Re: Op-sec simplification

On 1 November 2016 at 16:25, Kari Hurtta wrote:
> That may be a good idea. (This spec requires scheme and the http/1.1 spec does not
> allow scheme to be used.)

I have tried to capture this information in a PR:

> |   | TBD1  | Scheme Not Allowed            | Section 2.2 |

We can probably avoid doing that on the basis that we have 421.

> |   | TBD2  | Scheme Required               | Section 2.1 |

The case for this seems weak.  You have to have a resource that is
only available on the cleartext version of the site, and you have to
use opp-sec, and the client has to be very silly.  I would prefer to
use 404 here.  That is, assume that the client asked for a secure
resource ( which doesn't exist; rather
than asking for the unsecured resource (
which might.

Received on Tuesday, 1 November 2016 05:55:02 UTC