- From: Jeffrey Yasskin <jyasskin@google.com>
- Date: Mon, 29 Jan 2018 16:56:57 +0000
- To: HTTP Working Group <ietf-http-wg@w3.org>
- Message-ID: <CANh-dXk4yC-JZ_icbnrEn-Swmzp0E5G0Q2a9t85iebijwgcL6Q@mail.gmail.com>
I've updated my signed-exchanges draft that was previously discussed at https://lists.w3.org/Archives/Public/ietf-http-wg/2017OctDec/0396.html. A list of significant changes is at https://tools.ietf.org/id/draft-yasskin-http-origin-signed-responses-02.html#change-log . Please look at the sections titled "Open Questions" and propose some answers. :)

What kinds of changes and/or reviews do you want before adopting this as a WG draft, perhaps at IETF101?

The one negative comment I've gotten is from Ekr, who wants clients to make a TLS connection to the true origin (or, via the CERTIFICATE frame, to anyone who's been issued a fake certificate) to validate the exchange. To attempt to address this, the draft now insists that the signature's "validityUrl" be same-origin with the claimed request URI, and https://tools.ietf.org/id/draft-yasskin-http-origin-signed-responses-02.html#seccons-downgrades suggests that clients can fetch that URL more eagerly than just when the signature expires.

We have an implementation in progress in Chromium: https://groups.google.com/a/chromium.org/d/topic/blink-dev/n7cZXSTwBTY/discussion .

Thanks,
Jeffrey

Received on Monday, 29 January 2018 16:57:33 UTC