From 54647b3d2780563ac69a1a558e46a207f685950c Mon Sep 17 00:00:00 2001 From: Martin Thomson Date: Tue, 3 Jan 2017 09:39:57 +1100 Subject: [PATCH] When you revalidate, make sure that you aren't revalidating unauthenticated gunk --- draft-ietf-httpbis-http2-encryption.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/draft-ietf-httpbis-http2-encryption.md b/draft-ietf-httpbis-http2-encryption.md index a22874eb55..3ee4be2bbb 100644 --- a/draft-ietf-httpbis-http2-encryption.md +++ b/draft-ietf-httpbis-http2-encryption.md @@ -201,6 +201,11 @@ Any strongly authenticated alternative service can provide this response. That the http-opportunistic response is valid, any authenticated alternative service can be used for that origin. +Clients that use cached http-opportunistic responses MUST ensure that their cache is cleared of +any responses that were acquired over an unauthenticated connection. Revalidating an +unauthenticated response using an authenticated connection does not ensure the integrity of the +response. + # IANA Considerations
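Review bot: the new requirement leaves the scope of "cleared of any responses" ambiguous in the added paragraph: it is not clear whether it covers every cached response for the origin or only the cached http-opportunistic response itself, nor when the clearing has to happen (before the origin is first treated as opportunistically secured, or on every use of the cached response). Suggest stating it explicitly, for example "Before using an alternative service for an origin, clients MUST ensure that no response for that origin that was acquired over an unauthenticated connection remains in their cache." The second sentence carries the security rationale and would be clearer if it said why revalidation is insufficient: a conditional request that returns 304 only confirms that the validator matches, and the stored body may already have been altered by an on-path attacker when it arrived over cleartext, so an authenticated 304 does not authenticate the stored content. Consider also that the preceding context line "That the http-opportunistic response is valid, any authenticated alternative service can be used for that origin" reads as if a word is missing ("Provided that" or "Given that"); it is outside this change, but a follow-up editorial fix would help the paragraph flow into the new text.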