- From: Willy Tarreau <w@1wt.eu>
- Date: Tue, 25 Jul 2017 14:36:17 +0200
- To: Benjamin Kaduk <bkaduk@akamai.com>
- Cc: Kazuho Oku <kazuhooku@gmail.com>, Martin Thomson <martin.thomson@gmail.com>, Subodh Iyengar <subodh@fb.com>, Ilari Liusvaara <ilariliusvaara@welho.com>, Mike Bishop <Michael.Bishop@microsoft.com>, HTTP Working Group <ietf-http-wg@w3.org>
On Tue, Jul 25, 2017 at 07:27:02AM -0500, Benjamin Kaduk wrote:
> This part I do not agree with, in particular the intermediary making the
> decision to re-send the request without the early-data header. I
> believe that this decision must be left in the hands of the original
> client, and do not think the latency concern justifies deviating from that.

In fact the client has no idea about the request's semantics nor safety, only the application server does. The client may only approximate this based on the method, the presence or not of a query string, etc... anything that anyone else in the chain has access to and that is suboptimal. That's why the 4NN generated by the server provides the best safety here: if there is a risk that the server experiences a replay, it means it has accepted the request carrying the Early-Data header, meaning it was replay-safe. Otherwise the server would only process the only one without Early-Data.

Willy
Received on Tuesday, 25 July 2017 12:36:54 UTC
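
The flow argued for in this message, modelled as an added example that is not part of the original mail or of any draft: the origin refuses early-data requests it does not consider replay-safe, and the intermediary resends them unmarked only once the handshake has completed. The class names, the per-route policy, the header value and the "4NN" placeholder status are assumptions made for illustration.

```python
# Added illustration: every name here is hypothetical, nothing is from a draft.
STATUS_4NN = "4NN"  # placeholder; the thread gives no final status code


class Origin:
    """Application server: the only hop that knows which requests are replay-safe."""

    def __init__(self, replay_safe):
        self.replay_safe = set(replay_safe)  # (method, path) pairs, assumed policy
        self.processed = []                  # requests that were actually executed

    def handle(self, method, path, headers):
        # A marked request may be a replay: run it only if a replay is harmless.
        if "Early-Data" in headers and (method, path) not in self.replay_safe:
            return STATUS_4NN
        self.processed.append((method, path))
        return 200


class Intermediary:
    """Terminates TLS and marks requests that arrived as 0-RTT early data."""

    def __init__(self, origin):
        self.origin = origin

    def forward(self, method, path, early, handshake_completes=True):
        headers = {"Early-Data": "1"} if early else {}  # header value assumed
        status = self.origin.handle(method, path, headers)
        if status == STATUS_4NN and early and handshake_completes:
            # Handshake finished, so the request is fresh: resend unmarked.
            status = self.origin.handle(method, path, {})
        # A replayed flight never completes the handshake, so no resend happens.
        return status


def demo():
    origin = Origin({("GET", "/logo.png")})
    proxy = Intermediary(origin)
    statuses = [
        proxy.forward("GET", "/logo.png", early=True),                # genuine
        proxy.forward("GET", "/logo.png", early=True, handshake_completes=False),
        proxy.forward("POST", "/transfer", early=True),               # genuine
        proxy.forward("POST", "/transfer", early=True, handshake_completes=False),
    ]
    return statuses, origin.processed


if __name__ == "__main__":
    print(demo())
```

In the constructed run the replayed GET is executed twice, which the origin has declared harmless, while the POST is executed exactly once, through the unmarked resend.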