Looking for clarification on reasonable assurance section of RFC 7838

Hello HTTP working group team,

I was going through  the "HTTP Alternate Services" RFC 7838 
https://www.rfc-editor.org/rfc/rfc7838. Section 2.1 specifies the 
expectations for host authentication and how clients can establish 
reasonable assurance that the advertised alternate service should be 
used. Very specifically, the RFC states:

"Clients MUST have reasonable assurances that the alternative service is 
under control of and valid for the whole origin.

For the purposes of this document, "reasonable assurances" can be 
established through use of a TLS-based protocol with the certificate 
checks defined in [RFC2818]. Clients MAY impose additional criteria for 
establishing reasonable assurances.

For example, if the origin's host is "www.example.com" and an 
alternative is offered on "other.example.com" with the "h2" protocol, 
and the certificate offered is valid for "www.example.com", the client 
can use the alternative."

Here, the RFC expects that the certificate offered by the origin (in 
this case "www.example.com") is valid for the origin (www.example.com). 

Or is the RFC expecting that the certificate offered by the alternative 
service (at "other.example.com") is (also) valid for the origin 
(www.example.com), perhaps through the use of "Subject Alternative Name" 
in the certificate offered by "other.example.com"?


Received on Monday, 13 February 2023 13:34:23 UTC