W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2013

Re: HTTP 2.0 mandatory security vs. Amateur Radio

From: Roberto Peon <grmocg@gmail.com>
Date: Thu, 14 Nov 2013 12:39:22 -0800
Message-ID: <CAP+FsNcmX_YcE+ZwQPxqsS7HD-hGd9yy4Z6xauRWuVhu4iOK6g@mail.gmail.com>
To: James Snell <jasnell@gmail.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>, Julian Reschke <julian.reschke@gmx.de>, Bruce Perens <bruce@perens.com>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
There is a separate argument for authenticated vs non-authenticated TLS
that from a security perspective.

-=R
On Nov 14, 2013 10:35 AM, "James M Snell" <jasnell@gmail.com> wrote:

> As far as I can tell, none of us who are saying no to mandatory TLS
> aren't wishing "for plaintext http2 over the internet on port 80". By
> all means, make HTTP2 over TLS the default setup. What we are saying
> is that making HTTP2 over TLS *mandatory* is not the right thing to
> do.
>
> On Thu, Nov 14, 2013 at 12:25 PM, Roberto Peon <grmocg@gmail.com> wrote:
> > As I seem to be saying over and over...
> >
> > We can wish for plaintext http2 over the internet on port 80 as much as
> we
> > want, but it won't happen since it is not reliable, and the nature of
> that
> > unreliability is not predictable.
> >
> > Few websites will be willing to turn on http2 if it means losing 10-20%
> of
> > their user base. And that really is what we are talking about.
> >
> > -=R
> >
> > On Nov 14, 2013 8:40 AM, "Julian Reschke" <julian.reschke@gmx.de> wrote:
> >>
> >> On 2013-11-14 18:49, Roberto Peon wrote:
> >>>
> >>> There is a means of opting out, however, which exists and is widely
> >>> deployed: http1
> >>
> >>
> >> And the WG has a mandate to develop a replacement for 1.1, called 2.0.
> If
> >> we do not indent to develop that protocol anymore, we should re-charter.
> >>
> >>> There was near unanimity at the plenary that we should do something
> >>> about pervasive monitoring, and while I don't believe that there were
> >>> any actuonable , unambiguous dieectuves , the spirit of the room was
> >>> quite clear. The IETF intends to attempt to do something about this.
> >>
> >>
> >> Yes. What we disagree on what that means for HTTP: URIs.
> >>
> >>> ...
> >>
> >>
> >> Best regards, Julian
>
Received on Thursday, 14 November 2013 20:39:49 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:11:19 UTC