issues.json

[
  {
    "url": "https://api.github.com/repos/http2/http2-spec/issues/506",
    "labels_url": "https://api.github.com/repos/http2/http2-spec/issues/506/labels{/name}",
    "comments_url": "https://api.github.com/repos/http2/http2-spec/issues/506/comments",
    "events_url": "https://api.github.com/repos/http2/http2-spec/issues/506/events",
    "html_url": "https://github.com/http2/http2-spec/issues/506",
    "id": 35140839,
    "number": 506,
    "title": "Consider making PRIORITY scheme an extension.",
    "user": {
      "login": "jpinner",
      "id": 850440,
      "avatar_url": "https://avatars.githubusercontent.com/u/850440?",
      "gravatar_id": "804ebb3c4f539f15f84b75383e016842",
      "url": "https://api.github.com/users/jpinner",
      "html_url": "https://github.com/jpinner",
      "followers_url": "https://api.github.com/users/jpinner/followers",
      "following_url": "https://api.github.com/users/jpinner/following{/other_user}",
      "gists_url": "https://api.github.com/users/jpinner/gists{/gist_id}",
      "starred_url": "https://api.github.com/users/jpinner/starred{/owner}{/repo}",
      "subscriptions_url": "https://api.github.com/users/jpinner/subscriptions",
      "organizations_url": "https://api.github.com/users/jpinner/orgs",
      "repos_url": "https://api.github.com/users/jpinner/repos",
      "events_url": "https://api.github.com/users/jpinner/events{/privacy}",
      "received_events_url": "https://api.github.com/users/jpinner/received_events",
      "type": "User",
      "site_admin": false
    },
    "labels": [
      {
        "url": "https://api.github.com/repos/http2/http2-spec/labels/design",
        "name": "design",
        "color": "02d7e1"
      },
      {
        "url": "https://api.github.com/repos/http2/http2-spec/labels/editor-ready",
        "name": "editor-ready",
        "color": "0b02e1"
      },
      {
        "url": "https://api.github.com/repos/http2/http2-spec/labels/prioritisation",
        "name": "prioritisation",
        "color": "fbca04"
      }
    ],
    "state": "open",
    "assignee": null,
    "milestone": null,
    "comments": 1,
    "created_at": "2014-06-06T12:20:32Z",
    "updated_at": "2014-06-06T14:39:36Z",
    "closed_at": null,
    "body": "It is advisory only, hop-by-hop, and there is little implementation experience."
  },
  {
    "url": "https://api.github.com/repos/http2/http2-spec/issues/498",
    "labels_url": "https://api.github.com/repos/http2/http2-spec/issues/498/labels{/name}",
    "comments_url": "https://api.github.com/repos/http2/http2-spec/issues/498/comments",
    "events_url": "https://api.github.com/repos/http2/http2-spec/issues/498/events",
    "html_url": "https://github.com/http2/http2-spec/issues/498",
    "id": 35087029,
    "number": 498,
    "title": "Mandatory implement key exchange/cipher suite",
    "user": {
      "login": "martinthomson",
      "id": 67641,
      "avatar_url": "https://avatars.githubusercontent.com/u/67641?",
      "gravatar_id": "3fa6569f8aa70b9a0a7df4ad7bebc0df",
      "url": "https://api.github.com/users/martinthomson",
      "html_url": "https://github.com/martinthomson",
      "followers_url": "https://api.github.com/users/martinthomson/followers",
      "following_url": "https://api.github.com/users/martinthomson/following{/other_user}",
      "gists_url": "https://api.github.com/users/martinthomson/gists{/gist_id}",
      "starred_url": "https://api.github.com/users/martinthomson/starred{/owner}{/repo}",
      "subscriptions_url": "https://api.github.com/users/martinthomson/subscriptions",
      "organizations_url": "https://api.github.com/users/martinthomson/orgs",
      "repos_url": "https://api.github.com/users/martinthomson/repos",
      "events_url": "https://api.github.com/users/martinthomson/events{/privacy}",
      "received_events_url": "https://api.github.com/users/martinthomson/received_events",
      "type": "User",
      "site_admin": false
    },
    "labels": [
      {
        "url": "https://api.github.com/repos/http2/http2-spec/labels/design",
        "name": "design",
        "color": "02d7e1"
      },
      {
        "url": "https://api.github.com/repos/http2/http2-spec/labels/security",
        "name": "security",
        "color": "fbca04"
      }
    ],
    "state": "open",
    "assignee": null,
    "milestone": null,
    "comments": 4,
    "created_at": "2014-06-05T19:05:01Z",
    "updated_at": "2014-06-06T18:17:23Z",
    "closed_at": null,
    "body": "It has been noted that there is an opportunity for interoperability failure with the rules we have regarding ephemeral key exchange.\r\n\r\ne.g., client has only DHE, server has only ECDHE, can't use HTTP/2\r\n\r\nDo we want to specify a mandatory to implement cipher suite so that we can avoid this?"
