Re: Alt-Svc and HSTS
Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com> Mon, 30 March 2015 06:58 UTC
Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7F5E31A90E3 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Sun, 29 Mar 2015 23:58:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.011
X-Spam-Level:
X-Spam-Status: No, score=-7.011 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2TFrIYdi6Z3n for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Sun, 29 Mar 2015 23:58:09 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9D7FA1A8ADD for <httpbisa-archive-bis2Juki@lists.ietf.org>; Sun, 29 Mar 2015 23:58:09 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.80) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1YcTaY-0004uH-4T for ietf-http-wg-dist@listhub.w3.org; Mon, 30 Mar 2015 06:54:22 +0000
Resent-Date: Mon, 30 Mar 2015 06:54:22 +0000
Resent-Message-Id: <E1YcTaY-0004uH-4T@frink.w3.org>
Received: from maggie.w3.org ([128.30.52.39]) by frink.w3.org with esmtp (Exim 4.80) (envelope-from <tatsuhiro.t@gmail.com>) id 1YcTaL-0004t4-CQ for ietf-http-wg@listhub.w3.org; Mon, 30 Mar 2015 06:54:09 +0000
Received: from mail-oi0-f50.google.com ([209.85.218.50]) by maggie.w3.org with esmtps (TLS1.0:RSA_ARCFOUR_SHA1:16) (Exim 4.72) (envelope-from <tatsuhiro.t@gmail.com>) id 1YcTaJ-0004XN-QU for ietf-http-wg@w3.org; Mon, 30 Mar 2015 06:54:09 +0000
Received: by oicf142 with SMTP id f142so110774799oic.3 for <ietf-http-wg@w3.org>; Sun, 29 Mar 2015 23:53:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=A+0FQIgCvuXfebbeC0ESM5uSTQk4zVCSvTkoSoQD8dc=; b=k8aXAG+iTtFUQmwhfEHkIymPBGaOqI+Zz9N0KST1/QkZaYxjaKDjd7AD5WOv9/XsCj vpkZz/2j3Z6BW/MxWENBsMqADUSRdjnJywRQUTBrJgwcBoovPir1sNSKa5aJGUo7xR1w 6AmM35PhY/x9E2LcE3Rn5PYJc1dyIj0EveTHOFl3zFs4KyW4y0eYI0gDqAqSOqAHHLYm HOGclXx6P5SKWmElo99Yl858D3XI2N4JV9PUYCagJG+AO2os3UQKyX5AB2h9KG4LZYto mRIhNer2lFYUUu1NJSkirTfEMtMJ1PDGgUX2+N/4ZjlaNwQfN6V2BVb3SgryswWmJkOt IhGw==
X-Received: by 10.60.56.39 with SMTP id x7mr25572721oep.65.1427698421443; Sun, 29 Mar 2015 23:53:41 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.202.2.17 with HTTP; Sun, 29 Mar 2015 23:53:21 -0700 (PDT)
In-Reply-To: <CAOdDvNqexud-e_tJ+J91=aAfo2S-+zBRo1eDResVtSuMGZ_Jvw@mail.gmail.com>
References: <CAPyZ6=+cNAex1fM+1Zuf7pZkYg4Y_wKeH58pnA=HZG+W5U5L1A@mail.gmail.com> <CAPyZ6=J6BXw7HhQnN4V9E63T0SKnUZkGdCHxy_0JLR1t74=guw@mail.gmail.com> <CAPyZ6=KZFa-ApdLSLQ1299P0Qydi0EK97C12Y+XWMeOFVSikHQ@mail.gmail.com> <CAPyZ6=K1n9QT8WoszbHG4s0ZvUqxbD3QxkN_KWgG1Ce0Bkzufw@mail.gmail.com> <CAPyZ6=+smQVkn_4Urtj__1uiGRKn-x8Vs0JrnKW1DhM_ZCYH9Q@mail.gmail.com> <CAOdDvNqexud-e_tJ+J91=aAfo2S-+zBRo1eDResVtSuMGZ_Jvw@mail.gmail.com>
From: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
Date: Mon, 30 Mar 2015 15:53:21 +0900
Message-ID: <CAPyZ6=LKeCDHCpS5T4Vxe6u1GKBrdbLS_RkT3fhZsoOygdKAvw@mail.gmail.com>
To: Patrick McManus <mcmanus@ducksong.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Content-Type: multipart/alternative; boundary="001a11c252c841b10205127bf15f"
Received-SPF: pass client-ip=209.85.218.50; envelope-from=tatsuhiro.t@gmail.com; helo=mail-oi0-f50.google.com
X-W3C-Hub-Spam-Status: No, score=-4.5
X-W3C-Hub-Spam-Report: AWL=-1.725, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, W3C_AA=-1, W3C_WL=-1
X-W3C-Scan-Sig: maggie.w3.org 1YcTaJ-0004XN-QU 4a6570bb09b326cbda5bf5a60bc53d41
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Alt-Svc and HSTS
Archived-At: <http://www.w3.org/mid/CAPyZ6=LKeCDHCpS5T4Vxe6u1GKBrdbLS_RkT3fhZsoOygdKAvw@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/29065
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
Hi, On Mon, Mar 30, 2015 at 11:23 AM, Patrick McManus <mcmanus@ducksong.com> wrote: > so I would agree that hsts and OE wouldn't be expected to be on the same > host. HSTS is used to get an always-https:// semantic and OE is used when > you are accessing an http:// url. HSTS is better simply because https:// > is better. > > Normally any http:// access would get redirected manually on a site to > https:// if the HSTS directive wasn't stored on the client yet (and the > https response would populate the directive on the client).. future http:// > accesses have their origins automatically redirected inside the client to > https.. so there really isn't a role for OE there. > > However you might want to use Alt-Svc within https for load balancing or > shedding purposes. > > ​Thanks. Our web site provides http and https endpoints for testing purpose, so it would be better to remove HSTS from https in this particular case. Best regards, Tatsuhiro Tsujikawa > -P > > On Sun, Mar 29, 2015 at 8:57 PM, Tatsuhiro Tsujikawa < > tatsuhiro.t@gmail.com> wrote: > >> Hi, >> >> I enabled HSTS for https://nghttp2.org a while back. Few days ago, I >> enabled Alt-Svc at http://nghttp2.org with h2="nghttp2.org:443". OE >> works fine with Firefox Nightly and so far so good. >> Then I got a comment[1] from twitter that "if there is HSTS, all requests >> should be https to start with, so no Alt-Svc." >> The comment is understandable when considering the effect of HSTS, but >> should Alt-Svc really be avoided in this case? If HSTS is used, we >> probably should do automatic redirect to https from http, so this scenario >> is not a real use case. >> >> [1] https://mobile.twitter.com/ericlaw/statuses/582217188062298113 >> >> Best regards, >> Tatsuhiro Tsujikawa >> > >
- Alt-Svc and HSTS Tatsuhiro Tsujikawa
- Re: Alt-Svc and HSTS Patrick McManus
- Re: Alt-Svc and HSTS Tatsuhiro Tsujikawa