- From: Ilari Liusvaara <ilariliusvaara@welho.com>
- Date: Thu, 30 Nov 2017 20:19:17 +0200
- To: Mike Bishop <mbishop@evequefou.be>
- Cc: Lucas Pardue <Lucas.Pardue@bbc.co.uk>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>, Patrick McManus <mcmanus@ducksong.com>

On Thu, Nov 30, 2017 at 05:56:58PM +0000, Mike Bishop wrote:
> I was already planning to spin up a thread on that draft today, so
> thanks for deciding what I'm doing next today! 😉 Forking a
> separate thread.
>
>
> WG, https://tools.ietf.org/html/draft-bishop-httpbis-sni-altsvc-00
> proposes a new parameter for Alt-Svc suggesting that a client use a
> different (presumably generic) hostname in the TLS SNI extension, and
> instead gain Alt-Svc "reasonable assurances" by requesting the
> origin's certificate via Secondary Certificates (which is currently
> under Call for Adoption). It gives a solution, albeit HTTP-specific,
> to SNI privacy by providing a discoverability path for which generic
> hostname can be used to reach a more sensitive origin under
> encryption.

There's also the case where the primary connection certificate is also
valid for the authority (and the primary certificate was validated).
Should the secondary certificate request be suppressed in that case?

E.g. the alt-svc has a wildcard certificate and it wants to hide the
subdomain from snoopers.

-Ilari

Received on Thursday, 30 November 2017 18:19:56 UTC