- From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
- Date: Sun, 17 Nov 2013 15:49:13 +0000
- To: Tim Bray <tbray@textuality.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
So you seem to be assuming mnot's plan, and not the variant where http:// URIs in HTTP/2.0 use non-authenticated TLS. I still prefer that latter, which has more pros and fewer cons I think, though its details need to be figured out. My take: Add: P3: Firesheep. P4: Security that is more than just MTI is much more likely to be tested and have fewer interop problems that if the same mechanisms are optional. P5: Belshe's comment: the more security is built-in the less you need to ask the user about. Cheers, S.
Received on Sunday, 17 November 2013 15:49:37 UTC