- From: Kari hurtta <hurtta-ietf@elmme-mailer.org>
- Date: Thu, 8 Sep 2016 20:16:30 +0300 (EEST)
- To: HTTP working group mailing list <ietf-http-wg@w3.org>
- CC: Kari hurtta <hurtta-ietf@elmme-mailer.org>
https://lists.w3.org/Archives/Public/ietf-http-wg/2016JulSep/0570.html
> The .wk, even absent tls-commit, brings with it a couple properties that
> have been argued for here in the past. Erik (and maybe Kari? Sorry for not
> looking it up) made strong cases that in the case of http:// over tls the
> alternate needs a stronger opt in than TLS auth provides in order to
> confirm that it is an alternate for a specific origin (including especially
> the scheme). I think the concern is that if a host does indeed have a cert
> for foo.example.com on port 443 (deployed to serve https) but that doesn't
> mean it wants to see requests for http://foo.example.com there..
I did not wrote about this (I think), but I agree.
> fwiw I agree that 7838 allows http over TLS with auth. But if we feel there
> is a stronger way to do that with concerns that are specific to the http://
> scheme, there's nothing wrong with defining that - especially if that's
> what is implemented.
It make sense that client want see
GET /.well-known/http-opportunistic HTTP/1.1
Host: www.example.com
HTTP/1.1 200 OK
Content-Type: application/json
Connection: close
{
"http://www.example.com": {
"lifetime": 86400
}
}
on alternative service to indicate that this port is meant for
http:// scheme.
Otherwise valid certificate may be just for https:// scheme.
And
GET /.well-known/http-opportunistic HTTP/1.1
Host: www.example.com
HTTP/1.1 200 OK
Content-Type: application/json
Connection: close
{
"http://www.example.com": {
"lifetime": 86400,
"mixed-scheme": true
}
}
is stronger case for that.
Client may require other indications
than just these what RFC 7838
"HTTP Alternative Services" says.
Mentioning that possibility on
/.well-known/http-opportunistic
specification makes sense.
https://lists.w3.org/Archives/Public/ietf-http-wg/2016JulSep/0566.html
> 1] opportunistic security should require TLS authentication.
I have not yet strong preference here.
If TLS authentication is required, then
seems that "tls-port" can be get rid of.
Client of course can require TLS authentication
always.
> 3] get rid of tls-commit (i.e. the latch to opp sec) as this plays very
> poorly with alt-svc.
Make sense.
I also had on my last comments some notes about that lifetime
of commitment (unclear specification)
https://lists.w3.org/Archives/Public/ietf-http-wg/2016JulSep/0087.html
https://lists.w3.org/Archives/Public/ietf-http-wg/2016JulSep/0008.html
https://lists.w3.org/Archives/Public/ietf-http-wg/2016AprJun/0431.html
I also noted that "tls-commit" does not require
/.well-known/http-opportunistic on alternative service.
https://lists.w3.org/Archives/Public/ietf-http-wg/2016AprJun/0409.html
I agree to get rid of "tls-commit" for simplify.
=====
So /.well-known/http-opportunistic becomes
to check that TLS port is meant for http -scheme
(and perhaps that origin and alternative service
both gives same /.well-known/http-opportunistic ).
/ Kari Hurtta
Received on Thursday, 8 September 2016 17:17:01 UTC