Re: last call Feedback for Opportunistic Security for HTTP (Experimental)

> The .wk, even absent tls-commit, brings with it a couple properties that
> have been argued for here in the past. Erik (and maybe Kari? Sorry for not
> looking it up) made strong cases that in the case of http:// over tls the
> alternate needs a stronger opt in than TLS auth provides in order to
> confirm that it is an alternate for a specific origin (including especially
> the scheme). I think the concern is that if a host does indeed have a cert
> for on port 443 (deployed to serve https) but that doesn't
> mean it wants to see requests for there..

I did not wrote about this (I think), but I agree.

> fwiw I agree that 7838 allows http over TLS with auth. But if we feel there
> is a stronger way to do that with concerns that are specific to the http://
> scheme, there's nothing wrong with defining that - especially if that's
> what is implemented.

It make sense that client want see 

GET /.well-known/http-opportunistic HTTP/1.1

HTTP/1.1 200 OK
Content-Type: application/json
Connection: close

  "": {
     "lifetime": 86400

on alternative service to indicate that this port is meant for 
http:// scheme.

Otherwise valid certificate may be just for https:// scheme.


GET /.well-known/http-opportunistic HTTP/1.1

HTTP/1.1 200 OK
Content-Type: application/json
Connection: close

  "": {
     "lifetime": 86400,
     "mixed-scheme": true

is stronger case for that.

Client may require other indications
than just these what RFC 7838
"HTTP Alternative Services" says.

Mentioning that possibility on
specification makes sense.

> 1] opportunistic security should require TLS authentication. 

I have not yet strong preference here.

If TLS authentication is required, then
seems that "tls-port" can be get rid of.

Client of course can require TLS authentication

> 3] get rid of tls-commit (i.e. the latch to opp sec) as this plays very
> poorly with alt-svc.

Make sense.

I also had on my last comments some notes about that lifetime
of commitment (unclear specification)

I also noted that "tls-commit" does not require 
/.well-known/http-opportunistic on alternative service.

I agree to get rid of "tls-commit" for simplify.


So /.well-known/http-opportunistic becomes
to check that TLS port is meant for http -scheme
(and perhaps that origin and alternative service
 both gives same /.well-known/http-opportunistic ).

/ Kari Hurtta

Received on Thursday, 8 September 2016 17:17:01 UTC