Re: A proposal

On 18/11/13 1:44 PM, Mark Nottingham wrote:
> On 18 Nov 2013, at 10:18 pm, Yoav Nir <synp71@live.com> wrote:
>
>> I think HTTP is used for so many things in so many scenarios, that trying to give general guidance in the base spec is asking for trouble (example: when checking certificate revocation, you use HTTP to download either a CRL or an OCSP response. You can't use authenticated TLS there).
> Again, we’re talking about the case of a browser on the “open” Web — the many special cases don’t apply here.
>
I don't think we'll reach consensus on what is appropriate for the open 
web. But I think de-coupling that discussion from the base document is a 
win. I personally don't think that denying the benefits of HTTP/2 to 
websites that choose not to use encryption is justified. But browser 
support will be determined by market forces, unless the browser vendors 
would like to form a benevolent cartel forcing the correct policy on all 
the web.

BTW: Downloading CRLs or OCSP responses to verify certificates used in 
HTTPS is very much part of the open web.

Yoav

Received on Monday, 18 November 2013 12:19:52 UTC