Re: Eric Rescorla's No Objection on draft-ietf-httpbis-origin-frame-04: (with COMMENT)

On Wed, Jan 10, 2018 at 2:48 PM, Mark Nottingham <mnot@mnot.net> wrote:

>
>
> > On 10 Jan 2018, at 2:20 pm, Eric Rescorla <ekr@rtfm.com> wrote:
> >
> >
> >
> > On Tue, Jan 9, 2018 at 6:51 PM, Mark Nottingham <mnot@mnot.net> wrote:
> > Hi EKR,
> >
> >
> > On 7 Jan 2018, at 1:11 pm, Eric Rescorla <ekr@rtfm.com> wrote:
> > >   The ORIGIN HTTP/2 frame ([RFC7540], Section 4) allows a server to
> > >   indicate what origin(s) [RFC6454] the server would like the client to
> > > The citation here is to the frame format. I think you could make this clearer
> > > and also point the user to that section for the conventions,
> >
> > Did this comment get truncated?
> >
> > No, it's just badly written. The point here is that the citation to 7540 section 4 isn't
> > to the ORIGIN frame but rather to the *format* of a frame. So, this text is confusing.
> > I would say
> >
> > This document defines a new HTTP/2 frame type ([RFC7540], Section 4) called
> > ORIGIN, which...
>
> Done.
>
> [...]
>
> > >   Note that for a connection to be considered authoritative for a given
> > >   origin, the client is still required to obtain a certificate that
> > >   passes suitable checks; see [RFC7540] Section 9.1.1 for more
> > > "Obtain" seems confusing here. Perhaps "the server is still required to
> > > authenticate using"
> >
> > Could you please provide complete text? This section has been agonised over a fair amount.
> >
> > I would say:
> >
> > " A connection MUST NOT be considered authoritative for a given origin unless the
> > server has authenticated to the client using a certificate that would have been acceptable
> > for that origin; see ...."
>
> That makes it a requirement, which repeats one already in 7540. We try to
> avoid repeating requirements of other specs, since any deviation in wording
> or context can cause conflicting interpretations.
>

Well, then I'm not quite sure what you're looking for here.

-Ekr


>
>
> --
> Mark Nottingham   https://www.mnot.net/
>
>

Received on Wednesday, 10 January 2018 22:57:51 UTC