- From: Mark Nottingham <mnot@mnot.net>
- Date: Fri, 12 Jan 2018 09:28:37 +1100
- To: Eric Rescorla <ekr@rtfm.com>
- Cc: The IESG <iesg@ietf.org>, draft-ietf-httpbis-origin-frame@ietf.org, Patrick McManus <mcmanus@ducksong.com>, HTTP Working Group <ietf-http-wg@w3.org>
> On 11 Jan 2018, at 9:56 am, Eric Rescorla <ekr@rtfm.com> wrote:
> > > > Note that for a connection to be considered authoritative for a given
> > > origin, the client is still required to obtain a certificate that
> > > passes suitable checks; see [RFC7540] Section 9.1.1 for more
> > > "Obtain" seems confusing here. Perhaps "the server is still required to
> > > authenticate using"
> > > > Could you please provide complete text? This section has been agonised over a fair amount.
> > > > I would say:
> > > > " A connection MUST NOT be considered authoritative for a given origin unless the
> > server has authenticated to the client using a certificate that would have been acceptable
> > for that origin; see ...."
> > That makes it a requirement, which repeats one already in 7540. We try to avoid repeating requirements of other specs, since any deviation in wording or context can cause conflicting interpretations.
> > Well, then I'm not quite sure what you're looking for here.

*scratches head* I'm happy to ship the doc as-is; what are you looking for?

--
Mark Nottingham https://www.mnot.net/
Received on Thursday, 11 January 2018 22:29:04 UTC