draft-ietf-httpbis-http2-secondary-certs-00, 2.3. Requiring certificate authentication

2.3.  Requiring certificate authentication
https://tools.ietf.org/html/draft-ietf-httpbis-http2-secondary-certs-00#section-2.3


|
|
|   Client                                      Server
|      <----------------------- (stream 0) ORIGIN --
|      -- (stream 0) CERTIFICATE_REQUEST ---------->
|      ...
|      -- (stream N) CERTIFICATE_NEEDED ----------->
|      <------------------ (stream 0) CERTIFICATE --
|      <-------------- (stream N) USE_CERTIFICATE --
|      -- (stream N) GET /from-new-origin --------->
|      <----------------------- (stream N) 200 OK --
|
|
|                  Figure 5: Client-Requested Certificate


When is stream N opened?

If stream N's state is "idle" when "CERTIFICATE_NEEDED" and
"USE_CERTIFICATE" are sent/received, I think that this needs to be
allowed explicitly.

5.1.  Stream States
https://tools.ietf.org/html/rfc7540#section-5.1


|   idle:
|      All streams start in the "idle" state.
|
|      The following transitions are valid from this state:
|
|      *  Sending or receiving a HEADERS frame causes the stream to
|         become "open".  The stream identifier is selected as described
|         in Section 5.1.1.  The same HEADERS frame can also cause a
|         stream to immediately become "half-closed".
|
|      *  Sending a PUSH_PROMISE frame on another stream reserves the
|         idle stream that is identified for later use.  The stream state
|         for the reserved stream transitions to "reserved (local)".
|
|      *  Receiving a PUSH_PROMISE frame on another stream reserves an
|         idle stream that is identified for later use.  The stream state
|         for the reserved stream transitions to "reserved (remote)".
|
|      *  Note that the PUSH_PROMISE frame is not sent on the idle stream
|         but references the newly reserved stream in the Promised Stream
|         ID field.
|
|      Receiving any frame other than HEADERS or PRIORITY on a stream in
|      this state MUST be treated as a connection error (Section 5.4.1)
|      of type PROTOCOL_ERROR.

/ Kari Hurtta

Received on Saturday, 17 February 2018 18:20:02 UTC
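The question above is whether Figure 5 is even legal under the RFC 7540 stream rules it quotes. The following is an added example, not code from the draft, from RFC 7540, or from the message author: a minimal model of the "idle" stream rule in RFC 7540 section 5.1, run over two constructed exchanges. The first is Figure 5 as drawn (with the constructed value N = 1 standing in for "stream N"); the second is a constructed variant in which the client opens stream N with a HEADERS frame (assumed to be sent without END_STREAM, so the stream is "open" rather than "half-closed") before CERTIFICATE_NEEDED appears on it. The variant is only an illustration of what the rule requires, not what the draft specifies.

```python
from dataclasses import dataclass, field

PROTOCOL_ERROR = "PROTOCOL_ERROR"


@dataclass
class Endpoint:
    """Per-stream state for one HTTP/2 endpoint (RFC 7540 section 5.1 subset).

    Only the idle -> open transition on HEADERS is modelled, which is all the
    question in the post needs. Stream 0 is the connection stream and is
    never idle. This is an added example, not an implementation of the draft.
    """
    states: dict = field(default_factory=dict)

    def state(self, stream_id: int) -> str:
        if stream_id == 0:
            return "connection"
        return self.states.get(stream_id, "idle")

    def apply(self, stream_id: int, frame_type: str) -> str:
        """Apply one frame seen on stream_id. Returns the stream's state
        afterwards, or PROTOCOL_ERROR when section 5.1 forbids the frame."""
        if self.state(stream_id) == "idle":
            if frame_type == "HEADERS":
                # HEADERS without END_STREAM is assumed, so the stream opens
                self.states[stream_id] = "open"
            elif frame_type != "PRIORITY":
                # "Receiving any frame other than HEADERS or PRIORITY on a
                # stream in this state MUST be treated as a connection error
                # (Section 5.4.1) of type PROTOCOL_ERROR."
                return PROTOCOL_ERROR
        return self.state(stream_id)


def check_exchange(frames):
    """Run a constructed exchange through both endpoints.

    Each frame is (sender, stream_id, frame_type) with sender 'C' or 'S'.
    The receiving endpoint's state machine gives the verdict; the sender
    tracks the same transition so both sides agree on the stream state.
    Returns ('ok', None) or ('error', (stream_id, frame_type))."""
    client, server = Endpoint(), Endpoint()
    for sender, stream_id, frame_type in frames:
        receiver, origin = (server, client) if sender == "C" else (client, server)
        if receiver.apply(stream_id, frame_type) == PROTOCOL_ERROR:
            return ("error", (stream_id, frame_type))
        origin.apply(stream_id, frame_type)
    return ("ok", None)


N = 1  # constructed stream number standing in for "stream N" in Figure 5

# Figure 5 exactly as drawn: stream N is still idle when CERTIFICATE_NEEDED
# arrives at the server, so the section 5.1 rule rejects it.
FIGURE_5_AS_DRAWN = [
    ("S", 0, "ORIGIN"),
    ("C", 0, "CERTIFICATE_REQUEST"),
    ("C", N, "CERTIFICATE_NEEDED"),
    ("S", 0, "CERTIFICATE"),
    ("S", N, "USE_CERTIFICATE"),
    ("C", N, "HEADERS"),   # GET /from-new-origin
    ("S", N, "HEADERS"),   # 200 OK
]

# Constructed variant: the client opens stream N with HEADERS first, so the
# later CERTIFICATE_NEEDED / USE_CERTIFICATE frames land on an open stream.
FIGURE_5_STREAM_OPENED_FIRST = [
    ("S", 0, "ORIGIN"),
    ("C", 0, "CERTIFICATE_REQUEST"),
    ("C", N, "HEADERS"),
    ("C", N, "CERTIFICATE_NEEDED"),
    ("S", 0, "CERTIFICATE"),
    ("S", N, "USE_CERTIFICATE"),
    ("S", N, "HEADERS"),
]


if __name__ == "__main__":
    print("as drawn:", check_exchange(FIGURE_5_AS_DRAWN))
    print("opened first:", check_exchange(FIGURE_5_STREAM_OPENED_FIRST))
```

Running the block reports a PROTOCOL_ERROR on the first CERTIFICATE_NEEDED for the exchange as drawn and "ok" for the variant, which is the gap the message points at: either the draft must say that these frames may appear on an idle stream, or stream N must already have been opened by the time they are sent.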