Re: A proposal from James M Snell on 2013-11-17 (ietf-http-wg@w3.org from October to December 2013)

From: James M Snell <jasnell@gmail.com>
Date: Sun, 17 Nov 2013 11:00:00 -0800
To: Zhong Yu <zhong.j.yu@gmail.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <CABP7RbfuDpBZjKZL6fnPPUzQwutSLzJ7T1jrL4T3ZfV4JDsMkw@mail.gmail.com>

If you choose to deploy plaintext http/2 for your server,  and you want
people to use that,  then use http2://. Detection of browser capability to
handle http2 links is orthogonal.  If you want a better, more reliable,
more seamless experience,  use  http2 over TLS.

The idea here is to purposefully not solve all of the possible issues with
plaintext http/2. Rather,  we make plaintext http/2 possible for those
willing to put up with the extra pain while optimizing only for the secure
path.
 On Nov 17, 2013 10:53 AM, "Zhong Yu" <zhong.j.yu@gmail.com> wrote:

> As a web page author, how do I choose which scheme, http:// or
> http2://, to use for a link? Do I need to detect the browser version
> the page is rendered on?
>
> On Sun, Nov 17, 2013 at 12:08 PM, James M Snell <jasnell@gmail.com> wrote:
> > The volume on the other threads on the security subject is causing far
> too
> > much noise. I have a proposal that offers a compromise approach. I posted
> > about this partially in one of the threads but I'm afraid it got lost in
> the
> > noise. Others have touched on the same basic idea:
> >
> > 1. By default, assign plain text http/2 to a new port.
> > 2. Document that plaintext http/2 can be sent over port 80 but document
> the
> > various possible issues with reliability.
> > 3. Strongly recommend that http/2 be sent over TLS instead of plaintext.
> > 4. Establish a new http2 URL protocol prefix for plaintext http2 over the
> > new default port
> >
> > This does several things.
> >
> > A. It makes plaintext http/2 possible but significantly harder. Some.
> Would
> > argue that makes plaintext http/2 "undeployable"... The same people who
> have
> > argued that have also argued that plaintext http/2 should not be used at
> > all. Therefore, those people really do not lose anything by following
> this
> > approach.
> >
> > B. It makes http/2 over TLS the default for the public internet since
> that's
> > the only option that would be broadly deployable on today's
> infrastructure.
> >
> > C. It makes it less likely that we would have to deal with the upgrade
> dance
> > on port 80. Which is a good thing. Http:// URLs would always mean
> http/1.x.
> > Http2://example:80 would mean http/2 over port 80.
> >
> > D. Developers would be forced to make a conscious choice to use plaintext
> > http/2 over an established default port. There's zero ambiguity.
> >
> > The folks who are arguing for TLS only really lose nothing with this
> > approach. It still, over course, does nothing about the mitm issues on
> port
> > 443, but its a start.
> >
> > - James
> >
>

Received on Sunday, 17 November 2013 19:00:27 UTC