Return-Path: X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7F5E31A90E3 for ; Sun, 29 Mar 2015 23:58:14 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -7.011 X-Spam-Level: X-Spam-Status: No, score=-7.011 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2TFrIYdi6Z3n for ; Sun, 29 Mar 2015 23:58:09 -0700 (PDT) Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9D7FA1A8ADD for ; Sun, 29 Mar 2015 23:58:09 -0700 (PDT) Received: from lists by frink.w3.org with local (Exim 4.80) (envelope-from ) id 1YcTaY-0004uH-4T for ietf-http-wg-dist@listhub.w3.org; Mon, 30 Mar 2015 06:54:22 +0000 Resent-Date: Mon, 30 Mar 2015 06:54:22 +0000 Resent-Message-Id: Received: from maggie.w3.org ([128.30.52.39]) by frink.w3.org with esmtp (Exim 4.80) (envelope-from ) id 1YcTaL-0004t4-CQ for ietf-http-wg@listhub.w3.org; Mon, 30 Mar 2015 06:54:09 +0000 Received: from mail-oi0-f50.google.com ([209.85.218.50]) by maggie.w3.org with esmtps (TLS1.0:RSA_ARCFOUR_SHA1:16) (Exim 4.72) (envelope-from ) id 1YcTaJ-0004XN-QU for ietf-http-wg@w3.org; Mon, 30 Mar 2015 06:54:09 +0000 Received: by oicf142 with SMTP id f142so110774799oic.3 for ; Sun, 29 Mar 2015 23:53:41 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=A+0FQIgCvuXfebbeC0ESM5uSTQk4zVCSvTkoSoQD8dc=; b=k8aXAG+iTtFUQmwhfEHkIymPBGaOqI+Zz9N0KST1/QkZaYxjaKDjd7AD5WOv9/XsCj vpkZz/2j3Z6BW/MxWENBsMqADUSRdjnJywRQUTBrJgwcBoovPir1sNSKa5aJGUo7xR1w 6AmM35PhY/x9E2LcE3Rn5PYJc1dyIj0EveTHOFl3zFs4KyW4y0eYI0gDqAqSOqAHHLYm HOGclXx6P5SKWmElo99Yl858D3XI2N4JV9PUYCagJG+AO2os3UQKyX5AB2h9KG4LZYto mRIhNer2lFYUUu1NJSkirTfEMtMJ1PDGgUX2+N/4ZjlaNwQfN6V2BVb3SgryswWmJkOt IhGw== X-Received: by 10.60.56.39 with SMTP id x7mr25572721oep.65.1427698421443; Sun, 29 Mar 2015 23:53:41 -0700 (PDT) MIME-Version: 1.0 Received: by 10.202.2.17 with HTTP; Sun, 29 Mar 2015 23:53:21 -0700 (PDT) In-Reply-To: References: From: Tatsuhiro Tsujikawa Date: Mon, 30 Mar 2015 15:53:21 +0900 Message-ID: To: Patrick McManus Cc: HTTP Working Group Content-Type: multipart/alternative; boundary=001a11c252c841b10205127bf15f Received-SPF: pass client-ip=209.85.218.50; envelope-from=tatsuhiro.t@gmail.com; helo=mail-oi0-f50.google.com X-W3C-Hub-Spam-Status: No, score=-4.5 X-W3C-Hub-Spam-Report: AWL=-1.725, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, W3C_AA=-1, W3C_WL=-1 X-W3C-Scan-Sig: maggie.w3.org 1YcTaJ-0004XN-QU 4a6570bb09b326cbda5bf5a60bc53d41 X-Original-To: ietf-http-wg@w3.org Subject: Re: Alt-Svc and HSTS Archived-At: Resent-From: ietf-http-wg@w3.org X-Mailing-List: archive/latest/29065 X-Loop: ietf-http-wg@w3.org Resent-Sender: ietf-http-wg-request@w3.org Precedence: list List-Id: List-Help: List-Post: List-Unsubscribe: --001a11c252c841b10205127bf15f Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Hi, On Mon, Mar 30, 2015 at 11:23 AM, Patrick McManus wrote: > so I would agree that hsts and OE wouldn't be expected to be on the same > host. HSTS is used to get an always-https:// semantic and OE is used when > you are accessing an http:// url. HSTS is better simply because https:// > is better. > > Normally any http:// access would get redirected manually on a site to > https:// if the HSTS directive wasn't stored on the client yet (and the > https response would populate the directive on the client).. future http:= // > accesses have their origins automatically redirected inside the client to > https.. so there really isn't a role for OE there. > > However you might want to use Alt-Svc within https for load balancing or > shedding purposes. > > =E2=80=8BThanks. Our web site provides http and https endpoints for testin= g purpose, so it would be better to remove HSTS from https in this particular case. Best regards, Tatsuhiro Tsujikawa > -P > > On Sun, Mar 29, 2015 at 8:57 PM, Tatsuhiro Tsujikawa < > tatsuhiro.t@gmail.com> wrote: > >> Hi, >> >> I enabled HSTS for https://nghttp2.org a while back. Few days ago, I >> enabled Alt-Svc at http://nghttp2.org with h2=3D"nghttp2.org:443". OE >> works fine with Firefox Nightly and so far so good. >> Then I got a comment[1] from twitter that "if there is HSTS, all request= s >> should be https to start with, so no Alt-Svc." >> The comment is understandable when considering the effect of HSTS, but >> should Alt-Svc really be avoided in this case? If HSTS is used, we >> probably should do automatic redirect to https from http, so this scenar= io >> is not a real use case. >> >> [1] https://mobile.twitter.com/ericlaw/statuses/582217188062298113 >> >> Best regards, >> Tatsuhiro Tsujikawa >> > > --001a11c252c841b10205127bf15f Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable
Hi,
On Mon, Mar 30, 2015 at 11:23 AM, Patrick McMan= us <mcmanus@ducksong.com> wrote:
so I would agree that hsts and OE wouldn= 9;t be expected to be on the same host. HSTS is used to get an always-https= :// semantic and OE is used when you are accessing an http:// url. HSTS is = better simply because https:// is better.

