On Fri, Oct 7, 2016 at 11:54 AM, Martin Thomson <martin.thomson@gmail.com>
wrote:
> On 7 October 2016 at 18:45, Patrick McManus <mcmanus@ducksong.com> wrote:
> > I think either the 200 or the json are acceptable here - let's decide.
>
> Me too. I think that we all now understand the parameters and we have
> a decent chance of being able to document the hazards, so let's pick.
> Shall I get a coin?
>
>
can we consider MUST serve json, MUST verify 200, SHOULD verify json? This
recognizes that the json burden is harder on the client - the server can
just publish a fixed string.
This also recognizes that the party being protected here is the client.
(Nothing in this approach prevents an attacking MITM from just hijacking
regular plaintext h1 and proxying it to port 443 with an http scheme on the
server in the total absence of a .wk.. nothing unless the attacker is
afraid of being declared a non compliant attacker :))
-P