  },
  {
    "url": "https://api.github.com/repos/http2/http2-spec/issues/496",
    "labels_url": "https://api.github.com/repos/http2/http2-spec/issues/496/labels{/name}",
    "comments_url": "https://api.github.com/repos/http2/http2-spec/issues/496/comments",
    "events_url": "https://api.github.com/repos/http2/http2-spec/issues/496/events",
    "html_url": "https://github.com/http2/http2-spec/issues/496",
    "id": 35079537,
    "number": 496,
    "title": "Fallback to HTTP/1.1?",
    "user": {
      "login": "MikeBishop",
      "id": 4273797,
      "avatar_url": "https://avatars.githubusercontent.com/u/4273797?",
      "gravatar_id": "132a0b739eec3ff94613b13b4d27411d",
      "url": "https://api.github.com/users/MikeBishop",
      "html_url": "https://github.com/MikeBishop",
      "followers_url": "https://api.github.com/users/MikeBishop/followers",
      "following_url": "https://api.github.com/users/MikeBishop/following{/other_user}",
      "gists_url": "https://api.github.com/users/MikeBishop/gists{/gist_id}",
      "starred_url": "https://api.github.com/users/MikeBishop/starred{/owner}{/repo}",
      "subscriptions_url": "https://api.github.com/users/MikeBishop/subscriptions",
      "organizations_url": "https://api.github.com/users/MikeBishop/orgs",
      "repos_url": "https://api.github.com/users/MikeBishop/repos",
      "events_url": "https://api.github.com/users/MikeBishop/events{/privacy}",
      "received_events_url": "https://api.github.com/users/MikeBishop/received_events",
      "type": "User",
      "site_admin": false
    },
    "labels": [
      {
        "url": "https://api.github.com/repos/http2/http2-spec/labels/design",
        "name": "design",
        "color": "02d7e1"
      },
      {
        "url": "https://api.github.com/repos/http2/http2-spec/labels/upgrade",
        "name": "upgrade",
        "color": "fbca04"
      }
    ],
    "state": "open",
    "assignee": {
      "login": "mnot",
      "id": 74384,
      "avatar_url": "https://avatars.githubusercontent.com/u/74384?",
      "gravatar_id": "38f92fdb9ac1b5213d40c595b14ec620",
      "url": "https://api.github.com/users/mnot",
      "html_url": "https://github.com/mnot",
      "followers_url": "https://api.github.com/users/mnot/followers",
      "following_url": "https://api.github.com/users/mnot/following{/other_user}",
      "gists_url": "https://api.github.com/users/mnot/gists{/gist_id}",
      "starred_url": "https://api.github.com/users/mnot/starred{/owner}{/repo}",
      "subscriptions_url": "https://api.github.com/users/mnot/subscriptions",
      "organizations_url": "https://api.github.com/users/mnot/orgs",
      "repos_url": "https://api.github.com/users/mnot/repos",
      "events_url": "https://api.github.com/users/mnot/events{/privacy}",
      "received_events_url": "https://api.github.com/users/mnot/received_events",
      "type": "User",
      "site_admin": false
    },
    "milestone": null,
    "comments": 3,
    "created_at": "2014-06-05T17:35:59Z",
    "updated_at": "2014-06-07T01:35:26Z",
    "closed_at": null,
    "body": "There have been a number of discussions about scenarios where we may want the client to fall back to 1.1 (a server forcing gzip, APIs incompatible with HPACK, etc.).  HTTP/1.1 defines status code 505 as indicating that the server \"refuses to support the major version of HTTP that was used in the request message [and] is unable or unwilling to complete the request using the same major version as the client [...] other than with this error message.\"\r\n\r\nHowever, that doesn't define a programmatic way to tell the user agent what version to retry with, simply a representation to be shown to the user.  We should define a way to inform the client what HTTP version to retry with (presumably 1.1)."
