Re: Eric Rescorla's No Objection on draft-ietf-httpbis-origin-frame-04: (with COMMENT)

> On 10 Jan 2018, at 2:20 pm, Eric Rescorla <ekr@rtfm.com> wrote:
> 
> 
> 
> On Tue, Jan 9, 2018 at 6:51 PM, Mark Nottingham <mnot@mnot.net> wrote:
> Hi EKR,
> 
> 
> On 7 Jan 2018, at 1:11 pm, Eric Rescorla <ekr@rtfm.com> wrote:
> >   The ORIGIN HTTP/2 frame ([RFC7540], Section 4) allows a server to
> >   indicate what origin(s) [RFC6454] the server would like the client to
> > The citation here is to the frame format. I think you could make this clearer
> > and also point the user to that section for the conventions,
> 
> Did this comment get truncated?
> 
> No, it's just badly written. The point here is that the citation to 7540 section 4 isn't
> to the ORIGIN frame but rather to the *format* of a frame. So, this text is confusing.
> I would say
> 
> This document defines a new HTTP/2 frame type ([RFC7540], Section 4) called
> ORIGIN, which...

Done.

[...]

> >   Note that for a connection to be considered authoritative for a given
> >   origin, the client is still required to obtain a certificate that
> >   passes suitable checks; see [RFC7540] Section 9.1.1 for more
> > "Obtain" seems confusing here. Perhaps "the server is still required to
> > authenticate using"
> 
> Could you please provide complete text? This section has been agonised over a fair amount.
> 
> I would say:
> 
> "A connection MUST NOT be considered authoritative for a given origin unless the
> server has authenticated to the client using a certificate that would have been acceptable
> for that origin; see ...."

That makes it a requirement, which repeats one already in 7540. We try to avoid repeating requirements of other specs, since any deviation in wording or context can cause conflicting interpretations.


--
Mark Nottingham   https://www.mnot.net/

Received on Wednesday, 10 January 2018 22:48:38 UTC