Re: SETTINGS_MIXED_SCHEME_PERMITTED | Re: I-D Action: draft-ietf-httpbis-http2-encryption-07.txt

Martin Thomson <> Fri, 07 October 2016 00:43 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id BD5631294A9 for <>; Thu, 6 Oct 2016 17:43:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -10.017
X-Spam-Status: No, score=-10.017 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-2.996, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id JFdcFJesa59p for <>; Thu, 6 Oct 2016 17:43:31 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 58D8612947F for <>; Thu, 6 Oct 2016 17:43:31 -0700 (PDT)
Received: from lists by with local (Exim 4.80) (envelope-from <>) id 1bsJCD-00021T-D8 for; Fri, 07 Oct 2016 00:39:29 +0000
Resent-Date: Fri, 07 Oct 2016 00:39:29 +0000
Resent-Message-Id: <>
Received: from ([]) by with esmtps (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <>) id 1bsJC9-00020L-IN for; Fri, 07 Oct 2016 00:39:25 +0000
Received: from ([]) by with esmtps (TLS1.2:RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <>) id 1bsJC4-0001dj-Ns for; Fri, 07 Oct 2016 00:39:24 +0000
Received: by with SMTP id f6so15278748qtd.2 for <>; Thu, 06 Oct 2016 17:39:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=qlP7LPW1NuKcFM2VGH9KBr2iUPAFa0Cz6+15zGXHM+4=; b=FQWv+xyTviKpbykynQzfO8dBmvI9cfn7hbv0BamGBWeuY2ryQQKFuyKDuQawqn8grk oVlK2TNUzc9TuOnQl7jTabPNKZIJ0RlEj4dtnj08MYtMcs8Nj9ThZDEDmVTQoiIOMkKn g5gXkCqlSPfVuZuG/hhZWSmjW6CxmyoojwNPOAOQiRLNuJgYGO4QNpH+5Z9IisxWQulC 5gF2NBCyrlqHYh35x7CzuRGLdDuRiSNXSnKcXd3wEyWPHmOGxdev36lUAh7ElyEHPDgR xjVp+rCYB6KXSZVSh+EDeWC31PLxLAfU6Aqy5Jbb33FdSFBi7CSCAmuUFPct1McRFaJZ 01PQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=qlP7LPW1NuKcFM2VGH9KBr2iUPAFa0Cz6+15zGXHM+4=; b=YnjvuKoitNzXbv2GejgTL8Fo6SUAM1cmFBcPybCC007t28jWqm1cWl7CNbAB7f4hJH E0ommgv2BnvQb0RTc4K4ifOFSvvw6AuVKrXlL0Bx05/QXVX3elqnKTiUfURQwF8luOvU 2lMbxTEwdrHkMqztDNJBhUaoEkxSFy0DidXSpFzlEi1LDFVu1iRy+yE82MAqwkSPl05c ZtjnRucHJ5lHyZcQmSUcj56kk7j7Pt3GP/hIAzat8Oj3dpmtoqU03wE5GmT0u7YuVkAF Z6QqT55MxiSDelW1z4kfXbN0TXL5cyGRlca2xVPT7oOCUsw1OgiiDomQd8bPGoFGEt45 u2nQ==
X-Gm-Message-State: AA6/9Rk51qAkYfE1WUneCBNIClDu3D84cbrba/jnuz89v5KKpCJ9y8HrE/hP77Ih5FdXdvcApHO87gPPtIMACg==
X-Received: by with SMTP id a16mr16328658qtc.126.1475800734354; Thu, 06 Oct 2016 17:38:54 -0700 (PDT)
MIME-Version: 1.0
Received: by with HTTP; Thu, 6 Oct 2016 17:38:53 -0700 (PDT)
In-Reply-To: <>
References: <> <> <> <> <> <> <> <> <> <> <>
From: Martin Thomson <>
Date: Fri, 07 Oct 2016 11:38:53 +1100
Message-ID: <>
To: Mike Bishop <>
Cc: Kari Hurtta <>, Patrick McManus <>, HTTP working group mailing list <>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Received-SPF: pass client-ip=;;
X-W3C-Hub-Spam-Status: No, score=-6.4
X-W3C-Hub-Spam-Report: AWL=0.332, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, W3C_AA=-1, W3C_DB=-1, W3C_IRA=-1, W3C_WL=-1
X-W3C-Scan-Sig: 1bsJC4-0001dj-Ns c3c512f12e819c5dc847dc5e8b8c22d7
Subject: Re: SETTINGS_MIXED_SCHEME_PERMITTED | Re: I-D Action: draft-ietf-httpbis-http2-encryption-07.txt
Archived-At: <>
X-Mailing-List: <> archive/latest/32508
Precedence: list
List-Id: <>
List-Help: <>
List-Post: <>
List-Unsubscribe: <>

On 7 October 2016 at 05:12, Mike Bishop <> wrote:
> Okay, so we are basically trying to backfill a possible administrative mistake by verifying that the server processes scheme as part of origin.  So an administrator MUST BUT WE KNOW YOU WON'T only put this resource in place if their server is properly configured to handle a scheme inconsistent with the port.  After they already have to opt in by sending the Alt-Svc header on the origin in the first place.  I'm lacking confidence that this check actually assures anything except that the administrator wants it to work, and we already know that from the Alt-Svc header.

There's one very important difference: the .well-known response is
authenticated.  An attacker can forge an Alt-Svc header.

And in any case, if the administrator lies, they are at least taking
responsibility for the error, that's important too.

The MUST NOT exist for the https:// variant is a neat trick, and it
would increase confidence, but I don't think that it proves anything
other than the fact that THAT specific resource is handled correctly
(as you know, much of this can hinge not on the generic code in the
server, but on code specific to a resource).