Re: SETTINGS_MIXED_SCHEME_PERMITTED | Re: I-D Action: draft-ietf-httpbis-http2-encryption-07.txt

Martin Thomson <>: (Wed Oct  5 17:07:16 2016)
> On 6 October 2016 at 00:36, Kari Hurtta <> wrote:
> >> >> "tls-ports"  should perhaps now be "mixed-scheme-listeners"
> >> >> giving [ "alternative-server:port" ].
> >
> > because should we really say that particular alternative server / port
> > combination for given origin supports http: -scheme over TLS.
> I interpreted that as:
>   { "": {
>       "mixed-scheme-listeners": [ "", "" ]
>     },
>     "" { ... }
>   }

> This is saying that "" is served (in addition to the
> cleartext version) on those alternatives.

Or actually:

 If Alt-Svc -header field gives this alternative, then
 this alternative (for that origin) is safe to use
 for http: -scheme via TLS (assuming that thhis
 alternative service returns same /.well-known/http-opportunistic
 responce that origin).

〔removed 〕

> > But also for particular origin there may be several
> > alternative servers which are not equal.
> Not sure that I follow: are you suggesting that the .wk resource would
> advertise the other origins, or that we need some sort of additional
> protection?

/.well-known/http-opportunistic list there origins which share
same /.well-known/http-opportunistic -file or resource.

For particular origin /.well-known/http-opportunistic list these
potential alternatice service name and port, which are safe for
http: -scheme over TLS.

This is additional protection.  SETTINGS_MIXED_SCHEME_PERMITTED
take account that all alternatice services for given origin
are not good for http: -scheme over TLS, but it does not
take account that connection is shared with several origins.

If /.well-known/http-opportunistic list only origins, then
it does not take account that all alternative services
are not hood for http: -scheme over TLS.

( I assume that alternative services are good for
  https: -scheme and they are valid certificate
  and some subset of url -path namespace is
  shared between http: and https: -scheme. 
  But /login is not good for http: -scheme.

/ Kari Hurtta

Received on Wednesday, 5 October 2016 16:17:11 UTC