  },
  {
    "url": "https://api.github.com/repos/http2/http2-spec/issues/492",
    "labels_url": "https://api.github.com/repos/http2/http2-spec/issues/492/labels{/name}",
    "comments_url": "https://api.github.com/repos/http2/http2-spec/issues/492/comments",
    "events_url": "https://api.github.com/repos/http2/http2-spec/issues/492/events",
    "html_url": "https://github.com/http2/http2-spec/issues/492",
    "id": 34974059,
    "number": 492,
    "title": "Alt-Svc header host restriction",
    "user": {
      "login": "mnot",
      "id": 74384,
      "avatar_url": "https://avatars.githubusercontent.com/u/74384?",
      "gravatar_id": "38f92fdb9ac1b5213d40c595b14ec620",
      "url": "https://api.github.com/users/mnot",
      "html_url": "https://github.com/mnot",
      "followers_url": "https://api.github.com/users/mnot/followers",
      "following_url": "https://api.github.com/users/mnot/following{/other_user}",
      "gists_url": "https://api.github.com/users/mnot/gists{/gist_id}",
      "starred_url": "https://api.github.com/users/mnot/starred{/owner}{/repo}",
      "subscriptions_url": "https://api.github.com/users/mnot/subscriptions",
      "organizations_url": "https://api.github.com/users/mnot/orgs",
      "repos_url": "https://api.github.com/users/mnot/repos",
      "events_url": "https://api.github.com/users/mnot/events{/privacy}",
      "received_events_url": "https://api.github.com/users/mnot/received_events",
      "type": "User",
      "site_admin": false
    },
    "labels": [
      {
        "url": "https://api.github.com/repos/http2/http2-spec/labels/alt-svc",
        "name": "alt-svc",
        "color": "fbca04"
      },
      {
        "url": "https://api.github.com/repos/http2/http2-spec/labels/design",
        "name": "design",
        "color": "02d7e1"
      },
      {
        "url": "https://api.github.com/repos/http2/http2-spec/labels/editor-ready",
        "name": "editor-ready",
        "color": "0b02e1"
      }
    ],
    "state": "open",
    "assignee": null,
    "milestone": null,
    "comments": 1,
    "created_at": "2014-06-04T16:11:12Z",
    "updated_at": "2014-06-05T19:42:30Z",
    "closed_at": null,
    "body": "When we were originally working on Alt-Svc, Patrick and I put a restriction on the Alt-Svc header field so that it couldn’t redirect clients to a different host.\r\n\r\nSince then, several people have pointed out that the requirement to have strong server authentication, as well as cache flushing, seems to contain the risk associated with doing this, and that the facility could be quite useful.\r\n\r\nSo, I’m suggesting we (re-) add the capability to the header."
  },
  {
    "url": "https://api.github.com/repos/http2/http2-spec/issues/490",
    "labels_url": "https://api.github.com/repos/http2/http2-spec/issues/490/labels{/name}",
    "comments_url": "https://api.github.com/repos/http2/http2-spec/issues/490/comments",
    "events_url": "https://api.github.com/repos/http2/http2-spec/issues/490/events",
    "html_url": "https://github.com/http2/http2-spec/issues/490",
    "id": 34820998,
    "number": 490,
    "title": "Permit/Forbid Coalescing",
    "user": {
      "login": "martinthomson",
      "id": 67641,
      "avatar_url": "https://avatars.githubusercontent.com/u/67641?",
      "gravatar_id": "3fa6569f8aa70b9a0a7df4ad7bebc0df",
      "url": "https://api.github.com/users/martinthomson",
      "html_url": "https://github.com/martinthomson",
      "followers_url": "https://api.github.com/users/martinthomson/followers",
      "following_url": "https://api.github.com/users/martinthomson/following{/other_user}",
      "gists_url": "https://api.github.com/users/martinthomson/gists{/gist_id}",
      "starred_url": "https://api.github.com/users/martinthomson/starred{/owner}{/repo}",
      "subscriptions_url": "https://api.github.com/users/martinthomson/subscriptions",
      "organizations_url": "https://api.github.com/users/martinthomson/orgs",
      "repos_url": "https://api.github.com/users/martinthomson/repos",
