Re: New Version Notification for draft-nottingham-http2-encryption-03.txt
Paul Hoffman <paul.hoffman@gmail.com> Tue, 20 May 2014 15:29 UTC
In-Reply-To: <5905C797-A8E2-417B-94AB-589C174382BA@mnot.net>
References: <20140520034054.10225.92036.idtracker@ietfa.amsl.com> <5905C797-A8E2-417B-94AB-589C174382BA@mnot.net>
Date: Tue, 20 May 2014 08:26:49 -0700
Message-ID: <CAPik8yb2P5RoGMLB=OtcbnpgZd-if9FpEp0HcLQcyVMtie4Yig@mail.gmail.com>
From: Paul Hoffman <paul.hoffman@gmail.com>
To: Mark Nottingham <mnot@mnot.net>
Cc: HTTP Working Group <ietf-http-wg@w3.org>, Martin Thomson <martin.thomson@gmail.com>
Archived-At: <http://www.w3.org/mid/CAPik8yb2P5RoGMLB=OtcbnpgZd-if9FpEp0HcLQcyVMtie4Yig@mail.gmail.com>
The new material on what might be called "alternate service pinning" has the advantages and faults of any of the security pinning protocols that the IETF makes. Please note how tortured the key pinning discussion in the websec WG has become; there is no reason why alternate service pinning will be any easier. This isn't to say that you shouldn't do it, just that you should expect it to be a protracted and sometimes circular discussion full of "but what if; so the protocol now has to".

Separately, the text in Section 4 concerns me because it seems easy to mis-implement. That is, the API flag that says "this connection is/isn't running under authenticated TLS" becomes critical; it is even more important than the API flag for "this connection is/isn't running under TLS". Please consider calling this out more strongly in Section 4, and add it to the Security Considerations. Encourage developers to have a unit test for "start a connection with unauthenticated TLS and then try to request an https: resource and make sure that fails".

--Paul Hoffman
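The check and the unit test described in the message above, as an added example that is not part of the original post or of the draft. The `Connection` model with its two flags (`tls` and `authenticated`), the policy functions, and the hostnames are constructed for illustration; a real client would derive the flags from its TLS handshake result. The example places the mis-implementation that consults only the "is TLS" flag next to the correct one that requires authenticated TLS for the URL's host, and shows that the suggested test distinguishes them:

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Connection:
    """Constructed model of an HTTP client connection (not any real library's type)."""
    host: str            # origin host the connection was opened for
    tls: bool            # the "is/isn't running under TLS" flag
    authenticated: bool  # the "is/isn't running under authenticated TLS" flag

    def __post_init__(self):
        # An authenticated connection is necessarily a TLS connection.
        if self.authenticated and not self.tls:
            raise ValueError("a connection cannot be authenticated without TLS")


class InsecureOriginError(Exception):
    """Raised when a request must not be sent over the chosen connection."""


def may_carry_buggy(conn: Connection, url: str) -> bool:
    """The mis-implementation the message warns about: only the TLS flag is
    consulted, so an opportunistic (unauthenticated) TLS connection is
    accepted for https: URLs."""
    return urlsplit(url).scheme != "https" or conn.tls


def may_carry(conn: Connection, url: str) -> bool:
    """Correct check: https: requires TLS that authenticated this URL's host.
    http: may ride over anything, including opportunistically encrypted
    connections, because it never promised authentication."""
    parts = urlsplit(url)
    if parts.scheme == "https":
        return conn.tls and conn.authenticated and conn.host == parts.hostname
    if parts.scheme == "http":
        return True
    raise ValueError(f"unsupported scheme: {parts.scheme!r}")


def send(conn: Connection, url: str, policy=may_carry) -> str:
    """Dispatch a GET over `conn` if the policy permits it. Returns the request
    line that would be written to the connection (a constructed stand-in for
    real socket I/O)."""
    if not policy(conn, url):
        raise InsecureOriginError(f"refusing {url} over {conn}")
    parts = urlsplit(url)
    return f"GET {parts.path or '/'} HTTP/1.1\r\nHost: {parts.hostname}\r\n\r\n"


def https_over_unauthenticated_tls_fails(policy=may_carry) -> bool:
    """The unit test from the message: open a connection with unauthenticated
    TLS, request an https: resource, and confirm that the client refuses."""
    conn = Connection("example.com", tls=True, authenticated=False)
    try:
        send(conn, "https://example.com/account", policy)
    except InsecureOriginError:
        return True
    return False


if __name__ == "__main__":
    print("correct policy passes the test:", https_over_unauthenticated_tls_fails(may_carry))
    print("buggy policy passes the test:  ", https_over_unauthenticated_tls_fails(may_carry_buggy))
```

The host comparison in `may_carry` matters as much as the authentication flag: a connection authenticated for one host must not carry https: requests for another, which is the trap an alternate-service mechanism makes easy to fall into.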