Re: HTTPS 2.0 without TLS extension? from 陈智昌 on 2013-07-23 (ietf-http-wg@w3.org from July to September 2013)

From: 陈智昌 <willchan@chromium.org>
Date: Tue, 23 Jul 2013 10:34:29 -0700
To: Zhong Yu <zhong.j.yu@gmail.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <CAA4WUYjS=JXYAYKe0ueqUFbdEUC3pM8xuj--b=F=WPgnSc9xYg@mail.gmail.com>

FWIW, it seems reasonable to me to have the spec allow HTTPS 2.0 without
TLS extension. If you want to Upgrade, be my guest. I have no plans for my
browser to support that, and I don't think Google servers will support it
either, because we care strongly about the advantages of TLS-ALPN vs
Upgrade.

IIRC, Twitter doesn't use NPN for the same reasons (lack of TLS extension
support on certain mobile clients). I believe they don't care about public
interop though, they just use dedicated VIPs with clients they control.

On Mon, Jul 22, 2013 at 5:06 AM, Zhong Yu <zhong.j.yu@gmail.com> wrote:

> The draft mandates TLS extension ALPN for any https 2.0 connections,
> but why is that necessary? Why can't we also establish an https 2.0
> connection through the Upgrade mechanism, without ALPN? TLS extension
> may not be available/convenient on some platforms for some time;
> requiring it may discourage some potential implementers.
>
> Zhong Yu
>
>

Received on Tuesday, 23 July 2013 17:34:56 UTC