- From: Kari Hurtta <hurtta-ietf@elmme-mailer.org>
- Date: Wed, 02 Mar 2016 19:12:18 +0000
- To: HTTP WG <ietf-http-wg@w3.org>
- Cc: Kari Hurtta <hurtta-ietf@elmme-mailer.org>, Mark Nottingham <mnot@mnot.net>
( commenting myself ... )

Kari Hurtta <hurtta-ietf@elmme-mailer.org>: (Wed Mar 2 19:02:46 2016)
> | For the purposes of this specification, there are two ways to achieve
> | this:
> |
> | • Using TLS with a certificate that validates as per [RFC2818], or
> | • Confirming that both the origin and the alternative service support
> |   this specification by obtaining a 200 (OK) response for the "http-tls"
> |   well-known URI (section X).
> |
> | The latter approach allows deployment without the use of valid
> | certificates, to encourage deployment of opportunistic security.
> | Therefore, in these cases the alternative service can provide any
> | certificate, or even select TLS cipher suites that do not include
> | authentication.
>
> 1) This seems not to specify that the alternative is the same host as the
>    origin in the case when a valid certificate is not required.
>
>    Therefore the "http-tls" well-known URI on the _alternative_
>    must include the origin name (method, host, port).

'method' should be "http", because "https" already requires a valid certificate. But maybe a browser may want to check the well-known URI for the https method in some cases. That is not required, but a browser may do extra checks. ( And anyway the definition of origin includes the method. )

A certificate does not tell the method and port, only the name (and it may be *.example.com).

Perhaps other checks are like "the certificate for the alternative must be equally strong as for the original". ( Domain Validated, Organization Validated, Extended Validated; is a wildcard used on the certificate name? what is the signing algorithm? does the certificate have the same validation chain? and then the negotiated TLS parameters )

> 2) If the origin does not filter Alt-Svc: headers,
>    a http://origin/~attacker/ script can still
>    produce
>      Alt-Svc: h2=":8000"
>
>    and if the origin runs its own real alternative on port 81
>    then it will have the "http-tls" well-known URI.
>
>    Therefore the "http-tls" well-known URI on the _origin_
>    must include the alternative (host and port).
>
>
> Because it is an alternative, the
> "http-tls" well-known URI on the _origin_ and the _alternative_
> must be the same.
>
> Therefore the "http-tls" well-known URI must include the
> origin name and the alternative (host and port).

/ Kari Hurtta
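The acceptance policy argued for in the message above, written out as a client-side check (an added example, not code from the thread, the draft, or any browser). The draft only requires a 200 (OK) response from the "http-tls" well-known URI and defines no body; the JSON shape with "origins" and "alternatives" lists used here is an assumption made so that the proposed checks (the document names the origin, names the alternative's host and port, and is identical on origin and alternative) can be exercised. The Alt-Svc header values and the well-known document are constructed sample input, and they replay the port-81 versus port-8000 scenario from point 2.

```python
import json
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the (hypothetical) "http-tls" well-known document the
# origin publishes. The origin's real alternative listens on port 81.
CONSTRUCTED_ORIGIN_DOC = json.dumps({
    "origins": ["http://origin.example:80"],
    "alternatives": ["origin.example:81"],
})


@dataclass(frozen=True)
class Origin:
    scheme: str
    host: str
    port: int

    def name(self) -> str:
        # Origin name as the message proposes: method, host and port.
        return f"{self.scheme}://{self.host}:{self.port}"


@dataclass(frozen=True)
class AltService:
    protocol: str
    host: str
    port: int

    def authority(self) -> str:
        return f"{self.host}:{self.port}"


# protocol-id="alt-authority"; parameters after ';' are ignored in this example
_ALT_RE = re.compile(r'\s*([!#$%&\'*+\-.^_`|~0-9A-Za-z]+)="([^"]*)"')


def parse_alt_svc(value: str, origin: Origin) -> List[AltService]:
    """Parse an Alt-Svc field value such as 'h2=":8000"; ma=60, h2="alt.example:443"'.

    An alt-authority with an empty host (":8000") means "same host as the origin".
    """
    services: List[AltService] = []
    if value.strip().lower() == "clear":
        return services
    for member in value.split(","):
        m = _ALT_RE.match(member)
        if not m:
            continue  # malformed member: ignore rather than guess
        proto, authority = m.group(1), m.group(2)
        host, _, port = authority.rpartition(":")
        if not port.isdigit():
            continue
        services.append(AltService(proto, host or origin.host, int(port)))
    return services


def well_known_allows(doc_text: Optional[str], origin: Origin, alt: AltService) -> bool:
    """True only when the (hypothetical) document names both the origin and
    the alternative's host:port."""
    if doc_text is None:
        return False
    try:
        doc = json.loads(doc_text)
    except ValueError:
        return False
    return (origin.name() in doc.get("origins", [])
            and alt.authority() in doc.get("alternatives", []))


def alternative_acceptable(origin: Origin, alt: AltService, cert_validates: bool,
                           origin_doc: Optional[str], alt_doc: Optional[str]) -> bool:
    """Decide whether a client may route the origin's traffic to the alternative.

    First path of the quoted draft: a certificate that validates. Second path:
    the well-known resource, with the extra requirements from the message:
    fetched from both sides, identical on both, and naming origin and alternative.
    """
    if cert_validates:
        return True
    if origin.scheme != "http":
        return False  # https origins already require a valid certificate
    if origin_doc is None or alt_doc is None or origin_doc != alt_doc:
        return False
    return well_known_allows(origin_doc, origin, alt)


def demo() -> dict:
    origin = Origin("http", "origin.example", 80)
    # Constructed: header emitted by an attacker-controlled path on the origin
    injected = parse_alt_svc('h2=":8000"', origin)
    # Constructed: header emitted by the origin's real configuration
    legitimate = parse_alt_svc('h2=":81"; ma=3600', origin)
    doc = CONSTRUCTED_ORIGIN_DOC  # same document served by origin and alternative
    return {
        "injected_port_accepted": alternative_acceptable(origin, injected[0], False, doc, doc),
        "real_alternative_accepted": alternative_acceptable(origin, legitimate[0], False, doc, doc),
    }


if __name__ == "__main__":
    print(demo())
```

The well-known check is deliberately two-sided: the origin's copy proves the origin (not an arbitrary path on it) endorses that host and port, and the alternative's identical copy proves the alternative agrees to serve that origin, which is the pairing the message argues neither a bare 200 (OK) nor an unvalidated certificate can establish.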
Received on Wednesday, 2 March 2016 21:36:47 UTC