Align opp-sec and alt-svc #33
After a re-read of alt-svc and opp-sec, it may make sense to have some better alignment between the two docs around the cases where authentication is not employed. In particular, alt-svc indicates:
Replacing "is in use" with "is used to authenticate" would align that text better with opp-sec.
On the opp-sec side:
is very unclear for a server implementer (as well as clients). If authentication doesn't succeed, should the client fail-back to clear-text (the origin) or hard fail?
One possibility (which may start getting outside of the editorial realm) is for an Alt-Svc parameter indicating that authentication will not be present (either via an unauthenticated cipher suite or a mismatching cert). This would allow clients to choose to ignore the Alt-Svc rather than following it and erroring or needing to fall back. For example:
Yeah, I think that this did cross that line. The first suggestion is fine, and we probably need to identify what is actually used to authenticate the server identity (which is not TLS :).
The second suggestion I'd like to respond to, but won't go into detail here because the list is more appropriate (and I'm very tired right now). We have discussed this sort of signal before. Mark's original draft proposed a very similar feature in a different form.
I looked at https://github.com/httpwg/wg-materials/blob/gh-pages/ietf91/minutes.md#alt-svc; not sure what the concrete proposal here is. Just apply the first part of Eric's proposed change?