RE: Op-sec simplification from Mike Bishop on 2016-10-31 (ietf-http-wg@w3.org from October to December 2016)

From: Mike Bishop <Michael.Bishop@microsoft.com>
Date: Mon, 31 Oct 2016 20:00:20 +0000
To: Martin Thomson <martin.thomson@gmail.com>, Kari Hurtta <hurtta-ietf@elmme-mailer.org>
CC: HTTP working group mailing list <ietf-http-wg@w3.org>
Message-ID: <BN6PR03MB27084FE886DD2E6A4857A47D87AE0@BN6PR03MB2708.namprd03.prod.outlook.com>

I like the direction this is moving, yes.

-----Original Message-----
From: Martin Thomson [mailto:martin.thomson@gmail.com] 
Sent: Monday, October 31, 2016 2:58 AM
To: Kari Hurtta <hurtta-ietf@elmme-mailer.org>
Cc: HTTP working group mailing list <ietf-http-wg@w3.org>
Subject: Re: Op-sec simplification

On 31 October 2016 at 16:32, Kari Hurtta <hurtta-ietf@elmme-mailer.org> wrote:
> Hmm. Reading it from original and from the secured server gives little 
> more verify that they really are giving same answers.

Yes, but as I observed, we're never truly certain; there's always a pathological case where a client can be convinced of the server being right when it is in fact wrong.  Asking both sides only adds to the complexity of the solution.

> | GET http://www.example.com/.well-known/http-opportunistic HTTP/1.1
> | Host: www.example.com

Yes, thanks for pointing that out.  Fixed.

Received on Monday, 31 October 2016 20:00:55 UTC