainly has more value than either
the port scheme or just allowing same host ports. Maybe something like the
.well-known approach Kari suggests would be fine. It's certainly slow, but
the whole migration thing is asynchronous anyhow so that's not a deal
killer.

I'm actually glad the port number nonsense got called out. It didn't have
real value and it's the kind of window dressing only a committee could love
(I say lovingly, as a member of said committee). Although moot now, I
disagree that it was doing any harm by giving people a sense of self
confidence - in general I think that kind of argument is too clever by
half, people are generally paying no attention or less often paying enough
attention to think it through.

I do have a concern that when reviewing the registry of .well-known
https://www.iana.org/assignments/well-known-uris/well-known-uris.xml it
isn't exactly overrun with well-used mechanisms. It seems to me .well-known
is often offered up in the solutions space but not implemented as often.

I'm happy to help draft text if no one else wants to. Perhaps Mark, as
author of RFC 5785, might want to suggest a structure. (Do we need a
separate document?) I think it can probably be a white list of
advertisements on separate lines and also allowing *, but that's just an
opening bid.

onward,
-Patrick

Received on Saturday, 16 January 2016 20:05:21 UTC