- From: Jaikiran Pai <jai.forums2013@gmail.com>
- Date: Mon, 13 Feb 2023 14:58:03 +0530
- To: ietf-http-wg@w3.org
Hello HTTP working group team,

I was going through the "HTTP Alternate Services" RFC 7838 https://www.rfc-editor.org/rfc/rfc7838. Section 2.1 specifies the expectations for host authentication and how clients can establish reasonable assurance that the advertised alternate service should be used. Very specifically, the RFC states:

"Clients MUST have reasonable assurances that the alternative service is under control of and valid for the whole origin. .... For the purposes of this document, "reasonable assurances" can be established through use of a TLS-based protocol with the certificate checks defined in [RFC2818]. Clients MAY impose additional criteria for establishing reasonable assurances. For example, if the origin's host is "www.example.com" and an alternative is offered on "other.example.com" with the "h2" protocol, and the certificate offered is valid for "www.example.com", the client can use the alternative."

Here, the RFC expects that the certificate offered by the origin (in this case "www.example.com") is valid for the origin (www.example.com). Right?

Or is the RFC expecting that the certificate offered by the alternative service (at "other.example.com") is (also) valid for the origin (www.example.com), perhaps through the use of "Subject Alternative Name" in the certificate offered by "other.example.com"?

-Jaikiran
Received on Monday, 13 February 2023 13:34:23 UTC
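The following is an added worked example, not part of the message above and not code from any RFC 7838 implementation. It shows the client-side check the quoted Section 2.1 text describes: parse an Alt-Svc field value, then decide whether the certificate presented on the connection to the alternative gives "reasonable assurance" by matching its dNSName SANs against the origin host (www.example.com), not against the alternative's own host. The hostname matcher follows the RFC 2818/6125 rules for a single left-most wildcard label; the function names, the AltService type and all SAN lists are constructed for illustration.

```python
"""Client-side RFC 7838 Section 2.1 assurance check (illustrative, hypothetical code).

The certificate the alternative presents is validated for the ORIGIN host.
A certificate that is valid only for the alternative's own host does not
give the client the assurance the RFC asks for.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AltService:
    protocol_id: str   # ALPN protocol id, e.g. "h2"
    host: str          # alternative host; defaults to the origin host when omitted
    port: int


def parse_alt_svc(header: str, origin_host: str) -> list[AltService]:
    """Parse an Alt-Svc field value (RFC 7838 Section 3 syntax, simplified).

    Only protocol-id="[host]:port" is extracted; parameters such as ma= and
    persist= are ignored. The special value "clear" yields an empty list.
    """
    header = header.strip()
    if header == "clear":
        return []
    services = []
    for value in header.split(","):
        alt = value.split(";", 1)[0].strip()      # drop ";ma=..." parameters
        if not alt:
            continue
        proto, _, authority = alt.partition("=")
        authority = authority.strip().strip('"')
        host, _, port = authority.rpartition(":")  # rpartition keeps "[v6]" hosts intact
        if not port.isdigit():
            raise ValueError(f"malformed alt-authority: {authority!r}")
        services.append(AltService(proto.strip(), host or origin_host, int(port)))
    return services


def dns_name_matches(pattern: str, host: str) -> bool:
    """RFC 2818 / RFC 6125 style dNSName match, case-insensitive.

    A wildcard is accepted only as the entire left-most label, it does not
    match across a dot, and (a common client policy) it must leave at least
    two literal labels, so "*.com" is rejected.
    """
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_valid_for(san_dns_names: list[str], host: str) -> bool:
    """True if any SAN dNSName in the certificate covers host."""
    return any(dns_name_matches(name, host) for name in san_dns_names)


def alt_is_usable(origin_host: str, alt: AltService, alt_cert_dns_names: list[str],
                  supported_protocols: tuple[str, ...] = ("h2",)) -> bool:
    """Decide whether the client may switch from the origin to the alternative.

    alt_cert_dns_names are the dNSName SANs of the certificate presented by
    the alternative (alt.host). They are checked against origin_host, so an
    alternative at other.example.com must present a certificate that is valid
    for www.example.com; being valid for other.example.com alone is not enough.
    """
    if alt.protocol_id not in supported_protocols:
        return False
    return cert_valid_for(alt_cert_dns_names, origin_host)


if __name__ == "__main__":
    # Constructed sample data: the origin advertises an alternative on another host.
    origin = "www.example.com"
    alts = parse_alt_svc('h2="other.example.com:443"; ma=2592000', origin)
    alt = alts[0]
    # Certificate presented by other.example.com, three hypothetical variants:
    only_alt_host = ["other.example.com"]
    covers_origin = ["other.example.com", "www.example.com"]
    wildcard = ["*.example.com"]
    for label, sans in [("alt host only", only_alt_host),
                        ("origin in SAN", covers_origin),
                        ("wildcard", wildcard)]:
        print(f"{label:14s} -> usable: {alt_is_usable(origin, alt, sans)}")
```

The decisive input is the SAN list of the certificate served on the connection to alt.host: with ["other.example.com"] the alternative is rejected, with ["other.example.com", "www.example.com"] or ["*.example.com"] it is accepted, because the match is made against the origin host throughout.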