I sent yesterday comment about draft-ietf-httpbis-alt-svc-12.txt to ietf-http-wg@xxxxxx and authors. Just before annoucement. Seems that this is now correct place. So I resend it. This is combination of two messages. =============================================================== https://tools.ietf.org/html/draft-ietf-httpbis-alt-svc-12#section-2.1 | 2.1. Host Authentication | | | Clients MUST have reasonable assurances that the alternative service | is under control of and valid for the whole origin. I have impression that on absence of other protocol, this is mean to forbid use plain HTTP/2 (ie "h2c"), because there is no "reasonable assurance". But is reader understanding that? There is examples which use "h2c". This does not give that | However, if "other.example.com" is | offered with the "h2c" protocol, the client cannot use it, because | there is no mechanism in that protocol to establish the relationship | between the origin and the alternative. Reader may think that there is "reasonable assurance" when hostname is same. There is https://tools.ietf.org/html/draft-ietf-httpbis-alt-svc-12#section-9.1 | 9.1. Changing Ports | | | Using an alternative service implies accessing an origin's resources | on an alternative port, at a minimum. An attacker that can inject | alternative services and listen at the advertised port is therefore | able to hijack an origin. On certain servers, it is normal for users | to be able to control some personal pages available on a shared port, | and also to accept to requests on less-privileged ports. But that part is confusing: | This risk is mitigated by the requirements in Section 2.1. When requirement is "reasonable assurance" I think that reader is confused. "h2c" examples are https://tools.ietf.org/html/draft-ietf-httpbis-alt-svc-12#section-3 | The Alt-Svc field value can have multiple values: | | Alt-Svc: h2c=":8000", h2=":443" https://tools.ietf.org/html/draft-ietf-httpbis-alt-svc-12#section-3.1 | HTTP/1.1 200 OK | Content-Type: text/html | Cache-Control: max-age=600 | Age: 30 | Alt-Svc: h2c=":8000"; ma=60 So my question is: Can reader understand this without reading https://lists.w3.org/Archives/Public/ietf-http-wg/ ? ( Or without reading that other protocol RFC which gives reasonable assurance. ) ( another post: ) ================================================= One possible suggestion: https://tools.ietf.org/html/draft-ietf-httpbis-alt-svc-12#section-2.1 | However, if "other.example.com" is | offered with the "h2c" protocol, the client cannot use it, because | there is no mechanism in that protocol to establish the relationship | between the origin and the alternative. => | However, if "other.example.com" | (or "www.example.com" on another port) is offered with the "h2c" protocol, | the client cannot use it, because there is no mechanism in that protocol | to establish the relationship between the origin and the alternative. I think that this addition gives enough hint about that. And probably drop "h2c" examples or add note (to near of examples): | "h2c" protocol on example assumes that "reasonable assurance" (Section 2.1) | is established elsewhere. Or something like that. / Kari Hurtta