- From: Martin Thomson <mt@lowentropy.net>
- Date: Thu, 17 Jun 2021 14:40:17 +1000
- To: "Mark Nottingham" <mnot@mnot.net>, "Benjamin Kaduk" <kaduk@mit.edu>
- Cc: "The IESG" <iesg@ietf.org>, draft-ietf-httpbis-messaging@ietf.org, httpbis-chairs@ietf.org, ietf-http-wg@w3.org, "Tommy Pauly" <tpauly@apple.com>

On Thu, Jun 17, 2021, at 14:19, Mark Nottingham wrote:
> > on -semantics. However, I am not seeing any requirement on the server
> > to ensure that the response it generates is secured.

...

> I don't think that helps, at least in the case of HTTP/1.1. There, the
> server is responsible for setting the correct scheme for the target URI
> when a request is received; the security properties of the request and
> response follow from that. Effectively, it's not under attacker control.

That only establishes that it is not an attack, which might mean that the requirement is not strictly necessary. Adding a requirement might still be useful.

> However, I don't see any equivalent mechanism regarding :scheme in
> http/2 bis or http/3. Off the cuff, I tend to think that security
> considerations about this probably belong on both of those specs.

I disagree. This is a generic requirement: if the scheme is "https", the server needs to ensure that the response has appropriate integrity and confidentiality protections. I think that is all that Ben's question suggests we do.

Received on Thursday, 17 June 2021 04:41:10 UTC