Re: Op-sec simplification

Martin Thomson <>: (Tue Nov  1 07:54:29 2016)
> > |   | TBD2  | Scheme Required               | Section 2.1 |
> The case for this seems weak.  You have to have a resource that is
> only available on the cleartext version of the site, and you have to
> use opp-sec, and the client has to be very silly.  I would prefer to
> use 404 here.  That is, assume that the client asked for a secure
> resource ( which doesn't exist; rather
> than asking for the unsecured resource (
> which might.

TBD2 Scheme Required   

may happen when listener is for op-sec only -- it expects only
http requests over TLS and listener does not serve https requests.

Scheme is required then because it is what is
required for op-sec. 

Or that is 421 (Misdirected Request) also (as you suggested for
TBD1 Scheme Not Allowed).

/ Kari Hurtta

Received on Tuesday, 1 November 2016 17:36:16 UTC