      "events_url": "https://api.github.com/users/martinthomson/events{/privacy}",
      "received_events_url": "https://api.github.com/users/martinthomson/received_events",
      "type": "User",
      "site_admin": false
    },
    "labels": [
      {
        "url": "https://api.github.com/repos/http2/http2-spec/labels/design",
        "name": "design",
        "color": "02d7e1"
      },
      {
        "url": "https://api.github.com/repos/http2/http2-spec/labels/editor-ready",
        "name": "editor-ready",
        "color": "0b02e1"
      },
      {
        "url": "https://api.github.com/repos/http2/http2-spec/labels/security",
        "name": "security",
        "color": "fbca04"
      }
    ],
    "state": "open",
    "assignee": null,
    "milestone": null,
    "comments": 3,
    "created_at": "2014-06-02T23:44:16Z",
    "updated_at": "2014-06-06T15:24:03Z",
    "closed_at": null,
    "body": "Several of the comments in #363 note that a lot of the issues we have with renegotiation are as a result of a coalescing feature.\r\n\r\nThis is the not-fully-formally-accepted feature where a client can use an existing connection to a server for different origins.\r\n\r\nTo recap, coalescing occurs when a client discovers that they have an existing connection to the same IP and port that a URL resolves to.  AND the existing connection has a valid certificate for the name that is being sought.\r\n\r\nRob notes the prohibition in [Section 3 of RFC 6066](http://tools.ietf.org/html/rfc6066#page-8) where it states:\r\n```\r\nIf the server_name is established in the TLS session handshake, the client SHOULD NOT attempt to request a different server name at the application layer.\r\n```"
  },
  {
    "url": "https://api.github.com/repos/http2/http2-spec/issues/477",
    "labels_url": "https://api.github.com/repos/http2/http2-spec/issues/477/labels{/name}",
    "comments_url": "https://api.github.com/repos/http2/http2-spec/issues/477/comments",
    "events_url": "https://api.github.com/repos/http2/http2-spec/issues/477/events",
    "html_url": "https://github.com/http2/http2-spec/issues/477",
    "id": 33002715,
    "number": 477,
    "title": "Clarify text around cipher strengths",
    "user": {
      "login": "martinthomson",
      "id": 67641,
      "avatar_url": "https://avatars.githubusercontent.com/u/67641?",
      "gravatar_id": "3fa6569f8aa70b9a0a7df4ad7bebc0df",
      "url": "https://api.github.com/users/martinthomson",
      "html_url": "https://github.com/martinthomson",
      "followers_url": "https://api.github.com/users/martinthomson/followers",
      "following_url": "https://api.github.com/users/martinthomson/following{/other_user}",
      "gists_url": "https://api.github.com/users/martinthomson/gists{/gist_id}",
      "starred_url": "https://api.github.com/users/martinthomson/starred{/owner}{/repo}",
      "subscriptions_url": "https://api.github.com/users/martinthomson/subscriptions",
      "organizations_url": "https://api.github.com/users/martinthomson/orgs",
      "repos_url": "https://api.github.com/users/martinthomson/repos",
      "events_url": "https://api.github.com/users/martinthomson/events{/privacy}",
      "received_events_url": "https://api.github.com/users/martinthomson/received_events",
      "type": "User",
      "site_admin": false
    },
    "labels": [
      {
        "url": "https://api.github.com/repos/http2/http2-spec/labels/editorial",
        "name": "editorial",
        "color": "02e10c"
      },
      {
        "url": "https://api.github.com/repos/http2/http2-spec/labels/security",
        "name": "security",
        "color": "fbca04"
      }
    ],
    "state": "open",
    "assignee": null,
    "milestone": null,
    "comments": 1,
    "created_at": "2014-05-07T16:42:37Z",
    "updated_at": "2014-06-05T20:44:49Z",
    "closed_at": null,
    "body": "This isn't necessarily clear enough, particularly the bit about \"128 bit security level\", which is intended to encompass P256, but also 25519, which isn't quite 256 bits.  More clarification is probably needed."
