- From: Mark Nottingham <mnot@mnot.net>
- Date: Tue, 7 Dec 2010 21:53:03 +1100
- To: Maciej Stachowiak <mjs@apple.com>
- Cc: Greg Wilkins <gregw@webtide.com>, hybi HTTP <hybi@ietf.org>, HTTP Working Group <ietf-http-wg@w3.org>
On 07/12/2010, at 6:04 PM, Maciej Stachowiak wrote: >> >> These are all absolutely still concerns, but we have proposals for addressing them. > > Indeed, we do, and they result in something that is reasonably HTTP-compatible, enough that you could make a two-way server. "Reasonable" is a judgement call, and from what I see, there's disagreement about this, much coming from the people making those servers. [...] > If the goal was not to interoperate with HTTP at all, it would be much better to use an approach where everything is encrypted. One plausible way to do that would be to restrict the protocol to TLS-only, at which point the nextprotoneg proposal can take care of dispatch without having to involve the HTTP layer. I think this is a plausible option, but many hybi WG members have expressed concern about the performance issues and other barriers to deployment of an all-TLS solution. > > Another approach is to invent our own crypto and start with a key exchange. Inventing crypto makes me nervous compared to using something known (such TLS), and might well impose many of the same costs that folks are worried about with TLS. These are two possible approaches, but they aren't they only approaches possible. > It's also worth noting that operating over ports 80/443 and coexisting with an HTTP server are goals that come from our charter and requirements document, so abandoning those goals would likely require a major reboot of the group. No, the charter says nothing about what port(s) the protocol will run over. The requirements you refer to are a -01 draft, so they don't represent IETF consensus. Have there been any WG consensus calls on them? > We already have implementors impatient to see a production-shippable protocol, it doesn't seem so great to me to go back to the drawing board. AIUI changing the handshake is already the subject of a lot of discussion, so this is hardly "going back to the drawing board." I fully agree we need to unblock this discussion and ship a protocol. I'm trying to understand why people are digging in their heels on a design that's supposed to be helping server deployment, when AFAICT the server folks are telling them it's not workable. Regards, -- Mark Nottingham http://www.mnot.net/
Received on Tuesday, 7 December 2010 10:53:44 UTC