Re: SETTINGS_MIXED_SCHEME_PERMITTED | Re: I-D Action: draft-ietf-httpbis-http2-encryption-07.txt

Stefan Eissing <stefan.eissing@greenbytes.de> Fri, 07 October 2016 07:28 UTC

From: Stefan Eissing <stefan.eissing@greenbytes.de>
To: Mike Bishop <Michael.Bishop@microsoft.com>
Cc: Martin Thomson <martin.thomson@gmail.com>, Kari Hurtta <hurtta-ietf@elmme-mailer.org>, McManus Patrick <mcmanus@ducksong.com>, HTTP working group mailing list <ietf-http-wg@w3.org>
Date: Fri, 07 Oct 2016 09:24:26 +0200
Subject: Re: SETTINGS_MIXED_SCHEME_PERMITTED | Re: I-D Action: draft-ietf-httpbis-http2-encryption-07.txt
In-Reply-To: <BN6PR03MB27081C5CF95FB443BB4C155B87C70@BN6PR03MB2708.namprd03.prod.outlook.com>
Message-Id: <01830E0E-37BD-4144-981E-99E82D7CDEE5@greenbytes.de>
Archived-At: <http://www.w3.org/mid/01830E0E-37BD-4144-981E-99E82D7CDEE5@greenbytes.de>

> On 06.10.2016 at 20:12, Mike Bishop <Michael.Bishop@microsoft.com> wrote:
> 
> """
> Before using a secure alternative for an http:// origin, a client MUST first request /.well-known/http-opportunistic at that origin.  If this resource exists and a not-stale 2xx response is obtained, then requests for the origin MAY be directed toward the secure alternative.
> The contents of this resource do not matter.  If multiple http:// origins are coalesced onto the same connection to a secure alternative, a client MUST obtain an http-opportunistic resource from each origin separately.
> """

+1

I like this because it avoids the hop-by-hop problem of a SETTING where it is the origin server's responsibility to get it right. And, as Martin noted, Alt-Svc headers are a possible angle of attack if clients have no other means to verify the server capability.

-Stefan
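The client-side gate the quoted draft text describes, as an added example that is not part of the thread or of any implementation: a 2xx, not-stale response to /.well-known/http-opportunistic is recorded per http:// origin, and coalesced origins do not inherit each other's result. The Response type, the OpportunisticPolicy class and the freshness rule (Cache-Control max-age minus Age and elapsed time, no heuristic freshness) are my assumptions.

```python
"""Per-origin gate for using a secure alternative to an http:// origin."""
from dataclasses import dataclass
import re
import time

WELL_KNOWN = "/.well-known/http-opportunistic"


@dataclass
class Response:
    status: int
    headers: dict        # lower-case header names -> values (constructed in tests)
    received_at: float   # unix time at which the client received the response


def freshness_lifetime(headers):
    """Seconds the response may be reused, from Cache-Control max-age.

    Assumption: no heuristic freshness, so a response without max-age is
    treated as stale as soon as it is received.
    """
    m = re.search(r"max-age=(\d+)", headers.get("cache-control", ""))
    return int(m.group(1)) if m else 0


def is_stale(resp, now):
    """RFC 7234-style check: Age reported upstream plus time held locally."""
    age = int(resp.headers.get("age", "0"))
    return (now - resp.received_at) + age >= freshness_lifetime(resp.headers)


class OpportunisticPolicy:
    """Tracks which origins have a usable http-opportunistic response."""

    def __init__(self):
        self._verified = {}   # origin -> Response; one entry per origin, never shared

    def record(self, origin, path, resp):
        # Only the well-known resource at that exact origin counts, and only
        # a 2xx; the body is ignored because its contents do not matter.
        if path == WELL_KNOWN and 200 <= resp.status < 300:
            self._verified[origin] = resp

    def may_use_alternative(self, origin, now=None):
        """True only if this origin itself produced a fresh 2xx for WELL_KNOWN."""
        now = time.time() if now is None else now
        resp = self._verified.get(origin)
        return resp is not None and not is_stale(resp, now)
```

A client would call record() on every response to the well-known path and consult may_use_alternative() before sending a request for that origin over the secure alternative, re-fetching the resource once it has gone stale.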