Normally any ht= tp:// access would get redirected manually on a site to https:// if the HST= S directive wasn't stored on the client yet (and the https response wou= ld populate the directive on the client).. future http:// accesses have the= ir origins automatically redirected inside the client to https.. so there r= eally isn't a role for OE there.

However you might wa= nt to use Alt-Svc within https for load balancing or shedding purposes.

<= /blockquote>

=E2=80=8BThanks.=C2=A0 O= ur web site provides http and https endpoints for testing purpose, so it wo= uld be better to remove HSTS from https in this particular case.

Best regards,
Tatsuhiro Tsujikawa

=C2=A0
-P

O= n Sun, Mar 29, 2015 at 8:57 PM, Tatsuhiro Tsujikawa <<= a href=3D"mailto:tatsuhiro.t@gmail.com" target=3D"_blank">tatsuhiro.t@gmail= .com> wrote:

Hi,

I enabled HSTS for https://nghttp2.org a while back.=C2=A0 Few days ago, I enable= d Alt-Svc at http://nghttp= 2.org with h2=3D"nghttp2.org:443". OE works fine with Firefox Nightly and so fa= r so good.
Then I got a comment[1] from twitter that "if there is HSTS, all reque= sts should be https to start with, so no Alt-Svc."
The comment is understandable when considering the effect of HSTS, but shou= ld Alt-Svc really be avoided in this case?=C2=A0 If HSTS is used, we probab= ly should do automatic redirect to https from http, so this scenario is not= a real use case.

[1] https://mobile.twitter.com/ericlaw/sta= tuses/582217188062298113

Best regards,
Tatsuhiro Tsujikawa



--001a11c252c841b10205127bf15f--