Let me fork off a question: AFAIK, a 307 redirect can redirect to any other location and not only a different origin, e.g.:

GET https://mycloudreg.example.com/.well-known/brski/requestvoucher
-> 307, Location: https://mycloudreg.example2.com/whatthecke/strangeurl

AFAIK, there is no text prohibiting this in rfc8995 (or for that matter rfc7030).

I don't think such a redirect would work, because the pledge wouldn't know what the URL for followup commands such as requestvoucher (or any EST command) would be.

I can see how redirect to other URL prefixes than .well-known might be useful though, even without changing web origin, because some more complex web server may be built that way, but effectively I think EST and BRSKI can only work if the redirect location is consistent in its last two elements:

GET https://mycloudreg.example.com/.well-known/brski/requestvoucher
-> 307, Location: /<whatever>/brski/requestvoucher

In this case, the pledge would then extrapolate also

GET https://mycloudreg.example.com/<whatever>/est/cacerts

Aka: assume both brski and est live under <whatever>

Yes/No/Maybe ?

Cheers
    toerless

On Sun, Jun 13, 2021 at 07:41:18AM +0200, Carsten Bormann wrote:
> On 13. Jun 2021, at 04:22, Michael Richardson <[email protected]> wrote:
> >
> > "another web origin" --- I guess I don't know what this means.
>
> See RFC 6454 "The Web Origin Concept".
>
> In short, scheme + authority.
>
> > Does it mean redirecting from https://one.example/foo to
> > https://two.example/bar,
>
> Different origins https://one.example vs. https://two.example
>
> > or does it refer to https://one.example/foo to https://one.example/bar
> > etc.
>
> Same origin https://one.example
>
> I don't like the term that much, but it is in wide use in the combination
> "Same origin principle".
> In RFC 7252, we use "Origin server" to identify the serving endpoint.
> (Of course, "endpoint" has been hijacked as a needless synonym of
> "resource" in OAuth.)
>
> Somebody should write a Web terminology glossary :-)
>
> Grüße, Carsten
>
> _______________________________________________
> Anima mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/anima

-- 
---
[email protected]
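
The redirect check discussed in this message, as an added example that is not part of the original thread or of any BRSKI implementation: it resolves the Location header, compares RFC 6454 origins, and extrapolates a base for follow-up commands only when the last two path elements are preserved. That rule is the proposal made in the message, not text from RFC 8995; the function names and the "/whatever" prefix are assumptions.

```python
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}


def origin(url):
    """RFC 6454 origin: (scheme, host, port), with the default port filled in."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return (scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(scheme))


def check_redirect(request_url, location):
    """Evaluate a 307 Location against the rule proposed in the message.

    Returns the resolved target, whether the origin is unchanged, and the
    base URL for follow-up commands (None if it cannot be extrapolated).
    """
    target = urljoin(request_url, location)  # Location may be relative
    req_tail = urlsplit(request_url).path.split("/")[-2:]  # ['brski', 'requestvoucher']
    t = urlsplit(target)
    tgt_parts = t.path.split("/")
    base = None
    # Only extrapolate when the last two path elements are preserved.
    if len(tgt_parts) > 2 and tgt_parts[-2:] == req_tail:
        prefix = "/".join(tgt_parts[:-2])  # the "<whatever>" part, may be empty
        base = f"{t.scheme}://{t.netloc}{prefix}"
    return {
        "target": target,
        "same_origin": origin(request_url) == origin(target),
        "base": base,
    }


def followup(base, command):
    """Build a follow-up URL such as est/cacerts under the extrapolated base."""
    return f"{base}/{command}"


if __name__ == "__main__":
    # Constructed inputs, taken from the two redirects quoted in the message.
    req = "https://mycloudreg.example.com/.well-known/brski/requestvoucher"
    for loc in ("https://mycloudreg.example2.com/whatthecke/strangeurl",
                "/whatever/brski/requestvoucher"):
        result = check_redirect(req, loc)
        print(loc, "->", result)
        if result["base"]:
            print("  next:", followup(result["base"], "est/cacerts"))
```

A pledge applying this rule would stop at a redirect whose `base` is `None`, since it has no way to locate the remaining EST and BRSKI resources.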
