> If a SPDY client implemented TLSA (and I'm not aware of any that do at
> the moment) then they would have to take that into account when making
> the pooling decision. It's not a fundamental issue.
> Again, the client, if it implements these features, would need to take
> them into account. It's clearly not a fundamental problem because
> Chrome implements public-key pinning and SPDY and does what you would
> expect—it doesn't pool across pin sets.
TLSA exists on Firefox through an extension.
https://www.dnssec-validator.cz/
And this is why I consider this is not of the responsability of SPDY to do
pooling decision.
A lot of thing *outside* the SPDY client can impact the pool decision.
And so, SPDY must not pool TLS connexion if it can’t be *fully aware* of the
context, witch is impossible, and so must not pooling at all.
If you do pooling the way it currently works, you will create a new
« systemd » TLS, managing all the world of TLS on a single basecode (key
pinning, TLS client certificat, TLSA, custom OCSP responder), instead of doing
only a single simple thing (accelerate HTTP request)…
--
Aeris
Protégez votre vie privée, chiffrez vos communications