- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Tue, 3 Jan 2017 10:26:26 +1100
- To: Kari Hurtta <hurtta-ietf@elmme-mailer.org>
- Cc: HTTP working group mailing list <ietf-http-wg@w3.org>
(Sorry about the delay, it's silly season here and I've been offline.) On 23 December 2016 at 18:58, Kari Hurtta <hurtta-ietf@elmme-mailer.org> wrote: > Hmm. I need rephrase. Sorry for duplicate mail. > > Question is that well-known URI need to requested from all putative > alternatives or not?. Yes, you can not request that from clear text > connection now. Ahh, so you check alt1.example.com and find that it's OK, what about alt2.example.com? It seems unnecessary once you have authenticated a willingness to proceed. How about: """ Any authenticated strongly alternative service can provide this response. That is, as long as the http-opportunistic response is valid, any authenticated alternative service can be used for that origin. """ I understand that you might argue that there is safety in checking every alternative differently. That allows all alternatives to be configured differently. I expect that some implementations will likely check every time rather than rely on cached values. More so because - if you rely on your cache - you need special logic to avoid caching this resource from non-authenticated sources if you do that. But that's optimization territory and optimization is hazardous. To that end: """ Clients that use cached http-opportunistic responses MUST ensure that their cache is cleared of any responses that were acquired over an unauthenticated connection. Revalidating an unauthenticated response using an authenticated connection does not ensure the integrity of the response. """ See: https://github.com/httpwg/http-extensions/pull/279 I am open to arguments that require that the check is performed every time, but that's less flexible. This seems preferable.
Received on Monday, 2 January 2017 23:26:59 UTC