Re: Eric Rescorla's No Objection on draft-ietf-httpbis-origin-frame-04: (with COMMENT)

I am looking for text which is technically accurate. The current text is
not, for any sense of "obtain". What is required here is that the server
authenticate to the client with a private key that corresponds to a
certificate which passes the suitable tests. That's entirely different from
"obtain".

-Ekr


On Thu, Jan 11, 2018 at 2:28 PM, Mark Nottingham <mnot@mnot.net> wrote:

>
>
> > On 11 Jan 2018, at 9:56 am, Eric Rescorla <ekr@rtfm.com> wrote:
> >
> > > >   Note that for a connection to be considered authoritative for a given
> > > >   origin, the client is still required to obtain a certificate that
> > > >   passes suitable checks; see [RFC7540] Section 9.1.1 for more
> > > > "Obtain" seems confusing here. Perhaps "the server is still required to
> > > > authenticate using"
> > >
> > > Could you please provide complete text? This section has been agonised
> > > over a fair amount.
> > >
> > > I would say:
> > >
> > > "A connection MUST NOT be considered authoritative for a given origin
> > > unless the server has authenticated to the client using a certificate
> > > that would have been acceptable for that origin; see ...."
> >
> > That makes it a requirement, which repeats one already in 7540. We try to
> > avoid repeating requirements of other specs, since any deviation in
> > wording or context can cause conflicting interpretations.
> >
> > Well, then I'm not quite sure what you're looking for here.
>
> *scratches head*
>
> I'm happy to ship the doc as-is; what are you looking for?
>
>
>
> --
> Mark Nottingham   https://www.mnot.net/
>
>

Received on Thursday, 11 January 2018 22:39:29 UTC