- From: Mark Nottingham <mnot@mnot.net>
- Date: Fri, 11 Mar 2016 16:27:28 +1100
- To: Martin Thomson <martin.thomson@gmail.com>
- Cc: HTTP WG <ietf-http-wg@w3.org>
OK, I merged this and did some editorial adjustments, see:
https://github.com/httpwg/http-extensions/compare/ab374d6...master?name=master&short_path=fd50b7c#diff-fd50b7c5883e57d650fa3ac7f47c12f9

Martin, one question -- right now, it's written in such a way that 'commit' is effectively an optional feature (for servers *and* clients). Was that your intent, and if so should it be made more explicit? Right now, it's a bit confusing because you use both "requiring" and "clients can" regarding this feature.

If folks are OK with all of that, I think we can close #67, #144 and #145:
https://github.com/httpwg/http-extensions/issues?q=is%3Aopen+is%3Aissue+label%3Aopp-sec

The only thing remaining then is Kari's suggestion that the .well-known file also include the alternatives, to mitigate the case when an attacker has 1) the ability to inject response headers, 2) the ability to listen on a port on the same host, and 3) doesn't have the ability to modify .well-known (AKA "shared hosting w/ shell access").

Thoughts?

> On 8 Mar 2016, at 2:55 PM, Martin Thomson <martin.thomson@gmail.com> wrote:
>
> On 8 March 2016 at 13:54, Mark Nottingham <mnot@mnot.net> wrote:
>> OK, I've taken a stab at this here:
>> https://github.com/httpwg/http-extensions/commit/c7324f4804f
>
> That looks like what we discussed.
>
>> Martin, I just left the HTTP-TLS stuff in for now; Martin, do you want to try to integrate it into the well-known stuff?
>
> See https://github.com/httpwg/http-extensions/pull/151
>

--
Mark Nottingham   https://www.mnot.net/
Received on Friday, 11 March 2016 05:28:02 UTC
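The cross-check Kari's suggestion describes, as an added example that is not code from this thread or from the http-extensions draft: a client accepts an Alt-Svc alternative only if the origin's .well-known resource also lists it, so a co-tenant who can inject a response header and bind a port on the same host, but cannot write the .well-known file, cannot steer the client to that port. The JSON shape of the .well-known document (an `alternatives` array of `host:port` strings), the header values, and the function names are all constructed for this example, not the draft's format.

```python
import json
import re

# Constructed sample .well-known document. Its shape (a JSON object with an
# "alternatives" array of "host:port" strings) is an assumption made for this
# example, not the format defined by the draft under discussion.
WELL_KNOWN_DOC = json.dumps(
    {"alternatives": ["example.com:443", "alt.example.com:443"]}
)

# Constructed Alt-Svc header values. Port 8080 stands in for a port that a
# co-tenant on the same host could bind; port 443 is the legitimate alternative.
ALT_SVC_LEGIT = 'h2=":443"; ma=3600'
ALT_SVC_INJECTED = 'h2=":8080"; ma=3600, h2="alt.example.com:443"'

# Matches the leading 'proto="authority"' of one Alt-Svc list member.
_ALT_RE = re.compile(r'\s*([!#$%&\'*+\-.^_`|~0-9A-Za-z]+)="([^"]*)"')


def parse_alt_svc(value):
    """Parse an Alt-Svc field value into (protocol, host, port) tuples.

    Handles the common 'proto="[host]:port"' form; trailing parameters such
    as ma= are ignored. A missing host means "same host as the origin" and
    is returned as None.
    """
    alternatives = []
    for member in value.split(","):
        m = _ALT_RE.match(member)
        if not m:
            continue
        proto, authority = m.group(1), m.group(2)
        host, _, port = authority.rpartition(":")
        if not port.isdigit():
            continue
        alternatives.append((proto, host or None, int(port)))
    return alternatives


def allowed_alternatives(origin_host, alt_svc_value, well_known_json):
    """Keep only the advertised alternatives that the .well-known document
    also lists.

    Returns (protocol, host, port) tuples with the host resolved against the
    origin, so an alternative that names only a port is checked as
    "<origin_host>:<port>".
    """
    listed = set(json.loads(well_known_json).get("alternatives", []))
    accepted = []
    for proto, host, port in parse_alt_svc(alt_svc_value):
        resolved_host = host or origin_host
        if f"{resolved_host}:{port}" in listed:
            accepted.append((proto, resolved_host, port))
    return accepted


if __name__ == "__main__":
    # The injected ":8080" alternative is dropped; the listed ones survive.
    print(allowed_alternatives("example.com", ALT_SVC_LEGIT, WELL_KNOWN_DOC))
    print(allowed_alternatives("example.com", ALT_SVC_INJECTED, WELL_KNOWN_DOC))
```

The check is only as strong as the .well-known fetch itself: the client has to obtain that document over a channel the co-tenant cannot inject into (or at least not the same response the attacker can alter), otherwise the attacker's header and the attacker's "listing" arrive together.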