Re: SETTINGS_MIXED_SCHEME_PERMITTED | Re: I-D Action: draft-ietf-httpbis-http2-encryption-07.txt from Kari Hurtta on 2016-10-05 (ietf-http-wg@w3.org from October to December 2016)

From: Kari Hurtta <hurtta-ietf@elmme-mailer.org>
Date: Wed, 5 Oct 2016 19:16:32 +0300 (EEST)
To: Martin Thomson <martin.thomson@gmail.com>
CC: Kari Hurtta <hurtta-ietf@elmme-mailer.org>, Patrick McManus <mcmanus@ducksong.com>, Mike Bishop <Michael.Bishop@microsoft.com>, HTTP working group mailing list <ietf-http-wg@w3.org>
Message-Id: <201610051616.u95GGWcI031833@shell.siilo.fmi.fi>

Martin Thomson <martin.thomson@gmail.com>: (Wed Oct  5 17:07:16 2016)
> On 6 October 2016 at 00:36, Kari Hurtta <hurtta-ietf@elmme-mailer.org> wrote:
> >> >> "tls-ports"  should perhaps now be "mixed-scheme-listeners"
> >> >> giving [ "alternative-server:port" ].
> >
> > because should we really say that particular alternative server / port
> > combination for given origin supports http: -scheme over TLS.
> 
> I interpreted that as:
> 
>   { "http://example.com": {
>       "mixed-scheme-listeners": [ "example.net:767", "example.com:3324" ]
>     },
>     "http://other.example.com" { ... }
>   }

Yes.

> This is saying that "http://example.com" is served (in addition to the
> cleartext version) on those alternatives.

Or actually:

 If Alt-Svc -header field gives this alternative, then
 this alternative (for that origin) is safe to use
 for http: -scheme via TLS (assuming that thhis
 alternative service returns same /.well-known/http-opportunistic
 responce that origin).

〔removed 〕

> > But also for particular origin there may be several
> > alternative servers which are not equal.
> 
> Not sure that I follow: are you suggesting that the .wk resource would
> advertise the other origins, or that we need some sort of additional
> protection?

/.well-known/http-opportunistic list there origins which share
same /.well-known/http-opportunistic -file or resource.

For particular origin /.well-known/http-opportunistic list these
potential alternatice service name and port, which are safe for
http: -scheme over TLS.

This is additional protection.  SETTINGS_MIXED_SCHEME_PERMITTED
take account that all alternatice services for given origin
are not good for http: -scheme over TLS, but it does not
take account that connection is shared with several origins.

If /.well-known/http-opportunistic list only origins, then
it does not take account that all alternative services
are not hood for http: -scheme over TLS.

( I assume that alternative services are good for
  https: -scheme and they are valid certificate
  and some subset of url -path namespace is
  shared between http: and https: -scheme. 
  But /login is not good for http: -scheme.
)

/ Kari Hurtta

Received on Wednesday, 5 October 2016 16:17:11 UTC