  },
  {
    "url": "https://api.github.com/repos/http2/http2-spec/issues/474",
    "labels_url": "https://api.github.com/repos/http2/http2-spec/issues/474/labels{/name}",
    "comments_url": "https://api.github.com/repos/http2/http2-spec/issues/474/comments",
    "events_url": "https://api.github.com/repos/http2/http2-spec/issues/474/events",
    "html_url": "https://github.com/http2/http2-spec/pull/474",
    "id": 32648448,
    "number": 474,
    "title": "Changing the way that altsvc use is indicated",
    "user": {
      "login": "martinthomson",
      "id": 67641,
      "avatar_url": "https://avatars.githubusercontent.com/u/67641?",
      "gravatar_id": "3fa6569f8aa70b9a0a7df4ad7bebc0df",
      "url": "https://api.github.com/users/martinthomson",
      "html_url": "https://github.com/martinthomson",
      "followers_url": "https://api.github.com/users/martinthomson/followers",
      "following_url": "https://api.github.com/users/martinthomson/following{/other_user}",
      "gists_url": "https://api.github.com/users/martinthomson/gists{/gist_id}",
      "starred_url": "https://api.github.com/users/martinthomson/starred{/owner}{/repo}",
      "subscriptions_url": "https://api.github.com/users/martinthomson/subscriptions",
      "organizations_url": "https://api.github.com/users/martinthomson/orgs",
      "repos_url": "https://api.github.com/users/martinthomson/repos",
      "events_url": "https://api.github.com/users/martinthomson/events{/privacy}",
      "received_events_url": "https://api.github.com/users/martinthomson/received_events",
      "type": "User",
      "site_admin": false
    },
    "labels": [
      {
        "url": "https://api.github.com/repos/http2/http2-spec/labels/alt-svc",
        "name": "alt-svc",
        "color": "fbca04"
      },
      {
        "url": "https://api.github.com/repos/http2/http2-spec/labels/proposal",
        "name": "proposal",
        "color": "aaddff"
      }
    ],
    "state": "open",
    "assignee": null,
    "milestone": null,
    "comments": 2,
    "created_at": "2014-05-01T21:14:02Z",
    "updated_at": "2014-06-05T20:34:43Z",
    "closed_at": null,
    "pull_request": {
      "url": "https://api.github.com/repos/http2/http2-spec/pulls/474",
      "html_url": "https://github.com/http2/http2-spec/pull/474",
      "diff_url": "https://github.com/http2/http2-spec/pull/474.diff",
      "patch_url": "https://github.com/http2/http2-spec/pull/474.patch"
    },
    "body": "For #443.\r\n\r\nThe discussion we've had so far on this seems to have converged on the use of ALTSVC frames for indicating what alternative service is in use.  This enacts that change, and adds a congruent use of the Alt-Svc header field for use in contexts other than HTTP/2.\r\n\r\nThat means that the Service header field can be removed safely.\r\n\r\nI've also added some notes regarding tracking of clients.  I think that is sufficient (I'll make this another pull request if you'd prefer it that way)."
  },
  {
    "url": "https://api.github.com/repos/http2/http2-spec/issues/444",
    "labels_url": "https://api.github.com/repos/http2/http2-spec/issues/444/labels{/name}",
    "comments_url": "https://api.github.com/repos/http2/http2-spec/issues/444/comments",
    "events_url": "https://api.github.com/repos/http2/http2-spec/issues/444/events",
    "html_url": "https://github.com/http2/http2-spec/issues/444",
    "id": 30483008,
    "number": 444,
    "title": "Flushing Alt-Svc Cache",
    "user": {
      "login": "mnot",
      "id": 74384,
      "avatar_url": "https://avatars.githubusercontent.com/u/74384?",
      "gravatar_id": "38f92fdb9ac1b5213d40c595b14ec620",
      "url": "https://api.github.com/users/mnot",
      "html_url": "https://github.com/mnot",
      "followers_url": "https://api.github.com/users/mnot/followers",
      "following_url": "https://api.github.com/users/mnot/following{/other_user}",
      "gists_url": "https://api.github.com/users/mnot/gists{/gist_id}",
      "starred_url": "https://api.github.com/users/mnot/starred{/owner}{/repo}",
      "subscriptions_url": "https://api.github.com/users/mnot/subscriptions",
      "organizations_url": "https://api.github.com/users/mnot/orgs",
      "repos_url": "https://api.github.com/users/mnot/repos",
      "events_url": "https://api.github.com/users/mnot/events{/privacy}",
      "received_events_url": "https://api.github.com/users/mnot/received_events",
      "type": "User",
      "site_admin": false
    },
    "labels": [
      {
        "url": "https://api.github.com/repos/http2/http2-spec/labels/alt-svc",
        "name": "alt-svc",
        "color": "fbca04"
      },
      {
        "url": "https://api.github.com/repos/http2/http2-spec/labels/design",
        "name": "design",
        "color": "02d7e1"
      },
      {
        "url": "https://api.github.com/repos/http2/http2-spec/labels/editor-ready",
        "name": "editor-ready",
        "color": "0b02e1"
      }
    ],
    "state": "open",
    "assignee": null,
    "milestone": null,
    "comments": 1,
    "created_at": "2014-03-31T03:20:50Z",
    "updated_at": "2014-06-05T19:39:37Z",
    "closed_at": null,
    "body": "For the load balancing use case, it's necessary for clients to always flush altsvc cache upon a network change, but right now they're only required to examine the cache for suspicious entries. We should discuss whether this should be upgraded to always flush."
