W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2012

Re: SPDY = HTTP/2.0 or not ?

From: Ross Nicoll <jrn@jrn.me.uk>
Date: Mon, 26 Mar 2012 13:04:42 +0100
Message-ID: <4F705B5A.6050905@jrn.me.uk>
To: Mike Belshe <mike@belshe.com>
CC: ietf-http-wg@w3.org
On 26/03/2012 11:21, Mike Belshe wrote:

>> 
>>     The choice of crypto or no crypto is for the HTTP-service provider to
>>     decide, it is not for us to decide on their behalf.
>> 
>> 
> Nobody ever said we'd take away an unsecure path.  I just don't want it
> to be the default.  Make security opt-out rather than opt-in.
> 
> How much global legislation about liability for accidentally leaked
> information do you need before you'll believe that we have a
> responsibility here?

My interpretation of many of the arguments was that there should be no
insecure option. I'd be happy to see a secure by default protocol with
an option to force it to plain-text (or similar).

I suspect if the protocol was secure-only, people would either not adopt
it (and stick to HTTP 1.1) or would create their own variants with
security disabled (likely resulting in multiple slightly incompatible
protocols). I would consider either of these outcomes worse than letting
people shoot themselves in the foot with a protocol that tries to
outline the risks to them.


Ross
Received on Monday, 26 March 2012 12:05:29 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:57 GMT