RFC 7838, "HTTP Alternative Services", April 2016Source of RFC: httpbis (art)
Errata ID: 6481
Publication Format(s) : TEXT
Reported By: Lucas Pardue
Date Reported: 2021-03-13
Rejected by: Francesca Palombini
Date Rejected: 2021-03-15
Section 2.4 says:
Furthermore, if the connection to the alternative service fails or is unresponsive, the client MAY fall back to using the origin or another alternative service. Note, however, that this could be the basis of a downgrade attack, thus losing any enhanced security properties of the alternative service.
It should say:
Alt-Svc fall back is described in section 2.4 and mentions security properties, so I was expecting to see something about fall back in the security considerations. This might be implicitly covered by Section 9.3 but it could potentially be made more clear.
General clarifications and request for improvements to the RFC in a possible future update of the document should be proposed using channels other than the errata process, such as the WG mailing list.