  },
  {
    "url": "https://api.github.com/repos/http2/http2-spec/issues/397",
    "labels_url": "https://api.github.com/repos/http2/http2-spec/issues/397/labels{/name}",
    "comments_url": "https://api.github.com/repos/http2/http2-spec/issues/397/comments",
    "events_url": "https://api.github.com/repos/http2/http2-spec/issues/397/events",
    "html_url": "https://github.com/http2/http2-spec/issues/397",
    "id": 27936394,
    "number": 397,
    "title": "\"Segments\"",
    "user": {
      "login": "mnot",
      "id": 74384,
      "avatar_url": "https://avatars.githubusercontent.com/u/74384?",
      "gravatar_id": "38f92fdb9ac1b5213d40c595b14ec620",
      "url": "https://api.github.com/users/mnot",
      "html_url": "https://github.com/mnot",
      "followers_url": "https://api.github.com/users/mnot/followers",
      "following_url": "https://api.github.com/users/mnot/following{/other_user}",
      "gists_url": "https://api.github.com/users/mnot/gists{/gist_id}",
      "starred_url": "https://api.github.com/users/mnot/starred{/owner}{/repo}",
      "subscriptions_url": "https://api.github.com/users/mnot/subscriptions",
      "organizations_url": "https://api.github.com/users/mnot/orgs",
      "repos_url": "https://api.github.com/users/mnot/repos",
      "events_url": "https://api.github.com/users/mnot/events{/privacy}",
      "received_events_url": "https://api.github.com/users/mnot/received_events",
      "type": "User",
      "site_admin": false
    },
    "labels": [
      {
        "url": "https://api.github.com/repos/http2/http2-spec/labels/editorial",
        "name": "editorial",
        "color": "02e10c"
      }
    ],
    "state": "open",
    "assignee": {
      "login": "mnot",
      "id": 74384,
      "avatar_url": "https://avatars.githubusercontent.com/u/74384?",
      "gravatar_id": "38f92fdb9ac1b5213d40c595b14ec620",
      "url": "https://api.github.com/users/mnot",
      "html_url": "https://github.com/mnot",
      "followers_url": "https://api.github.com/users/mnot/followers",
      "following_url": "https://api.github.com/users/mnot/following{/other_user}",
      "gists_url": "https://api.github.com/users/mnot/gists{/gist_id}",
      "starred_url": "https://api.github.com/users/mnot/starred{/owner}{/repo}",
      "subscriptions_url": "https://api.github.com/users/mnot/subscriptions",
      "organizations_url": "https://api.github.com/users/mnot/orgs",
      "repos_url": "https://api.github.com/users/mnot/repos",
      "events_url": "https://api.github.com/users/mnot/events{/privacy}",
      "received_events_url": "https://api.github.com/users/mnot/received_events",
      "type": "User",
      "site_admin": false
    },
    "milestone": null,
    "comments": 3,
    "created_at": "2014-02-20T04:24:43Z",
    "updated_at": "2014-02-20T19:15:40Z",
    "closed_at": null,
    "body": "6.2 HEADERS' description of END_STREAM is the only place that mentions \"segments\", as per the most recently added feature. \r\n\r\nThis is very easy to miss there. If we had something that talked about intermediaries in general, this would be a good place to introduce \"segments\" more completely."
  },
  {
    "url": "https://api.github.com/repos/http2/http2-spec/issues/363",
    "labels_url": "https://api.github.com/repos/http2/http2-spec/issues/363/labels{/name}",
    "comments_url": "https://api.github.com/repos/http2/http2-spec/issues/363/comments",
    "events_url": "https://api.github.com/repos/http2/http2-spec/issues/363/events",
    "html_url": "https://github.com/http2/http2-spec/issues/363",
    "id": 26287142,
    "number": 363,
    "title": "TLS renegotiation",
    "user": {
      "login": "briansmith",
      "id": 16816,
      "avatar_url": "https://avatars.githubusercontent.com/u/16816?",
      "gravatar_id": "708ad4f6494aae9c1711a823f447d415",
      "url": "https://api.github.com/users/briansmith",
      "html_url": "https://github.com/briansmith",
      "followers_url": "https://api.github.com/users/briansmith/followers",
      "following_url": "https://api.github.com/users/briansmith/following{/other_user}",
      "gists_url": "https://api.github.com/users/briansmith/gists{/gist_id}",
      "starred_url": "https://api.github.com/users/briansmith/starred{/owner}{/repo}",
      "subscriptions_url": "https://api.github.com/users/briansmith/subscriptions",
      "organizations_url": "https://api.github.com/users/briansmith/orgs",
      "repos_url": "https://api.github.com/users/briansmith/repos",
      "events_url": "https://api.github.com/users/briansmith/events{/privacy}",
      "received_events_url": "https://api.github.com/users/briansmith/received_events",
      "type": "User",
      "site_admin": false
    },
    "labels": [
      {
        "url": "https://api.github.com/repos/http2/http2-spec/labels/design",
        "name": "design",
        "color": "02d7e1"
      },
      {
        "url": "https://api.github.com/repos/http2/http2-spec/labels/editor-ready",
        "name": "editor-ready",
        "color": "0b02e1"
      },
      {
        "url": "https://api.github.com/repos/http2/http2-spec/labels/security",
        "name": "security",
        "color": "fbca04"
      }
    ],
    "state": "open",
    "assignee": null,
    "milestone": null,
    "comments": 11,
    "created_at": "2014-01-25T05:21:23Z",
    "updated_at": "2014-06-06T16:11:09Z",
    "closed_at": null,
    "body": "In Firefox, we refuse servers' requests for client certificates if we've done connection coalescing on a connection. This has potential interop issues. For example, Apache can be configured to require a client certificate (via a TLS renegotiation) only upon the first request to some particular paths. This can easily put us in a state where we cannot access such paths:\r\n\r\n1. Browser connects to https://foo.example.org\r\n2. Browser coalesces https://bar.example.org onto that same connection.\r\n3. Browser requests https://foo.example.org/requires-cert.\r\n4. Server requests (demands) client cert\r\n5. Browser refuses to send one.\r\n6. Server returns 401/403/whatever error.\r\n\r\nNote that in theory coalescing could happen before any requests are sent on the connection. Thus, this has the potential to make some client-certificate-required resources completely inaccessible to the client, unless the client retries the request. The client probably won't retry the request, and may not be allowed to if it isn't idempotent.\r\n\r\nBesides the problems with connection coalescing, TLS renegotiation doesn't fit well with browser UI. In particular, it is possible for the server to send a different server cert in a renegotiation than it sent in the initial handshake. It could do this renegotiation even in the middle of a request or response, even in HTTP/1. This problem is even more likely to occur in HTTP/2 because transactions are multiplexed instead of being serialized. The browser thus cannot map requests/responses to certificates in a well-defined way. Yet, usually browsers present server identity in such a way that would make any server certificate change potentially misleading to the user.\r\n\r\nI am sure we can think of many reasons why TLS renegotiation is a bad idea for HTTP servers (of any version). It's probably too late to do anything meaningful about it for HTTP/1 since clients have to deal with existing servers that do it. it would be great to improve things for HTTP/2.\r\n\r\nHowever, because TLS <= 1.2 sends the client certificate in the clear, many implementations (including, IIRC, IIS in its default configuration) do a handshake without a client certificate and then immediately renegotiate to get the client certificate, to protect the client's identity. Thus, we probably cannot prohibit renegotiations that occur at the start of the handshake. A further complication is that TLS False Start interacts poorly with such schemes because the client may send a request on the connection before the server can even request the renegotiation that it intended to occur before any requests were made."
  }
]